
Web Hackers

  • 30-08-2007 11:59am
    #1
    Registered Users Posts: 1,530 ✭✭✭


    I was wondering how other webmasters out there deal with hackers attacking their web servers.

    I have written some custom scripts to detect some of the more prevalent attacks, but there are new ones popping up all the time.

    Most recently, I have found spammers attacking my server about 2-3 times an hour for the past week with scripts trying to register bogus accounts.

    My logs show as follows:

    Page: http://www.MyDomain.com/profile.php?mode=register
    Referrer: http://www.MyDomain.com/
    IP: 212.77.215.21
    DNS: Could Not Resolve DNS
    Browser: Opera/7.21 (Windows NT 5.0; U) [en]


    Now, first off, it's a Windows 2003 server, and PHP compatibility isn't even installed. Second, the website in question doesn't have any forums nor does it contain links to forums.

    My log files are filling up to the tune of about 30-40 of these hits a day for each site. They always come from different IPs, but 90% of them seem to be spoofing the Opera browser.

    Currently, I have set up a 404 error page for them, and it logs the attack in my system. I have my system checking for other known exploits and whatnot, but attacks like this still bother me. Not because they are successful (my servers are patched and as I said log everything), they bother me because of all the 404s they create. I have an automated system that runs a nice report for all of my websites at the end of the month, and normally, there are no errors listed. When hackers do this sort of thing I get hundreds of errors listed in the reports which look very bad.

    I don't want to create a page for them, as then it would return the page exists and they would hammer me even more. I don't want to do a 303 redirect because that screws with web spiders and Google and Yahoo will drop your search rankings because they think you're trying to funnel hits.

    Has anyone else experienced this sort of thing? Anyone found a way to be proactive in stopping this sort of attack?
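
One way to keep probe traffic out of the monthly error report, as an added example that is not part of the original post: it parses records in the log layout quoted above and files 404s for `.php` paths (a technology this server does not run) separately from genuine broken links. The sample records, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the record layout quoted in the post (documentation-range IPs).
SAMPLE_LOG = """\
Page: http://www.MyDomain.com/profile.php?mode=register
Referrer: http://www.MyDomain.com/
IP: 192.0.2.10
DNS: Could Not Resolve DNS
Browser: Opera/7.21 (Windows NT 5.0; U) [en]

Page: http://www.MyDomain.com/products/old-catalogue.asp
Referrer: http://www.MyDomain.com/products/
IP: 198.51.100.7
DNS: host7.example.net
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)

Page: http://www.MyDomain.com/forum/profile.php?mode=register
Referrer: http://www.MyDomain.com/
IP: 203.0.113.44
DNS: Could Not Resolve DNS
Browser: Opera/7.21 (Windows NT 5.0; U) [en]
"""

# Assumption: extensions this server has no handler for (the post says PHP is not installed).
UNSERVED_EXTENSIONS = (".php",)

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "Page" in fields:
            records.append(fields)
    return records

def is_probe(record):
    """A 404 for a technology the server never hosted is a probe, not a broken link."""
    path = urlsplit(record["Page"]).path.lower()
    return path.endswith(UNSERVED_EXTENSIONS)

def split_report(records):
    """Return (genuine_404s, probes, probe_user_agents) for the monthly report."""
    probes = [r for r in records if is_probe(r)]
    genuine = [r for r in records if not is_probe(r)]
    agents = Counter(r.get("Browser", "") for r in probes)
    return genuine, probes, agents
```

Only the `genuine` list would feed the error count in the monthly report; the `probes` list and user-agent tally stay available as a separate attack summary.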


Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    I haven't much experience with this, but would it be possible to log it as an attack and status 200 in the logs, but use a default script handler (JSP or ASP) to return something more than a 404 - reset the connection or something to pretend the site doesn't even respond?


  • Registered Users Posts: 437 ✭✭Spunj


    I have a 2003 server myself and had some serious attacks on both Remote Desktop ports and especially the FTP ports. Guys were trying mostly the Administrator account, but some were swapping some 20-100 accounts and multiple passwords.

    I did a little research and found a very tasty script which automatically bans the attacks against the FTP server at least, which has seriously reduced the activity.

    The script I use is at http://blog.netnerds.net/2006/07/ban-administrator-ftp-login-attemps/

    I am not sure it will help with your exact problem but I recommend using it if you have an internet facing Windows server. A good place to start anyway. I have done a lot more including disabling the account named "administrator".

