Chinese traffic ban/ site is currently suffering brute force attack

bigjohnny80 · 15-06-2010 5:30pm #1

Hi

If anyone had good recent .htaccess code for repelling Chinese traffic I’d be very grateful.

My site has been under constant brute force attack since last week and today they’ve managed to get the fanaccountblogger.com javascript code into the index.php file.

I had updated the .htaccess file a couple of times in the last week but it does not seem to have helped. They are blitzing the site constantly. Very frustrating.

Any other advice welcome…. I’ve already changed FTP passwords.

Cheers

Sparks · 15-06-2010 6:28pm

There's a very apropos question&answers session on serverfault about that:
http://serverfault.com/questions/20667/equivalent-to-denyhosts-but-for-http-requests

The best suggestions were ModSecurity, fail2ban and OSSec. Personally, I think fail2ban would be the better match for you - it scans the apache error log and updates the iptables rules to block offending IP addresses - and it looks like you can run it so that an attack on one web node can result in all web nodes blocking that IP.

bigjohnny80 · 15-06-2010 7:59pm

Cheers

Just spent the last number of hours going through the site. about 40 .js files compromised.

fail2ban looks good thanks.

fcrossen · 23-06-2010 7:59am

Make sure you check your .htaccess file too (if you have one)

STBR · 23-06-2010 9:31pm

bigjohnny80 wrote: »

Cheers

Just spent the last number of hours going through the site. about 40 .js files compromised.

fail2ban looks good thanks.

Sorry can I ask what you mean by "compromised"?

As in they've edited malicious code into them?

Evil Phil · 23-06-2010 10:53pm

Yeah, either that or they've replaced the files with their own.

bigjohnny80 · 29-06-2010 6:22pm

SirDarren wrote: »

Sorry can I ask what you mean by "compromised"?

As in they've edited malicious code into them?

Inserted code into all the .js files to redirect visitors

Trivarion · 29-06-2010 8:48pm

http://www.blockacountry.com/

Use this excellent site. It autogenerates a .htaccess file. I've had to use it in the past.

FruitLover · 29-06-2010 10:39pm

If possible, blocking IP ranges using a firewall would be better than using a .htaccess file (i.e. before TCP and HTTP sessions are started).

jUNK · 29-06-2010 10:45pm

Geo ip lookup plugin to block visitors from certain countries.

Sparks · 29-06-2010 10:56pm

FruitLover wrote: »

If possible, blocking IP ranges using a firewall would be better than using a .htaccess file (i.e. before TCP and HTTP sessions are started).

Which is pretty much what fail2ban is designed to do. You run the server on the firewall and the clients on the web nodes behind the firewall and they pass on the suspect IPs to the firewall, which modifies its iptables setup to block them.

Trivarion · 29-06-2010 11:03pm

FruitLover wrote: »

If possible, blocking IP ranges using a firewall would be better than using a .htaccess file (i.e. before TCP and HTTP sessions are started).

You're right. I assumed he may be using shared hosting, or not have those privileges.

Chinese traffic ban/ site is currently suffering brute force attack

Comments