Hackers really annoying me... Time to start banning countries?

Guest So Called

I've spent a lot of time writing log analysis software for my hobbyist site. (It's about a hobby that has nothing to do with programming or web design.) I've spent a lot of time analyzing and understanding what I can about my traffic, about search engines, about visitors and where they are (I have a geo-location feature) and about what URLs they request from my site. I've become increasingly aware of mal-traffic, bad traffic, people who want to access my site for reasons other than being interested in my content. I get all kinds of hack attempts for things like WordPress and other popular packages and many where I don't even understand what they're hacking but I see the pattern. Mostly the attacks come from shared hosting accounts, accounts just like my LAMP package, some of them perhaps with shell accounts (not in my package). But one is clearer than anything else: By far most of the attacks come from RU, UA, CZ, MD, and RO. I've already banned these countries from my main site. (I have a few more domains that are just for testing. I let even these countries access my test sites, just so I can monitor their new probes before they hit my main site.) My geo-location feature tells me from their IP address what country they're coming from. Currently I have my software set to just drop the connection rather than serving them anything. (Although I still log their connection attempts.) Some countries are just not worth it. I can see where my real human visitors are coming from, people who are interested in my content, and I can tell when scripts are probing my site looking for weaknesses. If a country gives me mostly hackers and very few humans interested in my content, then why not just ban their country?

  • Like 3

Please provide a short description of one of the simpler attacks.

  • Like 1

IP based location detection is not accurate and users can use proxies, so if people want, they can get around it another way. Server configuration is not in your hands on a shared host, so there is little to nothing you can do about server security flaws. Maintaining secure coding principles in your script would be the last resort, as most script security flaws could be eliminated if it is used wisely. It is not bad to analyse the attack patterns so that you know what they are trying to do and you may act upon them.


Guest So Called
Please provide a short description of one of the simpler attacks.
This is not only hacks but also including generally annoying behavior like link spamming. That's where the site just keeps on hitting my index or one of my content pages solely to get the referrer link posted in my logs. I've described that in other posts, they are hoping that the logs they're hitting appear in some publicly accessible locations where search engines will see them and equate them with links to the referrer site, and that site's page rank. The people who are link spamming charge sites for the service. All of them are coming from the countries I named. Here's some of the weakness probes:
/wp-login.php
/phpmyadmin/scripts/setup.php
/myadmin/scripts/setup.php
/wp//wp-login.php
/wordpress//wp-login.php
/administrator/index.php/?dgd=1
/mambots/editors/wysiwygpro/document.php
/wp-login.php?action=registe
/blog/wp-login.php?action=register
/crm//blog/wp-content/plugins/wp-property/readme.txt
/blog//?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input
/blog/wp-login.php?action=lostpassword

Keep in mind that I do not have WordPress installed. There is no /blog/ directory. Many if not all of the WP related accesses are trying to discover if I have WP in order to exploit WP vulnerabilities or gain admin access. Some of the others are trying to exploit a possible installation of phpMyAdmin, or searching for some admin access to my site. In reality, I have a fixed IP address. My admin access page tests the remote IP and just sends a 404 Not Found to all IP addresses but my own. (And that's just to get to the admin login page to be able to enter a password.)
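The two mechanisms in the post above, the admin page that answers 404 to every address but one fixed IP, and recognition of requests for packages that are not installed, as an added PHP example. This is not So Called's code; ADMIN_PATH, ADMIN_IP (a documentation-range address) and the sample traffic are assumptions, and the probe patterns are taken from the list in the post.

```php
<?php
// Added example; this is not So Called's code. A request gate for a
// single-index.php site: the admin path answers 404 to every address except
// one fixed IP, and paths that only exist if WordPress, phpMyAdmin or Joomla
// were installed are flagged as probes. ADMIN_PATH and ADMIN_IP are assumed
// values (documentation-range address), not the poster's real ones.
declare(strict_types=1);

const ADMIN_PATH = '/admin';        // assumed admin login path
const ADMIN_IP   = '203.0.113.7';   // placeholder for the owner's fixed IP

// Patterns derived from the probe list in the post above; case-insensitive.
const PROBE_PATTERNS = [
    '~(^|/)wp-login\.php~i',
    '~(^|/)wp-content/~i',
    '~(^|/)scripts/setup\.php~i',        // phpMyAdmin setup script
    '~(^|/)administrator/index\.php~i',  // Joomla administrator
    '~(^|/)mambots/~i',                  // Mambo/Joomla extensions
    '~auto_prepend_file~i',              // php-cgi argument injection attempt
    '~allow_url_include~i',
];

/**
 * Classify one request. Returns:
 *   'admin-denied' admin path from any address but the owner's -> send 404
 *   'admin'        admin path from the owner's address -> show login form
 *   'probe'        request for a package that is not installed -> log, 404
 *   'normal'       let the router decide whether the page exists
 */
function classify_request(string $uri, string $remoteIp): string
{
    $path = explode('?', $uri, 2)[0];

    if ($path === ADMIN_PATH || str_starts_with($path, ADMIN_PATH . '/')) {
        return $remoteIp === ADMIN_IP ? 'admin' : 'admin-denied';
    }
    // Match against the full URI so query-string probes are caught too.
    foreach (PROBE_PATTERNS as $re) {
        if (preg_match($re, $uri) === 1) {
            return 'probe';
        }
    }
    return 'normal';
}

// Constructed sample traffic: URIs from the post plus two ordinary requests.
$samples = [
    ['/wp-login.php',                                                       '198.51.100.9'],
    ['/phpmyadmin/scripts/setup.php',                                       '198.51.100.9'],
    ['/blog//?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input', '198.51.100.9'],
    ['/admin',                                                              '198.51.100.9'],
    ['/admin',                                                              ADMIN_IP],
    ['/hobby/page-17',                                                      '192.0.2.44'],
];

foreach ($samples as [$uri, $ip]) {
    // The real front controller logs every outcome; only 'admin' and 'normal'
    // ever get anything other than a bare 404 served to them.
    printf("%-72s %-14s %s\n", $uri, $ip, classify_request($uri, $ip));
}
```

Matching on the full request URI rather than the path alone is what catches the php-cgi style probe, whose interesting part is in the query string; the admin check runs first so a probe aimed at the admin path still gets the same 404 as everyone else.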

Funny! Just because of a few hackers (let's say ~50), you banned an entire country? Well, that doesn't seem right to me. Maybe you monitor your site too much; that's why you see those things a lot.
The point is that I'm getting zero real traffic from those countries. My website is in English and I get accesses from all over the world, primarily English speaking countries, but even in a few dozen countries where English is not the primary language I get a fair amount of traffic, traffic I can see is real because they access various of my almost 100 content pages rather than just hitting lame URLs like I described above. Some of the lamer attacks/probes come from the US, but obviously so does most of my traffic, so I'll just have to live with those probes.
IP based location detection is not accurate and users can use proxies, so if people want, they can get around it another way. Server configuration is not in your hands on a shared host, so there is little to nothing you can do about server security flaws. Maintaining secure coding principles in your script would be the last resort, as most script security flaws could be eliminated if it is used wisely. It is not bad to analyse the attack patterns so that you know what they are trying to do and you may act upon them.
Makes no difference to me. If I'm not banning the real hackers then I'm banning their proxies which is just as good for my purposes. I'm not very concerned about server security, because as you said it's out of my hands. I have my content backed up and I back up my logging frequently. I could clean out my web root and upload my scripts in about 5 minutes, and re-upload my MySQL databases in probably about the same time (each). There's really not much a hacker could do to my site. My code is written as securely as I can make it. It's all custom so there are no "known" vulnerabilities that can be exploited. No hacker would waste their time trying to figure out how to hack into my site. They're running these scripted probes to locate WP and phpMyAdmin and other well known packages that can be exploited when vulnerabilities are found. The hackers are probably keeping databases of which sites have those packages and what URLs are used, so that when a 0-day exploit comes out they'll have a list of sites to attack all ready to go. I'm not going to ban any countries that are sending me real human visitors, but for countries that send me nothing but attackers, probers and spammers I see no down side to just banning their entire country.

Personally, I prefer to stay passive about it. If they do anything to the site, I just reupload the files and possibly fix any vulnerabilities I detected.


So Called's weakness probes (post #5) are files that users are searching for on So Called's site -- right?

Edited by niche

Why don't you ban just the offenders' IPs? In fact, why don't you configure your server to redirect known malicious requests like that to a PHP file that would automatically add the offender's IP to the list of banned IPs?


Guest So Called
So Called's weakness probes (post #5) are files that users are searching for on So Called's site -- right?
I don't know what you mean by "users." I've assumed they're script generated, accessing thousands or tens of thousands of URLs per day. All my sites are on the same shared server (same IP address) and they appear at my various sites separated by a few hours as they hammer other people's sites on my same shared server. This traffic is entirely different from my human users/visitors, who usually show up with a search engine referrer URL and are accessing my content pages rather than spewing invalid URLs like those I posted above.

Guest So Called
Why don't you just ban the offender's IPs? In fact, why don't you configure your server to redirect known malicious requests like that to a PHP file that would add the offender's IP to the list of disallowed IPs?
I can do that too but many of these lamers, particularly link spammers or log spammers have multiple IP addresses. I can tell they're the same spammers because the referrer links they're posting are the same URLs. I can ban them any number of ways. Single IP address, IP address expressions like 192.168.1.*, CIDR, user agent, client address that IP resolves to, even by referrer. I have plenty of limited bans like the above, but sometimes it's better to just ban the whole damned country. I've noticed that much of this activity comes from IP addresses that come from blocks used by shared hosting services. These are not your typical home users. (My real human visitors are interested in the site content which is about a hobby.) Real humans for the most part will resolve to Internet service providers, not shared hosting providers. When I see any fishy activity and it comes from a shared hosting account, I just use CIDRs and ban the entire shared hosting service from accessing my site. I don't allow accesses from clients with no user agent string either. Over the last 3-4 years almost 100% of site accesses with no user agent string are fishy accesses like I described above, not honest accesses requesting my content pages.
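The ban methods listed in the post above (single IP, wildcard expressions like 192.168.1.*, CIDR blocks, user agent including an empty one, referrer, and the whole-country bans from the opening post) as an added PHP example of a rule matcher. This is not the poster's code: the rule list and request samples are constructed from documentation-range addresses, and the country lookup is an assumed callback since the thread does not show the poster's geo-location data source.

```php
<?php
// Added example; not the forum poster's code. A ban-rule matcher covering the
// rule kinds named in the thread: single IP, wildcard, CIDR, user agent,
// missing user agent, referrer and country. The country lookup is assumed.
declare(strict_types=1);

/** Does $ip fall inside $cidr (e.g. "198.51.100.0/25")? IPv4 only. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Does $ip match a wildcard expression such as "192.0.2.*"? */
function ip_matches_wildcard(string $ip, string $pattern): bool
{
    $re = '/^' . str_replace('\*', '\d{1,3}', preg_quote($pattern, '/')) . '$/';
    return preg_match($re, $ip) === 1;
}

/**
 * A rule is ['type' => ..., 'value' => ..., 'note' => ...] with type one of
 * ip, wildcard, cidr, ua (substring), no-ua, referrer (substring), country.
 * Returns the first matching rule, or null when the request is allowed.
 */
function find_ban(array $rules, array $req, callable $countryOf): ?array
{
    foreach ($rules as $rule) {
        $hit = match ($rule['type']) {
            'ip'       => $req['ip'] === $rule['value'],
            'wildcard' => ip_matches_wildcard($req['ip'], $rule['value']),
            'cidr'     => ip_in_cidr($req['ip'], $rule['value']),
            'no-ua'    => trim($req['ua']) === '',
            'ua'       => stripos($req['ua'], $rule['value']) !== false,
            'referrer' => stripos($req['referrer'], $rule['value']) !== false,
            'country'  => $countryOf($req['ip']) === $rule['value'],
            default    => false,
        };
        if ($hit) {
            return $rule;
        }
    }
    return null;
}

// Constructed rules; all addresses are from the RFC 5737 documentation ranges.
$rules = [
    ['type' => 'cidr',     'value' => '198.51.100.0/25', 'note' => 'shared hosting block seen probing'],
    ['type' => 'wildcard', 'value' => '192.0.2.*',       'note' => 'log spammer rotating its last octet'],
    ['type' => 'referrer', 'value' => 'example.net',     'note' => 'referrer spam'],
    ['type' => 'no-ua',    'value' => '',                'note' => 'no user agent string'],
    ['type' => 'country',  'value' => 'XX',              'note' => 'country sending no human visitors'],
];

// Assumed stand-in for a geo-location lookup returning an ISO country code.
$countryOf = fn(string $ip): string => str_starts_with($ip, '203.0.113.') ? 'XX' : 'US';

// Constructed requests.
$requests = [
    ['ip' => '198.51.100.23',  'ua' => 'Mozilla/5.0', 'referrer' => ''],
    ['ip' => '192.0.2.200',    'ua' => 'Mozilla/5.0', 'referrer' => 'http://example.com/'],
    ['ip' => '203.0.113.5',    'ua' => 'Mozilla/5.0', 'referrer' => ''],
    ['ip' => '198.51.100.200', 'ua' => '',            'referrer' => ''],
    ['ip' => '198.51.100.201', 'ua' => 'Mozilla/5.0', 'referrer' => 'https://www.google.com/search?q=hobby'],
];

foreach ($requests as $req) {
    $ban = find_ban($rules, $req, $countryOf);
    // On a hit the site drops the connection but still writes a log row, so
    // banned traffic can be reviewed and a rule relaxed if a human shows up.
    echo $req['ip'], ' -> ', $ban ? 'banned (' . $ban['note'] . ')' : 'allowed', "\n";
}
```

Rules are evaluated in order and the first hit wins, so the note on the matching rule tells you which ban fired; that is the information you want in the log when deciding later whether a broad rule (a CIDR or a country) is catching real visitors.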

I'm just trying to understand how an attack works because I'm too ignorant about this. Say you have a site hosted on your shared server called abc.com. Are you able to ID an attack when a bot starts fishing your site with a PHP header() for:
abc.com/wp-login.php
abc.com/phpmyadmin/scripts/setup.php
...and so on. Right?

Edited by niche

Guest So Called
Why don't you ban just the offenders' IPs? In fact, why don't you configure your server to redirect known malicious requests like that to a PHP file that would automatically add the offender's IP to the list of banned IPs?
Actually I have a similar feature to detect search engines that do not honor my robots.txt file. In the robots.txt I have various directories prohibited, and on every page I have a hidden link to one of the forbidden pages. The link is obscured by CSS, it's Z-axis behind an image, and the link itself is around a 1 pixel image the same color as the page background. Ordinary site visitors cannot even see the link. When a search engine accesses that link it is automatically IP banned and I receive an email so I can go investigate what happened. In virtually every case it turned out that some annoying search engine was attempting to download my entire site in a minute or two, and eventually they tried to download the trapped link and got banned. Ordinary human visitors do not access my site and then try to read every content page in a couple minutes. I've also got a mass download detector. I can configure it so that it trips if any site visitor tries to access more than X pages in Y minutes. I can configure X and Y from my admin section, along with the action to take when tripped. I get log reports when this happens and I investigate. In every case it happens when somebody is trying to download my entire site because I'll see a couple dozen content pages accessed within perhaps a minute before the detector is tripped. Currently it's set to just drop connections after it's tripped, and it automatically resets when Y minutes has passed. As I said, my website content is related to a hobby, and the hobby has nothing to do with programming or web development or anything technical. But behind the code it's also a hobby site for me to write HTML/CSS/PHP/MySQL and log analysis and all the other stuff I've been discussing. The back end of the site is my hobby of writing code to mess with hackers and rude search engines. It's a game for me and that's why I've been writing all this code. 
Much of what I've done (outside of search engine tracking) would be a bad idea if applied to a real commercial site.
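The two detectors described in the post above, the hidden trap link that robots.txt forbids and the "more than X pages in Y minutes" mass download detector with its automatic reset, as an added PHP example. This is not So Called's code: state is kept in memory here rather than in MySQL, the trap path is an assumption, and the email notification is a stub.

```php
<?php
// Added example; not So Called's code. (1) Any client fetching the trap path
// (disallowed in robots.txt, invisible to people) is banned permanently.
// (2) More than $maxPages page requests from one client inside $windowMinutes
// trips a temporary ban that expires by itself. State lives in arrays here;
// the real site keeps it in a database. The notification hook is assumed.
declare(strict_types=1);

final class AccessGuard
{
    private array $hits = [];   // ip => list of request timestamps (seconds)
    private array $bans = [];   // ip => expiry timestamp; PHP_INT_MAX = permanent

    public function __construct(
        private string $trapPath,
        private int $maxPages,
        private int $windowMinutes,
    ) {}

    /** Returns 'allow', 'trap', 'flood' or 'banned'. */
    public function check(string $ip, string $path, int $now): string
    {
        if (isset($this->bans[$ip])) {
            if ($this->bans[$ip] > $now) {
                return 'banned';
            }
            unset($this->bans[$ip]);   // temporary ban has expired: reset
        }
        if ($path === $this->trapPath) {
            $this->bans[$ip] = PHP_INT_MAX;
            $this->notify("trap link fetched by $ip");
            return 'trap';
        }
        // Keep only hits inside the sliding window, then add this one.
        $cutoff = $now - $this->windowMinutes * 60;
        $this->hits[$ip] = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn(int $t): bool => $t > $cutoff
        ));
        $this->hits[$ip][] = $now;
        if (count($this->hits[$ip]) > $this->maxPages) {
            $this->bans[$ip] = $now + $this->windowMinutes * 60;
            $this->notify("mass download from $ip");
            return 'flood';
        }
        return 'allow';
    }

    private function notify(string $msg): void
    {
        // Assumed hook: the real site emails the owner and writes a log row.
        echo "[alert] $msg\n";
    }
}

// Assumed trap path; X = 10 pages, Y = 2 minutes.
$guard = new AccessGuard('/private/notes', 10, 2);
$t0 = 1_700_000_000;

// Constructed traffic: a crawler fetching a page every 2 seconds trips the
// detector on its 11th request and is refused until the window passes.
for ($i = 1; $i <= 12; $i++) {
    $r = $guard->check('198.51.100.9', "/page-$i", $t0 + 2 * $i);
    if ($r !== 'allow') {
        echo "crawler request $i -> $r\n";
    }
}
echo 'crawler after window: ', $guard->check('198.51.100.9', '/page-1', $t0 + 200), "\n";

// A human reading three pages over seven minutes is never affected,
// until the moment they fetch the trap link, which nobody does by accident.
foreach ([0, 180, 420] as $dt) {
    echo 'human: ', $guard->check('192.0.2.44', '/page-1', $t0 + $dt), "\n";
}
echo 'human fetching trap: ', $guard->check('192.0.2.44', '/private/notes', $t0 + 500), "\n";
```

The window is sliding rather than fixed, so a client that spreads requests evenly is judged on the last Y minutes of its history, and the expiry check at the top of check() is what gives the post's "automatically resets when Y minutes has passed" behaviour without any scheduled job.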

Guest So Called
I'm just trying to understand how an attack works because I'm too ignorant about this. Say you have a site hosted on your shared server called abc.com. Are you able to ID an attack when a bot starts fishing your site with a PHP header() for:
abc.com/wp-login.php
abc.com/phpmyadmin/scripts/setup.php
...and so on. Right?
More or less that's it. I would call that a probe, not really an attack, since I don't have the necessary package installed that they are trying to attack. I don't have WordPress installed. I do have phpMyAdmin installed, but it's in a place they'd never think to look (nothing obvious) and anyway I have a fixed IP address and my PMA directory is protected by .htaccess from being accessed from other than my own IP address.

Thanks. How do you capture the probe?

Edited by niche

I have plenty of limited bans like the above, but sometimes it's better to just ban the whole damned country.
As someone from a small damned country that most sites obviously don't get much traffic from, I must say I'm offended on behalf of all legitimate users from the countries you've banned. I mean, if you have all the tools to dynamically ban attackers, you're just being lazy by not using them. For your referrer problem, simply ban anyone with a known bad referrer. mod_rewrite can match even that in a rule. Side note, you do realize certain bad people (*caugh*na*caught*zi) use similar logic when talking about people, right? It's a slippery slope.... sort of.
  • Like 1

Guest So Called

Here's another thing that's annoying me. One of the link/log spammers has fixated on one of my content pages, spamming it several times a day with referrer sites mostly in RU. I keep track of each of my content pages and have counters for both real human visitors and recognized search engine indexing accesses. It's interesting to know how many humans have accessed each of my content pages, how many times they've been indexed, and the ratio. Typical content pages are visited a few times a day or several times a week. But when a link spammer hits my page several times a day it throws off my statistics entirely. One page can look like the most popular page on my site if I didn't know that up to 50% or more of the accesses are caused by the link/log spammer's annoying activity. So I just ban the link/log spammer by any of several methods and my page statistics return to validity.


It sounds like instead of anyone doing any actual damage or harm to you or your site that you are banning entire countries just because they annoy you. I'm not sure that's a great reason to ban potential legitimate traffic. If I started banning users here who annoyed me I think that some people would have a problem with that.

  • Like 1

Guest So Called
Thanks. How do you capture the probe?
It's nothing more than logging. I don't generally use the hosting service log (although one of my admin reports displays the raw log if I want to see it). My site is entirely PHP driven with all the content in a MySQL database. All is served through one index.php file, and all accesses are directed there, even file or directory not found. The only traffic that does not go through this index.php is images, although some of my images do not appear in the site's image directory so they too are served via the index.php access. (This is mostly for my test sites with only 4-5 images and it's easier to just have them in a database rather than raw.) So for each access my index.php takes the raw URL accessed and analyzes that to decide if it can be served and what script is necessary to serve it. I have scripts to send external CSS files (whose content is stored in the MySQL database), to serve content, to serve my contact form, to generate the CAPTCHA for the contact form, to generate robots.txt (again from database), to generate sitemap.xml (dynamic, generated from the names/URLs of my content pages), and on and on. Any requested URL that cannot be served is logged as an error (as are malformed URLs like with // inside). Most of the probes end up either in my error log or in my bad web crawler log. There is really only one log table but it has several categories and each entry is flagged as belonging to one of them:
main (normal accesses, mostly from real human beings)
error
redirect (pages that I've moved or changed the URL, and 301 was sent)
bad web crawler
good web crawler
ban list (automatic bans)
I have so much of my traffic automatically identified now that about three-fourths of my main log shows only human visitors. The other fourth is mostly lamers and hackers who show up only one time or too infrequently to bother banning them.
But I have a pretty good idea of which visitors are human, because they show up in my main log and haven't been put in one of the other logs, because of their behavior, and because they usually show up with a Google, Yahoo, Bing, MSN or other valid search engine referrer, and often include search terms related to the page they are accessing. It's almost a sure bet they are real people who have an honest interest in my content. Keep in mind that my experiment here wouldn't be appropriate for a commercial site. They'd be better off to monitor odd accesses just to make sure they aren't getting near any sensitive areas, but you can't just ban countries off a commercial site. It's an interesting experiment for me, and I've learned a lot about traffic going to typical websites (assuming my website is typical, at least typical of a personal hobby website). Also note that my traffic is much less than any commercial website. It would be too time consuming to monitor a site with a large volume in the way that I've been monitoring mine. It's just an interesting experiment. I sometimes get tired of it and just let it run itself for a few months or several months without any action on my part other than occasionally adding new content.
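A stripped-down version of the single-index.php design in the post above, as an added PHP example that is not So Called's code: every request resolves to a response and to one of the six log categories the post names, malformed URLs with // inside go to the error category, moved pages get a 301, and a search-engine referrer with search terms marks a main-log entry as probably human. The page table, the 301 table, the good-crawler user agents and the search-engine hosts are all constructed for the example.

```php
<?php
// Added example; not So Called's code. A front controller that maps each
// request to a status and a log category: main, error, redirect,
// bad web crawler, good web crawler, ban list. All tables are constructed.
declare(strict_types=1);

const PAGES        = ['/hobby/intro' => 1, '/hobby/page-17' => 2];   // URL => content id
const MOVED        = ['/old/intro' => '/hobby/intro'];               // 301 table
const GOOD_BOTS    = ['googlebot', 'bingbot', 'slurp'];              // assumed UA substrings
const SEARCH_HOSTS = ['www.google.com', 'www.bing.com', 'search.yahoo.com'];

/** Search terms from a recognised search-engine referrer, or null. */
function search_terms(string $referrer): ?string
{
    $u = parse_url($referrer);
    if (!isset($u['host'], $u['query']) || !in_array($u['host'], SEARCH_HOSTS, true)) {
        return null;
    }
    parse_str($u['query'], $q);
    foreach (['q', 'p'] as $k) {          // Google/Bing use q, Yahoo uses p
        if (!empty($q[$k])) {
            return (string) $q[$k];
        }
    }
    return null;
}

/** Route one request. Returns [HTTP status (0 = connection dropped), log category, detail]. */
function route(array $req, array $banned): array
{
    $path = explode('?', $req['uri'], 2)[0];
    $ua   = strtolower($req['ua']);
    $isGoodBot = array_filter(GOOD_BOTS, fn(string $b): bool => str_contains($ua, $b)) !== [];

    if (in_array($req['ip'], $banned, true)) {
        return [0, 'ban list', 'dropped'];
    }
    if (strpos($path, '//') !== false) {
        return [404, 'error', 'malformed URL'];
    }
    if ($path === '/robots.txt' || $path === '/sitemap.xml') {
        // Generated from the database; fetching them is crawler behaviour.
        return [200, $isGoodBot ? 'good web crawler' : 'bad web crawler', 'generated ' . $path];
    }
    if (isset(MOVED[$path])) {
        return [301, 'redirect', MOVED[$path]];
    }
    if (!isset(PAGES[$path])) {
        return [404, 'error', 'no such page'];
    }
    if ($isGoodBot) {
        return [200, 'good web crawler', 'indexed content ' . PAGES[$path]];
    }
    $terms = search_terms($req['referrer']);
    return [200, 'main', 'content ' . PAGES[$path] . ($terms !== null ? " (search: $terms)" : '')];
}

// Constructed traffic; addresses from the documentation ranges.
$banned = ['198.51.100.9'];
$requests = [
    ['ip' => '192.0.2.44',   'uri' => '/hobby/page-17',  'ua' => 'Mozilla/5.0', 'referrer' => 'https://www.google.com/search?q=hobby+page'],
    ['ip' => '192.0.2.45',   'uri' => '/hobby/intro',    'ua' => 'Mozilla/5.0 (compatible; Googlebot/2.1)', 'referrer' => ''],
    ['ip' => '192.0.2.46',   'uri' => '/old/intro',      'ua' => 'Mozilla/5.0', 'referrer' => ''],
    ['ip' => '203.0.113.8',  'uri' => '/wp//wp-login.php', 'ua' => 'Mozilla/5.0', 'referrer' => ''],
    ['ip' => '203.0.113.8',  'uri' => '/wp-login.php',   'ua' => 'Mozilla/5.0', 'referrer' => ''],
    ['ip' => '203.0.113.9',  'uri' => '/robots.txt',     'ua' => 'python-requests/2.0', 'referrer' => ''],
    ['ip' => '198.51.100.9', 'uri' => '/hobby/intro',    'ua' => 'Mozilla/5.0', 'referrer' => ''],
];

foreach ($requests as $req) {
    [$status, $category, $detail] = route($req, $banned);
    // In the real site this line is an INSERT into the single log table
    // with the category as a flag column.
    printf("%-15s %-20s %3d  %-16s %s\n", $req['ip'], $req['uri'], $status, $category, $detail);
}
```

Because the category is decided in the same place the response is, the log can never disagree with what was served, which is what makes the "three-fourths of my main log is humans" observation in the post checkable: filter the main category and look at how many rows carry a search referrer.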

Guest So Called
As someone from a small damned country that most sites obviously don't get much traffic from, I must say I'm offended on behalf of all legitimate users from the countries you've banned. I mean, if you have all the tools to dynamically ban attackers, you're just being lazy by not using them. For your referrer problem, simply ban anyone with a known bad referrer. mod_rewrite can match even that in a rule. Side note, you do realize certain bad people (*caugh*na*caught*zi) use similar logic when talking about people, right? It's a slippery slope.... sort of.
In 3-4 years I have never once seen a valid access to one of my content pages originating from RU, yet I get about 100 accesses from RU every day, mostly link/log spamming and vulnerability probes. Evidently there are not any English speakers in RU who are likely to find my hobby pages. In any case if I see any human activity in my banned activity logs I can always change my ban conditions and let them in. I have little enough traffic that I can look at all banned activity and decide in each case if it's valid or not. That's part of the experiment. I can do everything from my script that you could do from mod_rewrite, and much easier since my admin control pages are all forms I can simply click and fill input fields. I don't have to bother writing .htaccess code and FTPing my code to my shared hosting account.

Guest So Called
It sounds like instead of anyone doing any actual damage or harm to you or your site that you are banning entire countries just because they annoy you.
Yep, that's about it. I do it because I can. :) Like I said, I'm not banning any real humans, and if I start getting human accesses from sources I've banned I can just change the rules and find another way to keep out undesirable traffic and let the human traffic in.

How do you know you have legitimate access if you've banned all traffic?


Like I said, I'm not banning any real humans
Really? The entire countries that you're banning don't have any real humans in them? I realize that Boen calls himself a robot, but I suspect that he is in fact flesh and blood. I guess I'll just respond directly to your question:
If a country gives me mostly hackers and very few humans interested in my content, then why not just ban their country?
Because you're throwing out the baby with the bath water. You're sacrificing potential actual traffic, even if it is a small amount, simply because you're being annoyed. You should know that though, the potential downside to banning a country from your website should be obvious. I don't think you're looking for suggestions from us, I think you're going to do what you're already doing anyway, I think you're just looking for validation of the nuclear option.

Guest So Called
How do you know you have legitimate access if you've banned all traffic?
Every access to my site shows up in some area of my log, including banned accesses. I look at it. If it's going for some WP or PMA URL then it stays banned. If it looks like a legitimate access I can start wondering what to do to re-enable legitimate activity. The thing with .htaccess and mod_rewrite, those accesses would disappear and I'd never know if legitimate traffic was attempted. But since I log everything I can see even bans, and I have the opportunity to modify them.

Here's another thing that's annoying me. One of the link/log spammers has fixated on one of my content pages, spamming it several times a day with referrer sites mostly in RU.
So if you can identify a spammer by ip as soon as a page is requested you could give him a 404 error, right?

Guest So Called
Really? The entire countries that you're banning don't have any real humans in them? I realize that Boen calls himself a robot, but I suspect that he is in fact flesh and blood. I guess I'll just respond directly to your question: Because you're throwing out the baby with the bath water. You're sacrificing potential actual traffic, even if it is a small amount, simply because you're being annoyed. You should know that though, the potential downside to banning a country from your website should be obvious. I don't think you're looking for suggestions from us, I think you're going to do what you're already doing anyway, I think you're just looking for validation of the nuclear option.
I'm not getting ANY legitimate traffic from the domains, IP blocks or countries I've been discussing. None at all. I'm not looking for suggestions or validation from anybody. I think it's an interesting subject to discuss, and evidently several of you agree with me or you wouldn't be posting. And don't be silly. Every country has human beings. If it didn't it would be annexed by another country that does have humans.
