
Dealing With Web Hackers

  • 29-01-2008 3:28pm
    #1
    Registered Users, Registered Users 2 Posts: 1,530 ✭✭✭


    Every year the amount of web hackers increases. In the past six months though, it seems they really have spiked. In fact, I have about 4 IPs that scan my servers about 3 times a week for exploits.

    Now, for years I just ignored it. Then, I started banning the IPs at the firewall. Due to dynamic IPs I then started blocking large swaths of addresses by sub-net (i.e. banning all IPs from Asia-Pacific blocks and all IPs from South American blocks).

    This works, but is a hassle. So, since I had a bit of time recently I have started to try something new. Now, I log the attempt, record it in a database and send an admin email, then redirect the hit to a government website, based on the IP source.

    All attacks from US addresses get redirected to the FBI Computer Crimes Division website, all attacks from Chinese origins go to the Chinese police computer crimes department, etc.

    This is something new I am trying. If nothing else, I'm sure sooner or later someone at the FBI checking their web logs will notice the same thing I see on my web logs every month - a few addresses which are the #1 visitor and #1 bandwidth users. They can then go take it up with them ;)

    I have also today started redirecting hackers who attempt to use SQL injections to hijack my sites as well. A nice redirect that even includes the original attack string might turn some heads at the various security services I hope. Maybe then people will stop trying this crap, eh?

    Anyone else out there have an interesting way of dealing with web hackers?


Comments

  • Registered Users, Registered Users 2 Posts: 16,287 ✭✭✭✭ntlbell


    CptSternn wrote: »

    Anyone else out there have an interesting way of dealing with web hackers?

    I'm not really sure how you're "dealing" with them here.

    I would have assumed that the majority of these scans are made from compromised/zombied machines.

    Depending on the country/state/law etc scanning may or may not be illegal etc.

    It just seems to me like you're wasting your time and your resources to do... well, to do nothing really.


  • Closed Accounts Posts: 71 ✭✭mcloughl


    I am not so sure of the legality of redirecting HTTP requests to .gov type addresses. However that is of course your decision!

    So, one thing that I don't understand is why you actually care? Assuming your Web App is properly coded and configured, login with a username or a SQL injection attempt with ' OR 1=1-- should all be just, well, HTTP GET/POST traffic.

    So I suppose the key here is assuming your web application is properly coded and secured. There are plenty of resources on PHP, Java, .NET Security on the web.

    However there is one other proactive step you can take, an application level proxy. Good example being mod_security for Apache. Essentially allows only the content that you white list to be actioned at the web app layer. All the other crap is just dropped. Key is to whitelist what you want to see and drop everything else by default.

    www.modsecurity.org/ will sort you out
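
The default-deny allowlisting described in the post above, as an added example that is not part of the original thread and is not ModSecurity configuration. The routes, parameter names and value patterns are assumptions for an imagined application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist: (method, path) -> permitted parameters and the exact
# shape each value must have. Anything not listed here is rejected by default.
ALLOWLIST = {
    ("GET", "/products"): {
        "id": re.compile(r"[0-9]{1,9}"),
        "sort": re.compile(r"(name|price)"),
    },
    ("POST", "/login"): {
        "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
        "password": re.compile(r"[\x20-\x7e]{8,128}"),  # hashed by the app, never put in SQL
    },
}


def check_request(method, url, body=""):
    """Return (allowed, reason). Only input that matches the allowlist passes."""
    parts = urlsplit(url)
    rules = ALLOWLIST.get((method.upper(), parts.path))
    if rules is None:
        return False, "route not allowlisted"
    raw = parts.query if method.upper() == "GET" else body
    seen = set()
    for name, value in parse_qsl(raw, keep_blank_values=True):
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if not rules[name].fullmatch(value):
            return False, f"value of {name!r} does not match allowlist"
    return True, "ok"


# Constructed sample requests, including the injection string quoted in the post.
SAMPLES = [
    ("GET", "/products?id=42&sort=price", ""),
    ("GET", "/products?id=1%27%20OR%201%3D1--", ""),
    ("GET", "/phpmyadmin/index.php", ""),
    ("POST", "/login", "username=%27+OR+1%3D1--&password=anything1"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, check_request(method, url, body))
```

As the post says, a filter like this sits in front of a properly coded application; it does not replace parameterised queries in the application itself.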


  • Registered Users, Registered Users 2 Posts: 1,530 ✭✭✭CptSternn


    The best part of redirection is that the person redirected and the site you redirect to have no record of your redirection.

    But more to your question:

    My apps are very secure. That's not the issue.

    I host for a few dozen companies worldwide. I have detailed logging software installed that creates detailed reports once a month for our clients.

    These logs include files accessed, errors, top IPs, etc.

    Tis just a new way of taking care of business.


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    Have you tried redirecting the attacks to a honeypot?


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,811 CMod ✭✭✭✭Black Swan


    Let us know how this works, and if some black hat gets really p*ssed at you and tries something like a denial of service attack or whatever.


  • Closed Accounts Posts: 1,956 ✭✭✭layke


    Seeing as most of these attacks are probably coming from compromised computers I doubt that it's going to help.

    Most "hackers", as you have termed them, are in fact nothing more than script kiddies who know how to download a malicious script and press a button, or malware turning their machine into a zombie; most users are probably unaware they are even running it.

    In the end after the few site defacements I have suffered you can't stop them or deal with them in any way. All you can do is secure your sites and servers and pray it's enough.

    For a start try blocking all traffic from China and Korea at the firewall.


  • Closed Accounts Posts: 26 Bob.


    Here's an idea for a honeypot

    redirect them to a page with this on it:
    admin:5f94b2aac42f1531be77ad2bb5d9bf1a
    root:2b799c2fce6778c5dc78b2330ab7e7f9
    system:395d834702c488720aaca4a9880881c2
    

    the skids will think they hit the jackpot....but those fake md5s will take YEARS to crack ;)

