Hack attempts

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Well, the site I run has suffered 500+ hack attempts and counting.

Is there any way to stop this stuff or at least reduce it. I am tired of getting Blocked Abuse emails.

Raven · Posted: Sun Jun 01, 2008 6:21 pm

Adding the IP's to .htaccess will stop them from reaching your site which will stop the notifications. So, if you have the write to .htaccess option turned on then you shouldn't be getting repeats. Just turn the email admin option off to stop the emails.

I also always add the 4th octet as a wild card when I ban them, ie Full C Class

evaders99 · Posted: Sun Jun 01, 2008 6:47 pm

There is no real solution. Automated scripts constantly try to exploit any vulnerability. Blocking won't slow these down as they have a full botnet of compromised machines.

Just keep your site up-to-date. If you're tired of the notifications, you can turn them off.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Thanks guys. I added them to the .htaccess and I didn't even think about shutting off the notifications.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Ok. Where do I shut off notifications? I looked everywhere.

Gremmie · Posted: Sun Jun 01, 2008 8:26 pm

You can configure Sentinel what to do for each type of attack. One of the options is to send email.

I added something to my .htaccess file that has stopped 90% of my notifications. Most of the time these guys are trying to do a remote script execution via a _GET parameter. This stops that:

Code:

RewriteEngine on
#
# Prevent cross-site scripting
#
RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.*
Rewriterule ^.* - [F,L]

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Thanks Gremmie, I just copy and pasted it.

Bizarre. I went from 5,400 page views to 13,000+ in under two hours and the visitor count doesn't even remotely reflect it.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Well, Gremmie that piece of code seems to have done the trick.

However, can anyone help me understand how I can have 42 visitors and have page views jump from 5193 to well over 16,000 in a little over 2 hours?

evaders99 · Posted: Mon Jun 02, 2008 3:49 pm

You may be under a more direct form of attack, a denial of service.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Isn't a DoS a server side attack, rather than an attack directed at the site itself?

Sorry if I am coming across as thick headed and asking all of these questions.

Raven · Posted: Tue Jun 03, 2008 1:24 am

It can be either but is usually directed at a particular site.

warren-the-ape · Posted: Tue Jun 03, 2008 1:29 am

Is it a new site with a lot of contents/topics?
It could just be search engine spiders indexing your pages.

You can easily verify this in NS or in the Forums admin.

Open up your forums admin on the 1st page and check the IP's listed.

You can do the same in NS if you enabled IP tracking. Go to tracked IP's and sort on 'hits' (highest hits on top choose; 'descending').
WHOIS the IP's with a large amount of hits to see if they are search engines or not.

Edit:
Some time ago I had a dude/bot from France who was requesting topics every second, sometimes 2-3 per second and that for a couple of minutes.

I noticed it cause my site statistics for that day went through the roof..

If its not Google or another known search engine I dont need them Wink

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

warren-the-ape wrote:

Is it a new site with a lot of contents/topics?
It could just be search engine spiders indexing your pages.

You can easily verify this in NS or in the Forums admin.

Open up your forums admin on the 1st page and check the IP's listed.

You can do the same in NS if you enabled IP tracking. Go to tracked IP's and sort on 'hits' (highest hits on top choose; 'descending').
WHOIS the IP's with a large amount of hits to see if they are search engines or not.

Edit:
Some time ago I had a dude/bot from France who was requesting topics every second, sometimes 2-3 per second and that for a couple of minutes.

I noticed it cause my site statistics for that day went through the roof..

If its not Google or another known search engine I dont need them Wink

It's a very controversial topic...Global Warming/Climate change and the science behind it.

evaders99 · Posted: Tue Jun 03, 2008 12:32 pm

Well it is possible you have many links to a certain topic. And if you've gotten linked from some major site, you'll have increased traffic that you may not be able to handle (see: Slashdot effect)

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

evaders99 wrote:

Well it is possible you have many links to a certain topic. And if you've gotten linked from some major site, you'll have increased traffic that you may not be able to handle (see: Slashdot effect)

I suppose that's possible. It's just strange that the visitor count could not have possibly accounted for that amount of hits in that amount of time.

Raven · Posted: Tue Jun 03, 2008 12:48 pm

Use AWSTATS or something like it to find out the details.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

Forgot about that. Thanks!

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

AWSTATS isn't telling me anything.

Guardian2003 · Posted: Tue Jun 03, 2008 2:10 pm

PM me your cPanel (or other hosting control panel) login and your God admin user/pass and lets check this puppy out, I have about an hour to spare.

steve_lemaster · Worker Joined: Dec 26, 2006 Posts: 178

I PM'd you my cPanel and site admin logins. If you get the chance to check it out, let me know.