Off Topic


JDW

20 May 2016, 2:41 am

Russian Hackers

I’ve been reviewing my server ERROR logs over the past few days. This is something I had not been doing in the past. I’ve noticed that there are many 404s generated from IP addresses in Russia or Ukraine, caused by using the following keywords at the root of my domain:

src
wp-login.php
administrator
admin
admin.php
manager
typo3
index.php
positivessl
natro
blog
wp
wordpress
xmlrpc.php
bitrix
beta

For example (note the “src” at the end):

http://www.mydomain.com/src

In the Error Log I see that there are hack attempts from other countries too as per the IP address, and from the time stamps I can see that they are perhaps using TOR or a VPN to hop their IP around. (When illicit requests like this occur only seconds apart in a stream of requests, it’s clearly the same hacker doing it.)

No doubt this has been going on for a while, since I only recently started examining the Apache Error Logs.

I don’t have a blog or Wordpress or anything that would be readily hackable (that I am aware of), but what action should I take, or am I powerless to do anything?

Thanks,

James W.

The Big Erns

20 May 2016, 6:14 am

I think that there are different levels of hackers out there. I know that is an obvious thing to say, but it is worth thinking on.

My blog — which is a WordPress blog — is always under attack, 24/7. I also manage two other, commercial, WP sites. They are set up in a similar fashion to my blog, but have hardly ever been attacked.

The majority of attacks are likely scripted and merely report back when they find targetable files or assets, like the xmlrpc.php file. Then another script is used to overwhelm the server with requests for the file… which I assume gives the actual hacker some advantage or window of opportunity. Whatever the tertiary goal, the hacker’s ultimate goal is to control the server. From there he/she can then use that server for however long they can keep control of it for whatever purpose suits them.

What can you do about this?

Well, not much it seems. Try to ensure that you have complete control of what happens on your server, so how your server is supposed to react to error requests or robots is a big thing — one that many take for granted. Be aware of the vectors hackers use to gain control (or sow mayhem) like forms or scripts, then shore those bits up as best you can. Any passworded access should use Very Strong passwords and treat usernames the same way. Rotate your passwords on different preset intervals, and whenever you think they are in jeopardy. I also actively block IP addresses engaged in suspicious activity, but the quantity is so enormous and hackers just rotate through IPs they have already compromised that the effectiveness is debatable. I think it slows many of them down, though.

I use software made for WP that automatically locks out IPs that display certain behaviors… similar software for the server would be nice. When alerted, I can choose to take action like blocking that IP or perhaps follow the attack in real time and learn something about the attacker.

What I have learned is there is a multitude of low-level, generally scripted, attacks which are not particularly bright in their method or plan. There are a few, mostly brute force types of attackers which are more worrisome but also usually not long-term successful. Then, there are a very few sneaky bastards, who somehow get close enough to make me stop and rethink my whole strategy. Yikes!

All this is a lot of work… obviously. But what is worse is that it can be all for nothing as the hacker is also trying to get into the other shared sites on that same server and if any of those are weak then the hacker gets control of the whole server — including your bit of it. As a result I try to keep a good working relationship with my hosting provider regarding security issues. This is harder than it sounds. As a business, they don’t want any legal exposure, so more diplomacy than honesty is what I usually get. But that’s better than nothing, I reckon.

I wish there was a way as an individual to block IPs by country… as there are some that are most annoying (you refer to the Russians). This bothers me because it goes against the whole principle of the Internet, but did I also mention how annoying they were? Anyway, they usually fall into that first category that don’t seem to get very far (if I had a nickel for every идиот that guesses my password as cssway or my user name as thebigerns, I would be richer than the pope and the queen put together. Though not as fashionably dressed, of course.)

Best of luck to you.

no longer subscribed to this discussion…

JDW

20 May 2016, 6:27 am

Thanks for sharing your thoughts, Ernie. I actually pondered using .htaccess to redirect those idiots to another site, thinking it would be rather fun to redirect someone who types “/src” at the end of my URL to a Chinese malware site. But I decided against it since it might incite them to be more aggressive in their future attacks.

Anyway, thank you.

JDW

23 May 2016, 1:21 am

Today while reviewing my server’s Error Log, it was interesting to see that all of the following keywords were used in rapid succession, each of them repeated between 4 and 11 times, finishing in 14 seconds, and all having been sent to my server by the same IP address:

admin
admin.php
administrator
authenticating.php
beta
bitrix
blog
cache
cli
components
configbak.php
configuration.php
configurationbak.php
CONFIGURATIONS.php
conn.php
controller.php
cppr.php
d.php
dir.php
dump.php
flash
functions.php
getFile.php
getgg.php
hello.php
images
includes
includes.php
index.php
joomla-resize.php
layouts
license.php
libraries
logs
manager
media
menu.php
modules
modx.php
monitor
move2.php
natro
path.php
plugins
popup-pomo.php
positivessl
proizvoditelej.php
psyco.php
redirect.php
rss.php
sql_debug.php
sql_dump.php
sqlbak.php
src
temp0
templates
tmp
tmp.php
typo3
upload.php
webconfig.txt.php
wordpress
wosss.php
wp
wp-back.php
wp-content
wp-datas.php
wp-includes
wp-login.php
wp-mailback.php
xGASSx.php
xGx.php
xmlrpc.php
xmlsrpc.php
xxx123456_wp-datas.php

Clearly an automated hacking server sent the above. Not sure why some commands were repeated up to 11 times each. I would think that once my server generated a 404 that would be a pretty strong message to the hacking server that my server doesn’t have what they are looking for. Or perhaps this is a mild form of a DoS attack?

Note that those commands were not sent in alphabetical order. I sorted them that way above for clarity. And I mention this because if any of you have filenames such as this on your server, take note that someone out there is looking closely for them!

—James W.
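A way to pick out the burst-scan pattern James describes (one IP requesting many of the probe names within seconds) from an Apache 2.2-style error log. This is an added example, not code from the thread; the document root and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the probe names listed in the thread, relative to the document root.
PROBE_PATHS = {"src", "wp-login.php", "administrator", "admin", "admin.php",
               "manager", "typo3", "xmlrpc.php", "bitrix", "wordpress", "wp"}
DOCROOT = "/var/www/html/"  # assumed document root; adjust for your server

# Apache 2.2-style error-log line for a missing file (constructed format).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] "
                     r"File does not exist: (?P<path>\S+)")

def parse_line(line):
    """Return (timestamp, client IP, path relative to DOCROOT), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    path = m.group("path")
    rel = path[len(DOCROOT):] if path.startswith(DOCROOT) else path
    return ts, m.group("ip"), rel.strip("/")

def find_scanners(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Map each client IP to the distinct probe paths it requested, but only
    for IPs that hit at least min_distinct distinct probe paths inside one
    time window. Ordinary 404s (a missing favicon, a stale image) never count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in PROBE_PATHS:
            ts, ip, rel = parsed
            events[ip].append((ts, rel))
    scanners = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                scanners[ip] = sorted({p for _, p in hits})
                break
    return scanners

# Constructed sample: one scanning client and one client with harmless 404s.
SAMPLE_LOG = """\
[Mon May 23 01:21:00 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/admin
[Mon May 23 01:21:01 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/admin.php
[Mon May 23 01:21:01 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/admin.php
[Mon May 23 01:21:03 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/wp-login.php
[Mon May 23 01:21:05 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/xmlrpc.php
[Mon May 23 01:21:09 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/src
[Mon May 23 01:21:14 2016] [error] [client 203.0.113.5] File does not exist: /var/www/html/typo3
[Mon May 23 01:30:00 2016] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The output lists the scanning IP with the probe names it tried; the client that only missed a favicon is not reported.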

The Big Erns

23 May 2016, 7:57 am

You are in the stage where you are needing to discern which attacks to defend against and which to ignore. I think that probably all of that is ignorable. Still, time to bone up on what the anti-hacker strategies are these days… remember, they evolve too.

I doubt you’ll find this forum helpful… after all, Freeway is for people who don’t want to learn code, so they may not be the best advisors. Someone else on the internet gave this advice, which seemed to me like a good starting place for this kind of stuff…

Some of those are automated attacks; you could introduce a delay for specific requests, but it won’t stop them. The effort to block or introduce a delay would have a negligible effect on the attacker. You shouldn’t worry about those requests, since they will happen no matter what you do as long as your website is publicly available. There are tons of people doing those automated attacks, so punishing one person with a delay will not prevent more from coming in from someone else. Same goes for blocking IPs: if you block one IP, another will show up in its place.

The best way to deal with an attack is to be prepared: keep an eye out for libraries and features that you use on your website to see if they are vulnerable to an attack. Also ensure you are not vulnerable to common attacks like SQL injection, XSS, CSRF, etc.

Best of luck

no longer subscribed to this discussion…

JDW

23 May 2016, 8:28 am

Thank you, Ernie.

—James W.

Ashley

24 May 2016, 11:18 am

Just a suggestion but signing up for CloudFlare can add a considerable degree of protection to your site, even with a free account.

Ashley

Rapidweaver 7.5.6, Blocs 3.2.1

https://greatwebdesign.uk/

Author of Colour Management Pro https://colourmanagementpro.com

JDW

25 May 2016, 12:05 am

Thank you, Ashley, but I currently do not use a CDN, nor have I really understood the reason for having one in my situation. My sites have never been hacked either. I simply have recently been looking at the server Error Logs and discovered the aforementioned hack attempts. Unsettling, but as Ernie said, perhaps nothing to worry about, especially since I do not have WordPress.

—James Wages

Nashatai

28 Jul 2016, 8:43 am

Guys, thank you for the useful tips. What can you say about DDoS attacks? They are not so trivial as they were about 10 years ago; now the attackers use sophisticated methods to disable your protective measures. For example, they use different IP addresses so that you cannot separate them from legitimate users, and not every hosting provider can calculate and track them. What to do in such cases?