Are these hacking attempts?

Printable View

03-09-2006, 01:49 PM
dc dalton

Are these hacking attempts?

Getting more strangeness in my logs, all coming out of china (per the IP)

Code:

209.26.212.163 - - [09/Mar/2006:14:48:55 -0500] "GET /sock4.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:48:58 -0500] "GET /sock5.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:01 -0500] "GET /socks4.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:04 -0500] "GET /socks5.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:07 -0500] "GET /socks.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:10 -0500] "GET /sock.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:12 -0500] "GET /good.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:14 -0500] "GET /goods.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:16 -0500] "GET /proxy.php HTTP/1.1" 500 1022 "-" "-" 209.26.212.163 - - [09/Mar/2006:14:49:18 -0500] "GET /proxies.php HTTP/1.1" 500 1022 "-" "-"

there's 3 or 4 more all hitting the site for stupid files that aren't there. I've already banned them via the .htaccess file but I was really curious what kind of stupidity this really is!
03-09-2006, 02:14 PM
Sagewing

I see stuff like that in my logs, too. There are so many bots scanning for security holes, it's impossible to keep up. My server adminstrator has my server incredibly well locked down, with all kinds of auto-ban type mechanisms running. I have never actually been hacked but I get an e-mail when a big attack is in progress.

It's incredible to see how often my servers get attacked!
03-09-2006, 02:21 PM
Chris

IF you run your own server its crazy to see how many brute force cracking attempts are done against the root account. Hundreds a day easy. This is why it is so very important to have a alphanumeric password.
03-09-2006, 07:04 PM
platinum

Yeah it's crazy, I recommend installing BFD (needs APF). It automatically detects bruteforce attacks and bans the IP.

Also, I generally change the port SSHd runs on, basically stopped any attempted attacks.
03-09-2006, 07:21 PM
dc dalton

My servers are locked down like a vault so even though we see some attacks they never get through.
03-09-2006, 07:37 PM
KLB

One idea I have is to create a script that records and bans the IP address of these types of requests for a period of time. It should be pretty easy. I do something similar for bad bots.
03-10-2006, 09:58 AM
Westech

Quote:

Originally Posted by Chris

IF you run your own server its crazy to see how many brute force cracking attempts are done against the root account. Hundreds a day easy. This is why it is so very important to have a alphanumeric password.

It's truly scary to see how many of these types of automated attacks are out there. I used to try to look up the ip's and report them to their ISP's, but there are so many that there's no way to keep up with them.

In addition to complex non-dictionary passwords, it's also a good idea to disable direct root logon via ssh. Create a separate account with a non-obvious name, ssh in with it, and then switch to the root account as necissary.

This forces the crackers to guess 3 things (ssh logon username, ssh logon password, root password) instead of just one root password.
03-10-2006, 11:41 AM
moonshield

Indeed. I get thousands of those attacks each and every day - mostly from Germany and Israel. I run some antiDNS script that blocks the IP once they try to login like 6 times.

I have also taken the steps Westech has suggested, most of these attacks are shooting at nothing..