
Thread: Are these hacking attempts?

  #1 dc dalton (Your average angry alien) | Join Date: Mar 2006 | Location: Stuck in FREAKING PA | Posts: 127

    Are these hacking attempts?

    Getting more strangeness in my logs, all coming out of China (per the IP).

    Code:
    209.26.212.163 - - [09/Mar/2006:14:48:55 -0500] "GET /sock4.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:48:58 -0500] "GET /sock5.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:01 -0500] "GET /socks4.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:04 -0500] "GET /socks5.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:07 -0500] "GET /socks.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:10 -0500] "GET /sock.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:12 -0500] "GET /good.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:14 -0500] "GET /goods.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:16 -0500] "GET /proxy.php HTTP/1.1" 500 1022 "-" "-"
    209.26.212.163 - - [09/Mar/2006:14:49:18 -0500] "GET /proxies.php HTTP/1.1" 500 1022 "-" "-"
    There are 3 or 4 more, all hitting the site for stupid files that aren't there. I've already banned them via the .htaccess file, but I was really curious what kind of stupidity this really is!

  #2 Sagewing (Registered) | Join Date: Mar 2006 | Posts: 113
    I see stuff like that in my logs, too. There are so many bots scanning for security holes, it's impossible to keep up. My server administrator has my server incredibly well locked down, with all kinds of auto-ban type mechanisms running. I have never actually been hacked, but I get an e-mail when a big attack is in progress.

    It's incredible to see how often my servers get attacked!

  #3 Chris (Administrator) | Join Date: Feb 2003 | Location: East Lansing, MI USA | Posts: 7,048
    If you run your own server, it's crazy to see how many brute force cracking attempts are done against the root account. Hundreds a day, easy. This is why it is so very important to have an alphanumeric password.
    Chris Beasley - My Guide to Building a Successful Website

  #4 platinum (Registered) | Join Date: Mar 2006 | Location: Adelaide | Posts: 19
    Yeah, it's crazy. I recommend installing BFD (needs APF). It automatically detects brute-force attacks and bans the IP.

    Also, I generally change the port SSHd runs on; that basically stopped any attempted attacks.

  #5 dc dalton (Your average angry alien) | Join Date: Mar 2006 | Location: Stuck in FREAKING PA | Posts: 127
    My servers are locked down like a vault, so even though we see some attacks they never get through.

  #6 KLB (Site Contributor) | Join Date: Feb 2006 | Location: Saco Maine | Posts: 1,181
    One idea I have is to create a script that records and bans the IP address of these types of requests for a period of time. It should be pretty easy. I do something similar for bad bots.
    Ken Barbalace - EnvironmentalChemistry.com (Environmental Careers, Blog)
    InternetSAR.org: Volunteers Assisting Search and Rescue via the Internet
    My Firefox Theme Classic Compact: Based on Firefox's classic theme but uses much less window space
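A minimal version of the idea in this post, added here as an example (it is not KLB's script or anything else from the thread): parse Apache access-log lines in the layout quoted in the first post, flag an IP that produces several error responses within a short window, record an expiry for the ban, and emit the `deny from` lines the original poster added to .htaccess by hand. The sample log lines are constructed from the thread's excerpt; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample input modelled on the thread's excerpt (not a real capture).
SAMPLE_LOG = """\
209.26.212.163 - - [09/Mar/2006:14:48:55 -0500] "GET /sock4.php HTTP/1.1" 500 1022 "-" "-"
209.26.212.163 - - [09/Mar/2006:14:48:58 -0500] "GET /sock5.php HTTP/1.1" 500 1022 "-" "-"
209.26.212.163 - - [09/Mar/2006:14:49:01 -0500] "GET /socks4.php HTTP/1.1" 500 1022 "-" "-"
209.26.212.163 - - [09/Mar/2006:14:49:04 -0500] "GET /proxy.php HTTP/1.1" 500 1022 "-" "-"
192.0.2.10 - - [09/Mar/2006:14:49:05 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Mar/2006:14:49:09 -0500] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_probers(log_text, threshold=3, window=timedelta(seconds=60),
                 ban_for=timedelta(hours=24)):
    """Return {ip: ban_expiry} for IPs with `threshold` or more error responses
    (4xx/5xx) inside `window`. Normal traffic (2xx/3xx) is ignored entirely."""
    errors = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] >= 400:
            errors[rec["ip"]].append(rec["ts"])
    bans = {}
    for ip, times in errors.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window of size threshold
            if times[i + threshold - 1] - times[i] <= window:
                bans[ip] = times[i + threshold - 1] + ban_for  # expiry, so bans can be lifted
                break
    return bans

def htaccess_deny_lines(bans):
    """Apache 2.2-style .htaccess lines for the banned IPs (what the OP did by hand)."""
    return [f"deny from {ip}" for ip in sorted(bans)]
```

A cron job can re-run this over the rotated log and drop entries whose expiry has passed, so a shared or reassigned address is not blocked forever.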

  #7 Chronic Entrepreneur | Join Date: Nov 2003 | Location: Tulsa, Oklahoma, USA | Posts: 1,112
    Quote Originally Posted by Chris:
        If you run your own server, it's crazy to see how many brute force cracking attempts are done against the root account. Hundreds a day, easy. This is why it is so very important to have an alphanumeric password.
    It's truly scary to see how many of these types of automated attacks are out there. I used to try to look up the IPs and report them to their ISPs, but there are so many that there's no way to keep up with them.

    In addition to complex non-dictionary passwords, it's also a good idea to disable direct root logon via ssh. Create a separate account with a non-obvious name, ssh in with it, and then switch to the root account as necessary.

    This forces the crackers to guess 3 things (ssh logon username, ssh logon password, root password) instead of just one root password.

  #8 moonshield (Registered Member) | Join Date: Aug 2004 | Location: Charlotte | Posts: 1,281
    Indeed. I get thousands of those attacks each and every day, mostly from Germany and Israel. I run some antiDNS script that blocks the IP once they try to log in like 6 times.

    I have also taken the steps Westech has suggested; most of these attacks are shooting at nothing.
