
My web site was under an SQL injection attack for a while. After it was noticed, I closed the problem places and the attacks have failed.

Examining the logs I find about 46 unique IPs have been trying to run SQL injection attacks consisting of more than 500 GET/POST requests over a couple of weeks (highest one was 147816 requests).

After the loopholes were closed the number of requests dropped right down (to a handful a day - probably just probing).

My question is, is there any point trying to report these guys? They are probably from some compromised machine somewhere, so maybe not.

Related: Is there a way to report IP addresses scanning for Exploits?

However this isn't a scan - the volume implies they knew it was a success.

I can imagine a couple of scenarios:

  • These addresses are actually the attacker, in which case they may be able to "assist the police with their enquiries".
  • These addresses are from some innocent victim, in which case they would probably be pleased to be told their machine is infected.

Assuming the answer is "yes, report it", the next question is "to whom?". If I have to spend an hour filling in a lengthy form, per address, it won't really be worth it.


Countries involved

(edited to add)

I am in Australia.

The most prolific attacker is in Montreal, Canada.

Others are:

  • Bromley, UK (near London)
  • Glattfelden, Switzerland
  • Amsterdam, The Netherlands

It's hard to see one police jurisdiction getting interested in this, unless they have a special department to handle world-wide attacks.

Nick Gammon
  • 1,197
  • 7
  • 15
  • My opinion is that it's probably not worth your time, I've been down this route before. Even if you can pin it to a particular individual (not really hard to do this), there are ways the attacker can deny it or claim their network was being misused without their consent (depends on the country whether this matters or not). Defending against it should be your top priority, if no damage has been caused yet - it's a blessing in disguise. –  Nov 21 '16 at 08:52
  • EDIT: Sorry, just misread - appears as though you've already put defenses in place. Expect many attempts at 'profiling' your systems for injection vulnerabilities and other attack vectors, some of the services that do so are automated anyway and it'll happen from time to time, targeted or not. –  Nov 21 '16 at 08:54
  • What you encounter can be part of a `botnet` that carries out distributed attacks. You may use info from netcraft.com to check the ISP that owns the netblock and report to the corresponding entity. But nothing is guaranteed. If this ends up being an infected end user computer (that uses a random IP), little can be done. – mootmoot Nov 21 '16 at 08:57

2 Answers

If you are suspecting they are using a compromised machine, you can notify the administrator of the network. You can find contact information by doing a whois lookup:

$ whois 151.301.193.69

...
OrgAbuseHandle: ABUSE4771-ARIN
OrgAbuseName:   Abuse Account
OrgAbusePhone:  +1-555-496-9353
OrgAbuseEmail:  abuse@example.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE4771-ARIN
Sjoerd
  • 28,707
  • 12
  • 74
  • 102
  • 1
    Good to point out how to get the abuse contact information, but don't expect anything to come from that. The IP addresses that are involved are usually just proxies, so the only thing that will happen (at best) is that the ISP responsible for the network will tell the client that held the IP in question that he should check his system for viruses. So, you're doing these people a favour, but it won't help with your problem. Such attacks happen all the time, they're just business as usual for ISPs and not worth following up. – Out of Band Nov 21 '16 at 15:21
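To turn the question's log review and this answer's whois lookup into a repeatable triage step, here is an added example (not code from the question or the answer): it counts injection-looking requests per client IP from access log lines, keeps only the IPs at or above the 500-request threshold the question uses, and pulls the abuse mailbox out of whois text. The log lines, the whois record and the SQL injection indicator patterns are constructed for illustration; a real whois lookup would be run with the `whois` command shown above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined/common log format: client IP first, the request in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

# Rough indicators of SQL injection probing, applied to the URL-decoded request.
# Constructed for this example; tune to the application's own parameter names.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|'\s*(or|and)\s|--\s|sleep\s*\(|information_schema",
    re.IGNORECASE,
)

# whois abuse fields as printed by ARIN (OrgAbuseEmail) and RIPE (abuse-mailbox).
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

def injection_counts(log_text):
    """Return a Counter of injection-looking requests per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if SQLI_RE.search(unquote(m.group("req"))):
            counts[m.group("ip")] += 1
    return counts

def worth_reporting(log_text, threshold=500):
    """IPs whose injection attempts reach the threshold from the question."""
    return {ip: n for ip, n in injection_counts(log_text).items() if n >= threshold}

def abuse_contact(whois_text):
    """First abuse mailbox found in whois output, or None if the record has none."""
    m = ABUSE_RE.search(whois_text)
    return m.group(1) if m else None

# Constructed sample: one client hammering id= with payloads, one ordinary visitor.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [20/Nov/2016:10:00:01 +1100] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512',
     '203.0.113.10 - - [20/Nov/2016:10:00:02 +1100] "GET /item.php?id=1\'%20AND%201=1--%20 HTTP/1.1" 200 512'] * 300
    + ['198.51.100.7 - - [20/Nov/2016:10:00:03 +1100] "GET /index.html HTTP/1.1" 200 1024'])

# Constructed whois excerpt with the same field names as the answer's output.
SAMPLE_WHOIS = "OrgAbuseHandle: ABUSE-EXAMPLE\nOrgAbuseName:   Abuse Account\nOrgAbuseEmail:  abuse@example.net\n"

if __name__ == "__main__":
    for ip, n in worth_reporting(SAMPLE_LOG).items():
        print(f"{ip}: {n} injection attempts -> report to {abuse_contact(SAMPLE_WHOIS)}")
```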

As these sound like normal Internet scanning/probing attempts, the usual advice in situations like yours, where attacks are coming from multiple jurisdictions, is not to bother, as in general nothing can be done about it.

If you want to put in the effort, you could try notifying the owner of the whois records for each of the IP addresses (company or ISP) because chances are they are unaware their machines are attacking you. It is most likely they are compromised as part of a botnet.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • Your advice is very sound, and I agree that the device in question is probably not actually owned by the attacker. It seems odd, though, that the mechanism for stopping these attacks is so vague. These botnets are a pain, and it looks like there is no real centralized way of letting people know that their machine is compromised. – Nick Gammon Nov 22 '16 at 05:40
  • Nick - there is no way possible to let everyone in a botnet know... – Rory Alsop Nov 22 '16 at 22:00