27

My site has been getting probed by a bunch of IPs from Morocco (trying to submit forms, trying out potential URLs, trying to execute scripts, etc.). I have a strong suspicion it's the same person after observing the pattern of how they behave. Looking at the logs, they don't seem to have found any vulnerabilities. I'm not sure what I should do about this other than keep observing. Blocking the IP doesn't seem useful since it seems to change.

Is there anything I can do about it at this point?

Jad S

4 Answers

66

Welcome to the internet! This is the normal situation, business as usual.

You don't have to do anything but harden your website. Probes like that occur all the time, on every site, day and night. Some people call that "voluntary pen testing."

Depending on your site, there are some tools that you can use to help you keep those kinds of probes out of the site. Wordpress sites have a couple of plugins (you can search for Security plugins in the plugins directory), and I believe the other popular platforms out there will have equivalent plugins.

Another tool I usually employ is fail2ban. It can parse your webserver log files and react accordingly.

ThoriumBR
  • 19
    How's that voluntary? Didn't you mean involuntary? – d33tah Nov 05 '18 at 15:43
  • 24
    @d33tah because those *helpful* security probes are volunteering their resources to pen test your website. – aaaaaa Nov 05 '18 at 16:22
  • 28
    I mean voluntary. They are testing your site for free. Sometimes they even send you a damage report, but don't count on that... – ThoriumBR Nov 05 '18 at 17:34
  • 5
    @ThoriumBR: Ah. The "attacker" is volunteering. Got it. That's also only questionably legal, last I checked. Not outright illegal, but a grey area. – Mooing Duck Nov 05 '18 at 18:50
  • 1
    IANAL, but it heavily depends on your jurisdiction. In some places a scan is illegal, in others it isn't. Usually, unless the attacker causes a measurable loss, no law enforcement will pursue. And if the attacker is in another jurisdiction, you can forget about pursuing him unless there's *a lot* of damage. – ThoriumBR Nov 05 '18 at 19:00
  • 13
    Nice to see these generous people for their *volunteer* work. Maybe they would even crack my site and create *backups* of my customer data, *for free*! It is very helpful. :-) – peterh Nov 06 '18 at 04:53
  • 1
    @peterh "Yeah, and if you could fix some of the bugs in my system while you're here, that would be *great*. *Yeah*." – Michael Nov 06 '18 at 04:56
  • 2
    @Michael That's not unheard of. During the last cryptocurrency mining craze, malicious miner programs exploited CVEs (notably including a serious Drupal exploit) to infect servers, some of them actually patched that CVE after infection to reduce competition from rival hackers. – March Ho Nov 06 '18 at 09:43
5

The first step outside of immediately looking to a solution is to conduct a pentest of your own site and be actually aware of what weaknesses there are in your site. If you don't know what you are protecting, then how will you know to protect it?

First, look at the infrastructure, such as the CMS. For example, if you are using Wordpress, then there are pentesting tools for Wordpress available both as apps and command-line tools, i.e. Wordfence, and I've also used WPscan.

A second option is to look at tools like OWASP zaproxy and do an attack scan of your network to gain a list of vulnerabilities. Just a note that some of these could be false positives.

Your findings may mirror what has already been found, but I think knowing what the vulnerabilities are in your own site is useful.

The next step is how you are finding out about these probes. If it was a manual check, you can also consider setting up some log collection system like NXLog.

NASAhorse
  • A great plugin for Wordpress is Wordfence. It automatically blocks suspicious requests. Also it makes it easy to view all traffic and block in one click. – Coomie Nov 06 '18 at 03:04
2

Work out what they are looking for, and ban their IP for a month or two if they try it on. You might also dummy up some PHP to slow them down.

Do not refer them to other sites for huge downloads, and do not leave malware for them to find.

90% will be Wordpress, PHPMyAdmin, Telephony. If they are script kiddies the same old values pop up.

Look into Fail2Ban and DenyHosts for ideas.

If you are actually running WP, harden it up with a security solution.

Only allow access to admin tools and any database by exception, and this should almost never be from an Internet address, but something local with its own Bastion-like protection.

mckenzm
0

If I had a cent for every scan my website gets...

Literally, if you check your logs, you will notice a constant stream of automated probes and attacks. When I consult for clients (I work in information security), I call this "background noise". It is there, and any attempt to do anything about it is more costly than just accepting that it's there. I would even go so far as to filter it out before you pipe the logfiles into your monitoring, alerting, SIEM, etc. systems.

What you must do is keep your systems up-to-date and patched. Almost all of these attacks are using well-known and often quite old exploits. They are fishing for easy targets.

What you should do is spend a little bit of time on hardening your system. Setting up permissions correctly, blocking unused ports, disabling unused software, running stuff under dedicated users, that kind of stuff.

What you can do, especially for a private website with a local audience, is to block out broad IP ranges belonging to China, Russia, Europe and/or the USA, depending on where your audience isn't. The vast majority of attacks originate from these origins, and if you don't have anyone in, say, the USA who reads your webpage because your webpage is about your local dog club in Spain, you can reduce the noise just by blocking them out at the firewall. I write "can" because it doesn't make much of a difference, really, but it will reduce the noise in your log (it will also affect your Google ranking, but that's a different subject).

Tom
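An added example, not code from any of the answers above: a small fail2ban-style detector over combined-format access logs that covers two of the suggestions in this thread, ThoriumBR's "parse your webserver log files and react" and Tom's "filter the background noise out before it reaches the SIEM". The scanner path list, the thresholds and the log lines are all constructed for illustration.

```python
# Added example (not from any answer above): fail2ban-style probe detection
# over Apache/nginx combined-format access logs, plus a noise splitter so only
# non-probe lines are forwarded to monitoring/SIEM. All sample data is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths this (hypothetical) site never serves; scanners request them blindly.
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/phpmyadmin", "/.env", "/cgi-bin/")

def parse_line(line):
    """Return dict(ip, ts, path, status) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], TS_FMT)}

def is_probe(e):
    """A hit on a known scanner path, or any 4xx response, counts as a probe."""
    p = e["path"].lower()
    return any(p.startswith(x) for x in PROBE_PATHS) or 400 <= e["status"] < 500

def find_probing_ips(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban semantics: an IP with >= maxretry probe hits inside findtime gets banned."""
    recent, banned = defaultdict(list), set()
    for e in filter(None, map(parse_line, lines)):
        if not is_probe(e):
            continue
        # sliding window: keep only this IP's hits within findtime of the newest one
        recent[e["ip"]] = [t for t in recent[e["ip"]] if e["ts"] - t <= findtime] + [e["ts"]]
        if len(recent[e["ip"]]) >= maxretry:
            banned.add(e["ip"])
    return banned

def split_noise(lines):
    """Separate probe noise from the lines worth shipping to monitoring/SIEM."""
    keep, noise = [], []
    for line in lines:
        e = parse_line(line)
        (noise if e and is_probe(e) else keep).append(line)
    return keep, noise

# Constructed sample log: 203.0.113.7 probes in a burst, 192.0.2.9 hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2018:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [05/Nov/2018:14:01:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [05/Nov/2018:14:01:05 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [05/Nov/2018:14:01:06 +0000] "POST /contact HTTP/1.1" 403 150 "-" "-"
203.0.113.7 - - [05/Nov/2018:14:01:08 +0000] "GET /.env HTTP/1.1" 404 209 "-" "-"
198.51.100.2 - - [05/Nov/2018:14:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
192.0.2.9 - - [05/Nov/2018:13:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
192.0.2.9 - - [05/Nov/2018:15:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
""".splitlines()
```

Running `find_probing_ips(SAMPLE_LOG)` flags only the burst from 203.0.113.7; the two widely spaced hits from 192.0.2.9 stay under the window, which is the same trade-off a fail2ban `findtime`/`maxretry` pair makes.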