13

Our sites are constantly under attack from bots with IP addresses resolving to China, attempting to exploit our systems. While their attacks are proving unsuccessful, they are a constant drain on our servers' resources. A sample of the attacks would look as such:

```
2010-07-23 15:56:22 58.223.238.6 48681 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48713 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48738 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.6/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48761 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.7/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48784 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.8/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48806 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.9/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48834 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48857 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48886 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48915 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48997 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49023 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49044 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49072 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.3/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49094 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49122 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:30 58.223.238.6 49152 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.6/scripts/setup.php 400 - Hostname -
```

They are literally hitting our servers 24/7, multiple times each second, looking to find an exploit. The IP addresses are always different, so adding rules to the firewall for these attacks only serves as a short-term solution before they start up again.

I'm looking for a solid approach to identifying these attackers when the website is served. Is there a programmatic way to add rules to IIS upon identifying an IP address, or a better way to block these requests?

Any ideas or solutions for identifying and blocking these IP addresses would be very welcomed. Thanks!

Holocryptic
  • 5,665
  • 2
  • 28
  • 37
George
  • 293
  • 3
  • 11
  • Notifying the abuse contact associated with the IP is a start. They may not be aware their IP is the source. – jl. Jul 23 '10 at 17:51
  • Tell me about it! My website is also under constant attack. Every day there is a bot looking for wordpress vulnerabilities. I keep blocking them using htaccess as they issue thousands of 404s! –  May 06 '13 at 22:45

11 Answers

10

Please don't blacklist entire countries, or even large address blocks.

Consider the implications of these actions. Even blocking a single address could block the connectivity to your site for a significant number of users. It's entirely possible the legitimate owners of the hosts don't know their boxes have been 0wned.

You did show traffic coming "24/7"... but I would ask you to evaluate whether the drain on your resources is really significant (I see three hits a second max from that log snippet).

Do investigate your options. Make sure your servers are indeed hardened, conduct your own vulnerability assessment and review of your site code. Look into per-source rate-limiters, web application firewalls, and the like. Secure your site, preserve your resources, and do what makes sense for your business needs.

I say this as someone whose services used to be regularly blocked by the Great Firewall of China. If your site ends up being good enough, maybe they'll even block their users from getting to you!

medina
  • 1,970
  • 10
  • 7
  • With all respect, that's an extreme case you cited. Unless his website is a worldwide portal of education I don't think it applies. Even though he accepted it as the best answer, I wouldn't recommend this to people who come upon this thread in the future. – Copy Run Start May 07 '13 at 01:50
  • I think it still applies and is good advice, simply because botnets are global networks and these sorts of attacks can come from any IP address world wide, even if the persons controlling the botnet are in a single country their networks are not. Most linux distros these days include the iptables module "recent" for performing per source rate limiting on the number of connections per time period. There's probably something available for apache to rate limit per-source based on number of http error pages they generate too. – BeowulfNode42 Jun 24 '15 at 01:27
5

I block entire countries. The Chinese have ONLY purchased a single item from over 3000 of my sites and yet they used to account for 18% of my bandwidth. Of that 18% about 60% of it was bots looking for scripts to exploit.

  • update - After many years I turned off blocking China. I was flooded with real non-bot traffic on a few key terms from Baidu. After about 400,000 hits over a weeks time I made one sale only after I had created a special page in Simplified Chinese. Not worth the bandwidth. I am going back to blocking them.

You could also set up a simple htaccess rule to redirect them to the Chinese version of the FBI every time they look for anything starting with phpmyadmin without case.

V_RocKs
  • 51
  • 3
2

You can try looking into snort which is an Intrusion Detection System (search for it on wikipedia as I can't link more than one url). Check that your firewall may have something already. An IDS scans incoming traffic and if it sees an exploit it knows about it can block it on the firewall.

Aside from that, not much you can really do. I wouldn't bother notifying the abuse contact of the IP address as it's unlikely anything will result from it unless you see a lot of attacks from a single IP address. The only other suggestion is to keep your servers up to date and any third party scripts you use up to date so you don't become a victim of one of these attacks.

2

Well, according to the apnic registry of iana, the IP address 58.223.238.6 is part of a block assigned to China Telecom - with the whole block being 58.208.0.0 - 58.223.255.255. I'm not sure exactly how you want to approach it. If it were me, I would block the entire address range in my rules and be done with it. But that might be too much of a scorched earth policy for you to be comfortable with.

I'm not a web admin so take this with a grain of salt, but you might be able to craft something that monitors access from a set of IP ranges (China), and then gives them the boot if there is activity that points to exploitation attempts.

HTH

Holocryptic
  • 5,665
  • 2
  • 28
  • 37
  • I've had servers come under attack and blocked encompassing subnets from China to halt the traffic. I've considered making this more of a permanent move; unless running international services that require communication with China, I'm not sure what the downside would be. – ManiacZX Jul 23 '10 at 20:29
  • @ManiacZX that was my thinking. The funny thing is that the contact listed is anti-spam@hostingcompany. Talk about ironic. – Holocryptic Jul 23 '10 at 20:38
  • @Maniac -- Unfortunately, a big part of our business is in China, so doing anything that blocks large subnets in China would probably be a bad idea. – George Jul 23 '10 at 21:00
  • @George if that's the case, I would look at hardware/software IPS/IDS systems to dynamically detect and block IP addresses in that case, like Jason and vrillusions have suggested. – Holocryptic Jul 23 '10 at 21:42
  • Agreed, if you are doing business there, you aren't going to be able to avoid it 100% and will require "smart" tools to stop as much as you can. – ManiacZX Jul 23 '10 at 22:10
  • Another thing to consider, I've seen this used on the mail side, is look for tools that instead of just ignoring or rejecting packets will actually accept their request, then take a while to respond. Odds are their tools aren't that well written and so will be waiting for your response before going on to the next. One blank response every 5 seconds is a lot better than 100 rejections per second. – ManiacZX Jul 23 '10 at 22:13
2

Might be time to look into a good hardware solution. A Cisco ASA with an IPS module would be about as close to rock solid as you're going to get.

http://www.cisco.com/en/US/products/ps6825/index.html

Jason Berg
  • 18,954
  • 6
  • 38
  • 55
  • +1 - I couldn't agree with you more - there's no way in hell that important production servers should be directly fronting requests - that's what firewalls and/or load-balancers are for. – Chopper3 Jul 24 '10 at 07:10
  • How is an ASA going to fix this? Specifically, how is an ASA going to fix this better than just blocking the IP? – devicenull May 07 '13 at 00:31
1

McAfee enterprise hardware appliances (a buyout of the former Secure Computing Sidewinder series) has a Geo-location feature that lets you apply filters to particular countries or regions. It may be tricky to get the balance right though if you have a lot of legitimate traffic from China too.

1

If you are using IIS - there is a good program called IISIP from hdgreetings dot com that will update your server block lists by IP or Range using a custom text file or also block China or Korea entirely using updates lists from Okean dot com.

Part of the logic in stopping this is that if they are only blocked - it consumes server resources to block and they keep on trying. If they are redirected to a loop - it consumes their servers instead. As well - if they are directed to censored materials - they will in turn be censored by their own system and possibly prevented returning.

For the problem of hacker bots trying phpmyadmin etc. my solution was to read my log files and make all the folders in wwwroot they are looking for then put in each one the php file names they try to access. Each php file then simply contains a redirect to some other place - so when they access it - it sends them off elsewhere. As my webs are all using host headers - it does not affect them at all. A google lookup will provide info on how to write a very simple php script for redirection. In my case I send them either to the honeypot project or send them to a script that generates infinite junk emails in case they are harvesting. Another alternative is to redirect them back to their own ip or to something they will censor themselves.

For China ftp dictionary hacker bots using IIS there is a nice script called banftpips that will automatically add the attackers IP to the ban list on failed attempts. It is a bit tricky to get working but does work exceptionally well. The best way to make it work is to use multiple copies of the script using the name first tried as the script only seems to accept one name rather than an array. Example: Administrator, admin, abby etc. It can be found by google also.

These solutions work on IIS5 Win2K and probably also on newer IIS as well.

Larry
  • 11
  • 1
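One way to turn the question's log into a block list, as an added example that is not from the thread or from any of the tools named in it: it parses IIS W3C lines by their `#Fields` header, counts per-source hits on the phpMyAdmin `setup.php` probe path inside a sliding window (the per-source rate limiting medina's answer mentions, applied to Larry's idea of reading the log files), and emits a `netsh` command for each offender. The sample log, the threshold of 3 hits per 60 seconds and the firewall rule name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the question's IIS W3C layout (not real traffic): only
# 58.223.238.6 is from the thread; 192.0.2.10 and 203.0.113.5 are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri-stem sc-status
2010-07-23 15:56:22 58.223.238.6 48681 203.0.113.5 80 HTTP/1.1 GET /phpMyAdmin-2.6.4/scripts/setup.php 400
2010-07-23 15:56:23 58.223.238.6 48713 203.0.113.5 80 HTTP/1.1 GET /phpMyAdmin-2.6.5/scripts/setup.php 400
2010-07-23 15:56:23 58.223.238.6 48738 203.0.113.5 80 HTTP/1.1 GET /phpMyAdmin-2.6.6/scripts/setup.php 400
2010-07-23 15:56:30 192.0.2.10 51000 203.0.113.5 80 HTTP/1.1 GET /index.html 200
2010-07-23 15:57:01 192.0.2.10 51001 203.0.113.5 80 HTTP/1.1 GET /phpmyadmin/scripts/setup.php 404
"""

# A path only a vulnerability scanner asks for on a site that has no phpMyAdmin.
PROBE_RE = re.compile(r"^/phpmyadmin[^/]*/scripts/setup\.php$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_offenders(rows, threshold=3, window=timedelta(seconds=60)):
    """Return [(ip, total_probe_hits)] for clients that made >= threshold probe
    requests inside any sliding window of the given length, busiest first."""
    recent = defaultdict(deque)   # ip -> timestamps of probe hits still in window
    total = defaultdict(int)      # ip -> probe hits over the whole log
    flagged = set()
    for row in rows:
        if not PROBE_RE.match(row["cs-uri-stem"]):
            continue                # ordinary traffic never counts against a client
        ip = row["c-ip"]
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(((ip, total[ip]) for ip in flagged), key=lambda t: -t[1])

def block_rule(ip):
    """Windows Firewall command that drops inbound traffic from ip (run elevated)."""
    return 'netsh advfirewall firewall add rule name="block %s" dir=in action=block remoteip=%s' % (ip, ip)
```

Feed it the live log in a scheduled task and review the output before running the generated commands, and expire rules after a while, since the addresses change and a blocked host may be a compromised legitimate client.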
0

Install Config Server Firewall (CSF) and set the security to block any one that hammers.

We run it on ALL of our servers.

VisBits
  • 101
  • 1
  • 4
0

First and foremost make sure everything is up to date. Hide services like (!!!) phpmyadmin (!!!). It would also be a good idea to do a whois on these IP addresses and report this activity to their abuse email address. But it's probably the Chinese government so you'll just give them something to laugh about. Here is information about reporting the issue to the FBI.

In all reality you need to take matters into your own hands. You need to test your server for vulnerabilities before they find one.

Web Application testing:

  1. NTOSpider ($$$) - Very good, and this is probably better technology than they have.
  2. Acunetix ($) - Good, but not great. It will find problems.
  3. Wapiti and w3af (open source), you should run both of them. You should run every w3af attack module available. Even if you go with Acunetix or NTOSpider you should still run w3af, there is a chance it will find more issues.

Network Services Testing:

  1. Run OpenVAS with ALL plugins.

  2. Run NMAP with a full TCP/UDP scan. Firewall everything off that you don't need.

If you can't fix any of the issues, hire a professional.

Rook
  • 2,615
  • 5
  • 26
  • 34
0

"Please don't blacklist entire countries, or even large address blocks. Consider the implications of these actions. Even blocking a single address could block the connectivity to your site for a significant number of users. It's entirely possible the legitimate owners of the hosts don't know their boxes have been 0wned."

I think that it depends entirely upon the type of website, and the intended audience, whether or not blocking entire countries is wise. Sure, the legitimate owner of a host in Shanghai might not know his computer is probing a website belonging to your company. But presume your company has a local audience, or presume the website is the Outlook Web Access portal for your employees - is it a problem blocking the website for users from Shanghai?

Of course net neutrality is a good thing, but not all websites necessarily have to serve a global audience, and if you can prevent problems by blocking access from countries which do not provide legitimate web site visitors - why not do so?

0

Informing the abuse contact in China is impossible.

They won't react; often, these abuse email addresses don't even exist.

I'm blocking all Chinese IP addresses, or at least gating them and limiting their access to a minimum.

Daniel W.
  • 1,439
  • 4
  • 23
  • 46
  • Welcome to Server Fault. This is a Q&A site, not a discussion forum, so _answers should actually answer the question_. Once you have enough reputation on the site, you will be able to [leave comments on other questions and answers](http://serverfault.com/privileges/comment). – Michael Hampton Feb 01 '13 at 16:55