Basically, there must have been some vulnerability in some version of VB that would probably execute whatever code is at somehackersite-usually-russian.ru/images/cs.txt, or at least display it in a user's browser.
For the most part, these have been ferreted out by the VB team so it really isn't much to be worried about as far as security. These are just bots hitting known VB installs trying to recruit machines for some idiot's nefarious dealings. If you watch your log in real time however, you can see that this happens over and over. Multiple IPs from multiple locations. Basically, every time they hit the site, it creates load on the server.
This really annoys me because seriously, it is a waste of resources for not just me, but the hackers themselves. So finally I fired up my Perl scripting and wrote up something that searched the webserver log (access_log) and if it found any attempt to grab a thread starting with http:// it just banned it via iptables. Here is a snippet:
Code:
use strict;
use warnings;

# Read the whole access log into memory (fine for a log rotated daily).
my $logfile = '/home/mysite/logs/access_log';
open(my $fh, '<', $logfile) or die "Cannot open $logfile: $!";
my @log = <$fh>;
close $fh;

foreach (@log) {
    # Match requests that try to pass a URL as the thread id.
    if ($_ =~ m/showthread\.php\?t=http:\/\//) {
        # parse out and find IP, ban IP (unless it is mine, or in my range).
    }
}
I won't post the entire code here, but basically it saves the IPs that it bans to an array, serializes it and saves it. It loads that on script execution, unserializes it, and if a hack attempt is found in the log and the IP is not already in the array, proceeds to ban the IP with a drop:
I ran this via a cronjob every 15 minutes and over the last 5 days I have banned over 600 IP addresses. Most of these are compromised machines, I assume. Watching the logs, I see fewer and fewer hack attempts. The load on the server in question has dropped noticeably. Most of the time, this server's 30-minute average hovered around 0.50 - 0.60; it is now around 0.30 - 0.40.
Of course, the server could just be experiencing a slow week, but the numbers don't really indicate that.
I am considering redoing the script so I can release it to everyone free, it is just cobbled together at the moment so I don't really want to put it up yet.
Has anyone else here run into the same issues? Would anyone here be interested in the Perl script?
Just an update on this... I had to modify my code a bit because for some reason, I set a threshold of 5 offenses by an IP before it would ban them. It was something I had in another application of mine that I carried into it. Now I ban on the first offense.
So far over the last 7 days, 1,259 drops issued to iptables. Load throughout the day continues to drop.
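The following is an added example of the log-scan-and-ban approach described in the original post and the threshold change in the update above; it is not the thread author's script. It reads the access log, counts requests whose thread id starts with http://, skips a whitelist (so you never drop your own address or range, as the author's comment notes), remembers already-banned addresses between runs, and inserts an iptables DROP rule for new offenders. The log path, ban-list path, whitelist entries and the embedded sample log lines are constructed assumptions; the author serialized an array, whereas this version keeps one IP per line in a plain text file. It runs in dry-run mode by default and falls back to the sample lines when the real log is not readable, so it can be tried offline without root.

```perl
#!/usr/bin/perl
# Added example (not the thread author's script): scan an Apache access_log
# for the showthread.php?t=http:// probe, extract the client IP, and ban
# new offenders with an iptables DROP rule. Paths, the whitelist and the
# sample log lines below are constructed assumptions.
use strict;
use warnings;

my $LOGFILE   = '/home/mysite/logs/access_log';   # assumed path, as in the thread
my $BANFILE   = '/var/lib/vbban/banned.txt';      # assumed: one IP per line, kept between runs
my $THRESHOLD = 1;     # offenses before a ban; the author moved from 5 down to 1
my $DRY_RUN   = 1;     # print the iptables commands instead of running them
my @WHITELIST = ('127.0.0.1', qr/^192\.168\.1\./);   # assumed: own host and own range

# Constructed sample lines (Apache combined format) used when the real log
# cannot be opened, so the script can be exercised offline.
my @SAMPLE = (
  '203.0.113.10 - - [01/Jan/2008:10:00:01 +0000] "GET /forum/showthread.php?t=http://example.invalid/cs.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '192.168.1.5 - - [01/Jan/2008:10:00:02 +0000] "GET /forum/showthread.php?t=http://example.invalid/cs.txt HTTP/1.1" 200 512 "-" "curl/7.18"',
  '198.51.100.7 - - [01/Jan/2008:10:00:03 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
);

# Load the set of IPs banned on earlier runs (missing file = empty set).
sub load_bans {
    my %banned;
    if (open my $fh, '<', $BANFILE) {
        while (my $ip = <$fh>) { chomp $ip; $banned{$ip} = 1 if length $ip; }
        close $fh;
    }
    return \%banned;
}

sub save_bans {
    my ($banned) = @_;
    open my $fh, '>', $BANFILE or return;   # best effort in dry-run mode
    print {$fh} "$_\n" for sort keys %$banned;
    close $fh;
}

# Exact addresses and qr// patterns are both accepted in the whitelist.
sub whitelisted {
    my ($ip) = @_;
    for my $w (@WHITELIST) {
        return 1 if ref $w ? $ip =~ $w : $ip eq $w;
    }
    return 0;
}

# Count offending requests per client IP. The pattern is anchored on the
# request line, so an address that only appears in the referer or
# user-agent field is never counted.
sub count_offenders {
    my (@lines) = @_;
    my %hits;
    for my $line (@lines) {
        next unless $line =~ m{^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?:GET|POST) [^" ]*showthread\.php\?t=http://};
        $hits{$1}++;
    }
    return \%hits;
}

# Insert a DROP rule at the top of INPUT, exactly as the thread describes.
sub ban_ip {
    my ($ip) = @_;
    my @cmd = ('/sbin/iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($DRY_RUN) { print "would run: @cmd\n"; return 1; }
    return system(@cmd) == 0;
}

my @lines;
if (open my $fh, '<', $LOGFILE) { @lines = <$fh>; close $fh; }
else { @lines = @SAMPLE; }

my $banned = load_bans();
my $hits   = count_offenders(@lines);
for my $ip (sort keys %$hits) {
    next if $hits->{$ip} < $THRESHOLD;
    next if $banned->{$ip};            # already dropped on an earlier run
    next if whitelisted($ip);          # never lock yourself out
    $banned->{$ip} = 1 if ban_ip($ip);
}
save_bans($banned);
```

With the sample input, only 203.0.113.10 is reported for banning: 192.168.1.5 matches the probe but is whitelisted, and 198.51.100.7 requested a normal thread id. To use it for real, set $DRY_RUN to 0 and run it from root's cron as the author does. Two caveats worth keeping in mind: the script reacts only after the request has already been served, so it lowers the load from repeat visits rather than stopping the first one; and every ban is one more rule in INPUT, so after a few thousand drops a dedicated chain or an ipset lookup keeps per-packet cost bounded, and rotating the ban file lets long-gone addresses expire.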
A good firewall blocks this sort of attempted exploit automatically. I use Astaro and it blocks 70,000 or more exploits/attacks/probes daily. This is a great system and I sleep a little easier at night. Eric
Your firewall isn't going to protect your site against such an attack as the firewall has port 80 open, otherwise it would not be serving pages.
If you are serving data dynamically, of course there is a chance someone could hack your system, which is why there are patches for software.