Author Topic: Good Hackers, Bad Servers  (Read 11299 times)

0 Members and 1 Guest are viewing this topic.

May 28, 2009, 12:19:06 am
Read 11299 times

weblion

  • Newbie

  • Offline
  • *

  • 1
I'm really glad I found this site and have much reading to do.
I have many simple websites at 6 or 7 hosting companies (all shared servers).
1 seems to get hacked a lot by Remote File Inclusion.
Seems the hackers scoope out the sight several times before they actually implement code (per much time reviewing raw log files).
After getting all my sites hacked into about a year ago, I added these to my htaccess file and stopped all so far (yet I hate to block any ips):
order allow,deny
deny from 78.129.
deny from 77.92.
deny from 212.175.170.
allow from all

This month I had another hack on the same "bad  server" where I've traced all IP from the raw log files once again being compromised from many IPs yet major code being sent from 210.48.154.152 Kuala Lumpur, MY (Malaysia).

I'm aware that blocking IP blocks is not a good idea, yet find I would never have target viewing in these countries.

I've been thinking for 2 years now about moving 80+ domains from this server company yet I like the simple front end.

I'll share all knowledge I have on this subject and am fully open to suggestions!

Thanks.

May 28, 2009, 12:47:29 am
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
In my opinion, you should concentrate on finding exactly how they are exploiting your site and fix the vulnerability. Blocking IP ranges is a bad idea, the people responsible for these remote file inclusions are from all over the world, and they target servers indiscriminately. They normally use automated tools, to scan and exploit servers.

It may be code on your site which is causing the problem. Or if you notice other sites on the same server are being affected in some way. The server might be vulnerable to some form of attack. Have you tried going through access logs to see how it is happening?


May 28, 2009, 03:51:58 am
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I'm in agreement with John, blocking hackers/skiddies via IP based methods isn't going to work for long - especially given most use proxies.

You desperately need to audit your code for vulnerabilities (i.e. are you properly escaping querystrings/post data etc?)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net