Our sites are constantly under attack from bots with IP addresses resolving to China, attempting to exploit our systems. While their attacks are proving unsuccessful, they are a constant drain on our servers' resources. A sample of the attacks looks like this:
2010-07-23 15:56:22 58.223.238.6 48681 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48713 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48738 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.6/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48761 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.7/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48784 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.8/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48806 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.9/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48834 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48857 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48886 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48915 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48997 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49023 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49044 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49072 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.3/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49094 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49122 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:30 58.223.238.6 49152 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.6/scripts/setup.php 400 - Hostname -
They are literally hitting our servers 24/7, multiple times each second, looking to find an exploit. The IP addresses are always different, so adding rules to the firewall for these attacks only serves as a short-term solution before they start up again.
I'm looking for a solid approach to identifying these attackers when the website is served. Is there a programmatic way to add rules to IIS upon identifying an IP address, or a better way to block these requests?
Any ideas or solutions for identifying and blocking these IP addresses would be very welcomed. Thanks!
Please don't blacklist entire countries, or even large address blocks.
Consider the implications of these actions. Even blocking a single address could block the connectivity to your site for a significant number of users. It's entirely possible the legitimate owners of the hosts don't know their boxes have been 0wned. You did show traffic coming "24/7"... but I would ask you to evaluate whether the drain on your resources is really significant (I see three hits a second max from that log snippet).
Do investigate your options. Make sure your servers are indeed hardened, conduct your own vulnerability assessment and review of your site code. Look into per-source rate-limiters, web application firewalls, and the like. Secure your site, preserve your resources, and do what makes sense for your business needs.
I say this as someone whose services used to be regularly blocked by the Great Firewall of China. If your site ends up being good enough, maybe they'll even block their users from getting to you!
I block entire countries. The Chinese have ONLY purchased a single item from over 3000 of my sites and yet they used to account for 18% of my bandwidth. Of that 18% about 60% of it was bots looking for scripts to exploit.
You could also set up a simple htaccess rule to redirect them to the Chinese version of the FBI every time they look for anything starting with phpmyadmin without case.
You can try looking into Snort, which is an Intrusion Detection System (search for it on Wikipedia, as I can't link more than one URL). Check whether your firewall may have something already. An IDS scans incoming traffic and, if it sees an exploit it knows about, it can block it on the firewall.
Aside from that, there's not much you can really do. I wouldn't bother notifying the abuse contact of the IP address, as it's unlikely anything will result from it unless you see a lot of attacks from a single IP address. The only other suggestion is to keep your servers up to date, and any third-party scripts you use up to date, so you don't become a victim of one of these attacks.
Well, according to the APNIC registry of IANA, the IP address 58.223.238.6 is part of a block assigned to China Telecom, with the whole block being 58.208.0.0 - 58.223.255.255. I'm not sure exactly how you want to approach it. If it were me, I would block the entire address range in my rules and be done with it. But that might be too much of a scorched earth policy for you to be comfortable with.
I'm not a web admin so take this with a grain of salt, but you might be able to craft something that monitors access from a set of IP ranges (China), and then gives them the boot if there is activity that points to exploitation attempts.
HTH
Might be time to look into a good hardware solution. A Cisco ASA with an IPS module would be about as close to rock solid as you're going to get.
http://www.cisco.com/en/US/products/ps6825/index.html
McAfee enterprise hardware appliances (a buyout of the former Secure Computing Sidewinder series) have a geo-location feature that lets you apply filters to particular countries or regions. It may be tricky to get the balance right, though, if you have a lot of legitimate traffic from China too.
If you are using IIS, there is a good program called IISIP from hdgreetings dot com that will update your server block lists by IP or range using a custom text file, or also block China or Korea entirely using updated lists from Okean dot com.
Part of the logic in stopping this is that if they are only blocked, it consumes server resources to block and they keep on trying. If they are redirected to a loop, it consumes their servers instead. As well, if they are directed to censored materials, they will in turn be censored by their own system and possibly prevented from returning.
For the problem of hacker bots trying phpMyAdmin etc., my solution was to read my log files and make all the folders in wwwroot they are looking for, then put in each one the PHP file names they try to access. Each PHP file then simply contains a redirect to some other place, so when they access it, it sends them off elsewhere. As my webs are all using host headers, it does not affect them at all. A Google lookup will provide info on how to write a very simple PHP script for redirection. In my case I send them either to the Honeypot Project or to a script that generates infinite junk emails in case they are harvesting. Another alternative is to redirect them back to their own IP or to something they will censor themselves.
For Chinese FTP dictionary hacker bots using IIS there is a nice script called banftpips that will automatically add the attacker's IP to the ban list on failed attempts. It is a bit tricky to get working but does work exceptionally well. The best way to make it work is to use multiple copies of the script, each using the name first tried, as the script only seems to accept one name rather than an array. Example: Administrator, admin, abby etc. It can be found by Google also.
These solutions work on IIS5 Win2K and probably also on newer IIS as well.
Install Config Server Firewall (CSF) and set the security to block any one that hammers.
We run it on ALL of our servers.
First and foremost, make sure everything is up to date. Hide services like (!!!) phpMyAdmin (!!!). It would also be a good idea to do a whois on these IP addresses and report this activity to their abuse email address. But it's probably the Chinese government, so you'll just give them something to laugh about. Here is information about reporting the issue to the FBI.
In all reality you need to take matters into your own hands. You need to test your server for vulnerabilities before they find one.
Web Application Testing:
Network Services Testing:
Run OpenVAS with ALL plugins.
Run Nmap with a full TCP/UDP scan. Firewall everything off that you don't need.
If you can't fix any of the issues, hire a professional.
"Please don't blacklist entire countries, or even large address blocks. Consider the implications of these actions. Even blocking a single address could block the connectivity to your site for a significant number of users. It's entirely possible the legitimate owners of the hosts don't know their boxes have been 0wned."
I think that it depends entirely upon the type of website, and the intended audience, whether or not blocking entire countries is wise. Sure, the legitimate owner of a host in Shanghai might not know his computer is probing a website belonging to your company. But presume your company has a local audience, or presume the website is the Outlook Web Access portal for your employees - is it a problem blocking the website for users from Shanghai?
Of course net neutrality is a good thing, but not all websites necessarily have to serve a global audience, and if you can prevent problems by blocking access from countries which do not provide legitimate web site visitors - why not do so?