I have an older TYPO3 (v4.5.x) site, and for a while now my server has been under attack by a script kiddie. He sends quite a lot of PHP requests for URLs which do not exist on my server. I get so many PHP 500 errors back, and after a while the number of parallel PHP processes exceeds the limit and my site is down and unreachable for a while.
Any idea what I can do? How can I prevent such non-existent URLs from being processed?
If I look at these requests and google around, they are all about some vulnerabilities of WordPress or Joomla. Does anybody know if there are lists of such requests which can be added to filter/blocking lists at the Apache level? For example:
- templates/atomic/system.php
- wp-content/languages/system.php
- wp-admin/images/system.php
- plugins/captcha/jproicaptcha.php
- modules/cgi.php
- modules/mod_articless/func.php
- tmp/install.css.php
- ...
You have a number of options:
This is not really a TYPO3-specific question. It is a question of how to avoid/block DoS (denial of service) attacks, or rather, in this case, hacking attempts.
The sooner you can block / divert the attacker, the better, because you do not want him hogging your resources and creating unnecessary traffic. So if you can block the IP(s), you might want to do that (keep in mind, though, that IPs may be dynamically assigned by a provider, so this is a bit brutal and should not be done permanently).
Once the attacker does reach your webserver and generates HTTP requests, you want him to allocate as few resources as possible. So, instead of serving an error page in TYPO3 (or diverting to the start page), make sure that you block the page entirely or serve a minimal 404 page for these known URLs (e.g. a static HTML page where no access to the DB or running of PHP scripts is necessary).
Example: Apache webserver
RewriteEngine on
once and requires the module mod_rewrite (which you should have anyway, for TYPO3 rewrite rules)
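An added example, not part of the original answer, of the approach described above: mod_rewrite rules that answer the probe paths quoted in the question with Apache's built-in 404 before the request reaches PHP or TYPO3. It assumes the rules sit in the document-root .htaccess above the TYPO3 rewrite block, that no ErrorDocument 404 points at a PHP script, and that the site has no legitimate URLs ending in .php other than real files; the last rule generalizes beyond the listed paths.

```apache
# Added example: place ABOVE the TYPO3 rewrite rules in the
# document-root .htaccess so these requests never reach index.php.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Probe paths quoted in the question. "-" means no substitution;
    # R=404 makes Apache stop rewriting and answer with its own 404,
    # so no PHP process and no database connection is used.
    RewriteRule ^/?(templates/atomic|wp-content/languages|wp-admin/images)/system\.php$ - [NC,R=404,L]
    RewriteRule ^/?plugins/captcha/jproicaptcha\.php$ - [NC,R=404,L]
    RewriteRule ^/?modules/(cgi|mod_articless/func)\.php$ - [NC,R=404,L]
    RewriteRule ^/?tmp/install\.css\.php$ - [NC,R=404,L]

    # Generalization (assumption: every legitimate .php URL on this
    # site is a real file on disk, e.g. index.php or scripts under
    # typo3/). Any other request ending in .php gets a 404 from
    # Apache instead of being handed to the PHP handler or to TYPO3's
    # page-not-found handling.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule \.php$ - [NC,R=404,L]
</IfModule>

# If an ErrorDocument 404 is configured elsewhere, it must be a
# static file or a literal string, otherwise each blocked request
# still starts PHP. A literal string is the cheapest form:
# ErrorDocument 404 "Not Found"
```

REQUEST_FILENAME resolves to the filesystem path only in per-directory (.htaccess or `<Directory>`) context; inside a `<VirtualHost>` block the file test would have to use `%{DOCUMENT_ROOT}%{REQUEST_URI}` instead.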