I have been hosting with Lunar Pages for some time now, and am thrilled. I have been writing a Content Management System (CMS) web application for the last three years and have recently released a new version of it with a lot more focus on security. Going through my raw access log files, I have just under 700 hack attempts (specifically PHP injection) in the last few months (since the 27th of Nov 2007), and the number seems to be increasing dramatically: 2-3 attempts in my first week, and now over 300 last week alone (2nd week of Feb 2008).
These are some of the injection attempts from my log file, modified for public posting. I have grabbed some of the injection files that are being injected to analyze them. Some of them are rather mild, performing just server identification, and some of them rather nasty, attempting to turn the infected machine into a remote hacking bot controlled through an IRC channel.
84.53.83.254 - - [10/Feb/2008:16:34:08 -0800] "GET /!autorfipath***Text Removed***/test.txt?? HTTP/1.1" 302 225 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
***Text Removed***
201.235.253.16 - - [12/Feb/2008:08:28:56 -0800] "GET /the other hosting company.php//errors.php?error=***Text Removed***ayes.txt?? HTTP/1.1" 302 225 "-" "libwww-perl/5.808"
***Text Removed***
201.235.253.16 - - [12/Feb/2008:08:29:24 -0800] "GET //errors.php?error=***Text Removed***ayes.txt?? HTTP/1.1" 302 225 "-" "libwww-perl/5.808"
***Text Removed***
213.250.2.37 - - [12/Feb/2008:08:50:02 -0800] "GET /sub.php?sub=***Text Removed***test.txt???? HTTP/1.1" 302 225 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
***Text Removed***
69.59.17.71 - - [12/Feb/2008:08:50:46 -0800] "GET /sub.php?sub=***Text Removed***test.txt???? HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"
***Text Removed***
213.250.2.37 - - [12/Feb/2008:08:59:20 -0800] "GET /sub.php?s=***Text Removed***test.txt???? HTTP/1.1" 302 225 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
***Text Removed*** = data I removed for display.
After looking at my logs I find very few repeat IP addresses (4 times at the most), and it seems like they are using a proxy service or something like TOR (The Onion Router) to continually change IP addresses, which makes blocking IPs difficult at best.
Being security conscious, I have tried to write my code (in my web app) as well as possible to make sure these attempts do not succeed, and it seems to be working so far. But I wanted to know, from the hosting service's point of view, any good courses of action I can take to help prevent these attacks from being successful hacks, and what to do if one is successful. And I wanted to know any advice (programming/practical/or otherwise) from users about ways to thwart these types of attacks.
Things I'm doing already (website):
1. Backup regularly (at least once a week, my site doesn't change too often)
2. perform "diff" on each file (after backup) to check for new/modified/deleted files
3. Regularly manually scan raw log files
4. Use htaccess to control file access
5. Randomly generated passwords over 20 characters long
6. Passwords not in web path
(Coding)
1. My software scans for various injection attempts and redirects to an error if injection found
2. I aggressively filter all input from user
3. I allow no global vars to be passed
4. I allow no "Get" type posts using "?var=value" from the browser
5. I validate all incoming data and pre-initialize all values prior to use...
6. I try to check for directory traversal
7. I filter data before logging or display
Any other recommendations?
Thanks... I know it is a big question. But programming in PHP I see a lot of injection type attacks and just wondered what else I can learn on the topic of protection against them.
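Since the poster scans raw log files by hand (item 3 above), here is an added example, not from the original post, that automates the check: it parses Apache combined-format lines like the ones quoted and flags any request whose query-string parameter is itself an absolute URL, which is the signature of the remote file inclusion probes shown. The log lines, IP addresses (documentation ranges) and the example.invalid host are all constructed for the example.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format access logs."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# A parameter value that is an absolute URL is what an include()/require()
# of unvalidated input would fetch; that is the pattern worth alerting on.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample lines mirroring the format quoted in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2008:16:34:08 -0800] "GET /sub.php?sub=http://example.invalid/test.txt?? HTTP/1.1" 302 225 "-" "Mozilla/5.0 (X11; I; SunOS 5.4 sun4m)"',
    '198.51.100.7 - - [12/Feb/2008:08:28:56 -0800] "GET //errors.php?error=http%3A%2F%2Fexample.invalid%2Fayes.txt%3F%3F HTTP/1.1" 302 225 "-" "libwww-perl/5.808"',
    '203.0.113.5 - - [12/Feb/2008:09:00:00 -0800] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def rfi_params(target):
    """Return [(name, value)] for query parameters whose decoded value is a remote URL."""
    # Split on the first '?' ourselves: targets like '//errors.php?...' confuse urlsplit.
    query = target.partition('?')[2]
    # parse_qsl percent-decodes values, so encoded 'http%3A%2F%2F' is caught too.
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]

def scan_log(lines):
    """Return one finding per log line that carries an RFI-style parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line (or contains spaces in the target)
        hits = rfi_params(m.group('target'))
        if hits:
            findings.append({'ip': m.group('ip'), 'time': m.group('time'),
                             'status': int(m.group('status')),
                             'agent': m.group('agent'), 'params': hits})
    return findings

def sources(findings):
    """Count probes per source IP; low repeat counts match the post's observation."""
    return Counter(f['ip'] for f in findings)

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['params']} [{f['agent']}]")
    print(sources(scan_log(SAMPLE_LOG)))
```

Pipe a real access log in with `scan_log(open('access_log'))`; a 302 on every hit, as in the quoted lines, confirms the application's own redirect-to-error check is firing.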