How to process hacking attempts?

11155 · January 9, 2011, 12:32am

I quite frequently see logentries like this:

Processing MenuController#menu (for 81.18.246.182 at 2010-09-29 21:06:22) [GET] Parameters: {"anything"=>["phpMyAdmin", "config", "config.inc.php"], "p"=>"phpinfo()"} Redirected to http://85.214.197.248/authentication/login Filter chain halted as [#<Proc:0xb74c7784@/home/xxx/yyy.de/releases/20100929164559/vendor/rails/actionpack/lib/action_controller/verification.rb:82>] rendered_or_redirected. Completed in 1ms (DB: 0) | 302 Found [http://85.214.197.248/phpMyAdmin/config/config.inc.php?p=phpinfo();]

Obviously these guys try to find some weakness in my server. They very often retry a list of login attempts to get some successful login sending Parameters like this: {"anything"=>["phpMyAdmin"]} {"anything"=>["phpmyadmin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["pma","config","config.inc.php"], "p"=>"phpinfo()"} {"anything"=>["admin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["dbadmin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["mysql","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["php-my-admin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["myadmin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["PHPMYADMIN","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["phpMyAdmin","config","config.inc.php"],"p"=>"phpinfo()"} {"anything"=>["p","m","a","config","config.inc.php"],"p"=>"phpinfo()"}

What's the best way to process these hacking attempts?

Garrett_Lancaster · January 9, 2011, 12:38am

If it’s from a consistent set of IP addresses, you can ban them. Not a full solution obviously, but a good first step.

11155 · January 9, 2011, 12:44am

No, I tested 3 IP addresses: Russia, USA, Netherlands.

rwz · January 9, 2011, 9:21am

it is not wise to simply ban the ips, cause this can be a simple botnet scanning. so, real users are not even aware of what's foing on.

you can try to block this kind of requests on the webserver before it goes to the rails stack like this (nginx)

location ~ \.php$ { deny all; }

11155 · January 9, 2011, 11:35am

I guess, I simply should send a 404.

Since my server needs to be accessable from a quite small region and I'm uninterested in getting it indexed by search engines, it would be possible to reject any request, that comes from outside the region.

How to programmaticaly get the origin of an IP address?

Simon_Macneall · January 9, 2011, 11:43am

I wouldn't bother doing that from Rails. That'd be easier to set up either at the firewall or web server level. Would use a lot less resources.

Simon

11155 · January 9, 2011, 1:41pm

That's also not very wise, since I occasionally use phpmyadmin myself. (In normal mode, it is stopped and a cronjob stops automatically every night for security.)

11155 · January 9, 2011, 11:28pm

Fritz Trapper wrote in post #973449:

That's also not very wise, since I occasionally use phpmyadmin myself. (In normal mode, it is stopped and a cronjob stops it automatically every night for security.)

That's not wise at all. PhpMyAdmin has known security holes, and there are better MySQL admin tools available anyway.

Best,

11155 · January 10, 2011, 1:19am

And what about webmin?

11155 · January 10, 2011, 3:12am

Please quote when replying.

Fritz Trapper wrote in post #973537:

And what about webmin?

What about it?

Best,