GoFuckYourself.com - Adult Webmaster Forum


jmcb420 07-05-2009 10:59 AM

Attempted Hacking? WTF can I do to stop this?
 
I took a few minutes to look at traffic on one of my bigger sites and noticed a huge increase in my 404 traffic on that site. 404s are already double this month what they were last month; that raised a red flag.
So I checked it out. The SEs still list around 20 pages that no longer exist, and that is my normal 404 traffic. Nothing to care about at all.
Then I found these URLs that do not and never have existed:

Required but not found URLs (HTTP code 404):

/krheupfile_flash.asp
/suozftp.rar
/srestmdqq.asp
/arknmirserver.rar
/xmwywebeditor/ewebeditor.asp
/pjhkplus/infosearch.php


What do you guys make of it? Hacking attempt? That's my thought, but what's more is I've never been proactive in stopping anything like this beyond going with a decent host.

Anything I can do to safeguard myself from a low level attempt such as this?

Thanks in advance.

Phoenix 07-05-2009 11:01 AM

hit up your host...maybe they can help

roly 07-05-2009 11:05 AM

Quote:

Originally Posted by jmcb420 (Post 16031715)
I took a few minutes to look at traffic on one of my bigger sites and noticed a huge increase in my 404 traffic on that site. 404s are already double this month what they were last month; that raised a red flag.
So I checked it out. The SEs still list around 20 pages that no longer exist, and that is my normal 404 traffic. Nothing to care about at all.
Then I found these URLs that do not and never have existed:

Required but not found URLs (HTTP code 404):

/krheupfile_flash.asp
/suozftp.rar
/srestmdqq.asp
/arknmirserver.rar
/xmwywebeditor/ewebeditor.asp
/pjhkplus/infosearch.php


What do you guys make of it? Hacking attempt? That's my thought, but what's more is I've never been proactive in stopping anything like this beyond going with a decent host.

Anything I can do to safeguard myself from a low level attempt such as this?

Thanks in advance.

Don't recognise any of those, but I get lots of similar requests for nonexistent URLs on my servers, and I think they are looking to see if you have certain scripts installed that they know have vulnerabilities that they can hack. It's nothing to worry about, unless someone knows different?

jmcb420 07-05-2009 11:09 AM

Quote:

Originally Posted by Phoenix (Post 16031720)
hit up your host...maybe they can help

I already went there, they of course told me (without going into much detail) that "on their end they have every measure in place to protect my sites in the event of an attack."

I would say that if a client were asking me that question and my biz was hosting their network.

Shit sometimes happens, you know? I'm a bit worried

HouseHead 07-05-2009 11:10 AM

Yea contact your host man..

Merrioc 07-05-2009 11:32 AM

It looks like simple exploit scanning. There isn't too much preventative that could be done.

Unless you're seeing actual load problems from this I wouldn't waste energy on it. If you're really paranoid you could write some form of script to determine the number of 404 requests sent by a script kiddie, determine a threshold and drop them at the firewall level.
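
As an added example (not code from Merrioc or anyone else in the thread), here is a Python implementation of the per-IP 404 threshold idea, run over constructed access-log lines in common log format. The function name, the threshold of 5, the 10-minute window and the sample IPs are assumptions; the probed paths are the ones listed in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: client IP, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def find_404_scanners(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak 404 count} for clients with >= threshold 404s in any window.

    Assumes each client's lines appear in chronological order, as in a log file.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its 404s still inside the window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # unparseable line or not a 404
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop 404s that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(hits))
    return offenders

def _line(ip, clock, path, status):
    return f'{ip} - - [05/Jul/2009:{clock} -0700] "GET {path} HTTP/1.1" {status} 209'

# Constructed sample log. Paths for 203.0.113.7 are the ones from the first post;
# all IPs are documentation addresses, not real clients.
PROBES = ["/krheupfile_flash.asp", "/suozftp.rar", "/srestmdqq.asp",
          "/arknmirserver.rar", "/xmwywebeditor/ewebeditor.asp",
          "/pjhkplus/infosearch.php"]
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:01:0{i}", p, 404) for i, p in enumerate(PROBES)]
    # a crawler following stale search-engine links: five 404s spread over eight hours
    + [_line("198.51.100.20", f"0{h}:00:00", f"/old-page-{h}.html", 404)
       for h in (1, 3, 5, 7, 9)]
    # an ordinary visitor: one good page, one stale link
    + [_line("192.0.2.44", "10:05:00", "/index.html", 200),
       _line("192.0.2.44", "10:05:30", "/old-page-1.html", 404)]
)

if __name__ == "__main__":
    print(find_404_scanners(SAMPLE_LOG))
```

The result is a list of candidate addresses to hand to whatever does the blocking. The time window is what keeps the slow crawler and the ordinary visitor out of it.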

seeandsee 07-05-2009 11:50 AM

they do it across many sites looking for exploits, don't know how to block that

Klen 07-05-2009 12:03 PM

Yes, looks like either exploit scanning or warez scanning (they are looking for hosts with upload permissions where they can upload files). But more likely exploit scanning.

jmcb420 07-05-2009 12:03 PM

Quote:

Originally Posted by Merrioc (Post 16031790)
It looks like simple exploit scanning. There isn't too much preventative that could be done.

Unless you're seeing actual load problems from this I wouldn't waste energy on it. If you're really paranoid you could write some form of script to determine the number of 404 requests sent by a script kiddie, determine a threshold and drop them at the firewall level.

Everything on the site and in my network loads fine and works like it should.

For peace of mind I should learn more about this from his point of view, learn a few tricks and try to hack my own stuff then learn what I can do to prevent others from being successful in the event that I should.

At the same time, I should install a 3 strikes you're out script. Although, that's gonna take me learning new stuff too. Damnit.


For the most part it looks like I don't have to worry. Thanks for the input everyone, much appreciated.

Carmine Raguso 07-05-2009 03:21 PM

1.) Create the nonexistent pages they are scanning for on your server

2.) Become an affiliate for one of the bullshit scam antivirus companies

3.) Have pages autoinstall trojans

4.) ???????

5.) Profit.

fris 07-05-2009 03:59 PM

have your isp add the ip ranges to their firewall rules

psili 07-05-2009 04:12 PM

Don't know if it exists, but maybe for an added peace of mind:
- Take a recursive directory snapshot of known files you want / power your stuff.
- Every once in a while, take new snapshots and compare to the baseline.
- If there's a "new" file that looks amiss, research it.

Don't know if there's an automated solution that does that, and if so, unless it scans file contents, won't really help if someone's modified a pre-existing file.

Anyway. Just throwing my nonsense out there.

Babaganoosh 07-05-2009 04:16 PM

Just ignore it. Almost all of my sites get scanned for that crap. If you're using 3rd party scripts that you aren't sure about, .htaccess them to keep out the riff-raff.

CYF 07-05-2009 04:20 PM

Quote:

Originally Posted by psili (Post 16032363)
Don't know if it exists, but maybe for an added peace of mind:
- Take a recursive directory snapshot of known files you want / power your stuff.
- Every once in a while, take new snapshots and compare to the baseline.
- If there's a "new" file that looks amiss, research it.

Don't know if there's an automated solution that does that, and if so, unless it scans file contents, won't really help if someone's modified a pre-existing file.

Anyway. Just throwing my nonsense out there.

If you're running unix I believe you're thinking of Tripwire.

Killswitch - BANNED FOR LIFE 07-05-2009 04:25 PM

Not hard, all you have to do is create a link on a search engine crawled page with some random page that doesn't exist on your server, it will come back 404 by the search engines.

Net Money 07-05-2009 04:25 PM

Quote:

Originally Posted by jmcb420 (Post 16031749)
I already went there, they of course told me (without going into much detail) that "on their end they have every measure in place to protect my sites in the event of an attack."

I would say that if a client were asking me that question and my biz was hosting their network.

Shit sometimes happens, you know? I'm a bit worried


You're at the wrong host dude. Any good host would trace it down and block them for you.

~Ray 07-05-2009 04:35 PM

Have a script written to place on pages named after the exploits on your server, chmod your htaccess to allow your server to modify the htaccess file. Each time someone requests one of those pages, the script will record their IP, and ban it by adding it to the htaccess file.

d-null 07-05-2009 10:25 PM

Quote:

Originally Posted by Carmine Raguso (Post 16032284)
1.) Create the nonexistent pages they are scanning for on your server

2.) Become an affiliate for one of the bullshit scam antivirus companies

3.) Have pages autoinstall trojans

4.) ???????

5.) Profit.

:1orglaugh:1orglaugh:1orglaugh

V_RocKs 07-05-2009 11:07 PM

Worrying about this is like worrying about the sky falling...

What they are doing is akin to fishing. If you are a fish and you don't want to get eaten, don't eat worms...

Other than that... Nothing to worry about.

niche25 07-05-2009 11:30 PM

Google Webmaster tools is your friend. Remove pages in GWT, notify host, get a firewall & check shit regularly.

It is extremely rare I get hacked now and when I do it's a quick turnaround. A couple years ago I was getting hit regularly. Karma for me I guess LOL.

roly 07-06-2009 01:21 AM

Quote:

Originally Posted by Net Money (Post 16032389)
You're at the wrong host dude. Any good host would trace it down and block them for you.

Why would they bother? It would be a never ending battle, this goes on all day, every day. As long as you haven't got outdated scripts and stuff with known exploits you're safe (from the people who are scanning for this).

Iron Fist 07-06-2009 02:03 AM

Quote:

Originally Posted by Carmine Raguso (Post 16032284)
1.) Create the nonexistent pages they are scanning for on your server

2.) Become an affiliate for one of the bullshit scam antivirus companies

3.) Have pages autoinstall trojans

4.) ???????

5.) Profit.

Can you knock that down to 3 steps please? kthxbye.

HerPimp 07-06-2009 02:07 AM

Quote:

Originally Posted by fris (Post 16032344)
have your isp add the ip ranges to their firewall rules

I agree

milambur 07-06-2009 02:26 AM

IP banning is never a good solution, they use botnets that have millions of infected computers, you risk blocking out a lot of potential customers in the long run.
To be safer, use custom scripts that are coded to handle malicious input. If you have to use a script that is commonly available, make sure you always have the latest updates.

spook 07-06-2009 02:40 AM

Looks like it's just skiddies scanning for holes. Adding their IPs manually will be a pain in the arse if they are using proxies (which they most times do). Best thing to do is just make sure all your scripts and your box are up to date. Also you could install mod_security if you haven't already (but if you install it, get someone who knows what they are doing to tune it for you).


All times are GMT -7.