Paul Konstanski
asked on
External Query Attack
A couple of times over the past few weeks, my server has been hammered by a series of "scanning" type URL entries.
They all come from the same IP address: 188.165.251.129
Which is in France and shows up as being blacklisted on at least four blacklists.
What this attack does is use my URL and a valid PHP file name.
https://mydomain.com/help.php
Then it adds on an "a=..." query which I assume is an attempt at looking for vulnerabilities.
So for example:
https://mydomain.com/help.php?a=noscr+and+1=1&i=newLog
It then cycles through nearly 100 of these variations. *See below for a list of other attempted options.
I have two questions:
1) What is the best way to handle this type of "scanning"?
2) What does the following list of queries tell you they are trying to do?
Thanks.
*Here is a sample of attempted queries:
a=noscr+and+1=1&i=newLog
a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM
a=demo+%2527-6863+union+all+select+1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523
a=demo+-6863+union+all+select+1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1%2523
ASKER CERTIFIED SOLUTION
The best thing to do is block the IP address, but it is still possible that you could get attacked from a different IP. If that is not an option, I would suggest you contact the admin of the IP range (from whois database) asking them to check the situation. It is quite possible that they have been attacked and their systems are used without their knowledge.
It belongs to OVH ISP and Hosting, located in France.
I would contact them with this information at abuse-mailbox: abuse@ovh.net
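As an added example (not code from the question or from any of the answers), the script below takes log lines carrying the queries quoted in the question, undoes the double URL-encoding, names the injection technique each one uses, reads the CONCAT() hex markers as text, and counts flagged requests per source address so that a block decision rests on evidence rather than on a single hit. The log lines are constructed around the question's payloads; the Apache combined-log layout, the timestamps, the benign address 203.0.113.7 and the BLOCK_THRESHOLD value are assumptions. It goes slightly beyond the page in that every query parameter is checked, not only a=.

```python
"""Detect and decode SQL-injection probes in web-server access-log lines.

Added example, not code from the question or any answer. The log lines are
constructed: their query strings are the ones quoted in the question; the
timestamps, the Apache combined-log layout, the benign address 203.0.113.7
and BLOCK_THRESHOLD are assumptions made for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SCANNER = "188.165.251.129"  # the address reported in the question
BLOCK_THRESHOLD = 5          # assumed: flagged requests per IP before blocking

SAMPLE_LOG = [  # constructed sample, Apache combined-log style assumed
    f'{SCANNER} - - [01/Jan/2014:10:00:01 +0000] "GET /help.php?a=noscr+and+1=1&i=newLog HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:02 +0000] "GET /help.php?a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523 HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:03 +0000] "GET /help.php?a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523 HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:04 +0000] "GET /help.php?a=tour+%2527-6863+union+all+select+1,1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523 HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:05 +0000] "GET /help.php?a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:06 +0000] "GET /help.php?a=demo+%2527-6863+union+all+select+1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523 HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:07 +0000] "GET /help.php?a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523 HTTP/1.1" 200 512',
    f'{SCANNER} - - [01/Jan/2014:10:00:08 +0000] "GET /help.php?a=demo+-6863+union+all+select+1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1%2523 HTTP/1.1" 200 512',
    # Ordinary visitors: must not be flagged, even when a value contains "and".
    '203.0.113.7 - - [01/Jan/2014:10:01:00 +0000] "GET /help.php?a=tour HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2014:10:01:05 +0000] "GET /help.php?a=terms+and+conditions&i=newLog HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Signatures for the techniques visible in the question's payloads.
SQLI_SIGNATURES = {
    # "-6863 union all select 1,1,CONCAT(...),1": finding the column count of a
    # UNION-able query and which column is echoed into the page.
    "union-based": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    # "and 1=1": a tautology; a changed response means the input reaches SQL.
    "boolean-blind": re.compile(r"\b(and|or)\s+\(?\s*\d+\s*=\s*\d+", re.I),
    # COUNT(*) ... GROUP BY floor(rand(0)*2) over INFORMATION_SCHEMA provokes a
    # MySQL duplicate-key error whose message carries the CONCAT() value.
    "error-based": re.compile(r"information_schema\.", re.I),
    # CONCAT(0x3a6f79753a, ..., 0x3a70687a3a): marker strings the scanner looks
    # for in the response to confirm that its injected value was echoed.
    "hex-marker": re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding: the probes send %2527 so that a single
    decode still looks harmless (%27) and only a second one yields the quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def decode_hex_markers(sql):
    """Render 0x... literals as text so the scanner's markers can be read."""
    markers = []
    for hexdigits in HEX_LITERAL.findall(sql):
        try:
            text = bytes.fromhex(hexdigits).decode("ascii")
        except ValueError:  # odd length or non-ASCII bytes: not a text marker
            continue
        if text.isprintable():
            markers.append(text)
    return markers

def classify(query):
    """One finding per query parameter whose fully decoded value matches."""
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        kinds = [k for k, rx in SQLI_SIGNATURES.items() if rx.search(value)]
        if kinds:
            findings.append({"param": name, "kinds": kinds, "decoded": value,
                             "markers": decode_hex_markers(value)})
    return findings

def scan_log(lines, threshold=BLOCK_THRESHOLD):
    """Flag probing requests, count them per source IP and return the IPs that
    reached the threshold as candidates for a firewall block."""
    per_ip, hits = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = classify(urlsplit(m.group("target")).query)
        if findings:
            per_ip[m.group("ip")] += 1
            hits.append((m.group("ip"), m.group("target"), findings))
    to_block = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return hits, per_ip, to_block

if __name__ == "__main__":
    hits, per_ip, to_block = scan_log(SAMPLE_LOG)
    for ip, target, findings in hits:
        for f in findings:
            print(f"{ip} {f['param']}={f['decoded'][:60]!r} -> {f['kinds']} markers={f['markers']}")
    print("flagged requests per IP:", dict(per_ip))
    print("block candidates:", to_block)
```

Run as a script it prints each decoded payload with the technique it matches and the block candidates. Decoding the three hex literals gives ":oyu:", "BDvHwiuipk" and ":phz:"; the same three appear in every variation because the scanner only needs to find that delimited string in the response to know the injection landed, which is also why a signature on CONCAT(0x...) catches the whole family. Counting per source address rather than blocking on the first hit addresses the asker's worry about blocking a legitimate visitor: an ordinary user does not send five SQL fragments in a row.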
ASKER
I can block by IP address, but the question I always wrestle with is: can I potentially block a legitimate IP? Or are the odds of this IP being legit so low that I should just block anyway?
The fact that I'm catching all of these attempts indicates to me that my block is working, but I always wonder if I'm missing something. Is there any way to check if you've been hacked?