External Query Attack

Question asked by Paul Konstanski:

A couple of times over the past few weeks, my server has been hammered by a series of "scanning" type URL entries.

They all come from the same IP address: 188.165.251.129, which is in France and shows up as blacklisted on at least four blacklists.

What this attack does is use my URL and a valid PHP file name.

https://mydomain.com/help.php

Then it adds on an "a=..." query, which I assume is an attempt at looking for vulnerabilities.

So for example:
https://mydomain.com/help.php?a=noscr+and+1=1&i=newLog

It then cycles through nearly 100 of these variations. *See below for a list of other attempted options.

I have two questions:

1) What is the best way to handle this type of "scanning"?
2) What does the following list of queries tell you they are trying to do?

Thanks.

*Here is a sample of attempted queries:

a=noscr+and+1=1&i=newLog
a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM
a=demo+%2527-6863+union+all+select+1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523
a=demo+-6863+union+all+select+1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1%2523
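The query strings above are double URL-encoded (%2527 becomes %27 and then a single quote; %2523 becomes # , the MySQL comment terminator), and once decoded they match the default payloads of automated SQL-injection scanners such as sqlmap: "and 1=1" is a boolean test, the "-6863 union all select 1,1,...,CONCAT(0x..,0x..,0x..),1" family walks the column count looking for a UNION that succeeds, and the "SELECT COUNT(*),CONCAT(...,floor(rand(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x" payload forces a MySQL duplicate-key error whose message carries the extracted value. The 0x literals are ASCII markers (0x3a6f79753a is ":oyu:", 0x3a70687a3a is ":phz:") that let the tool find its injected output in the response. The Python script below is an added example, not code from the question or any of its answers: it decodes query parameters from access-log lines the way the target parser would (bounded repeated decoding, so double encoding does not hide the payload), labels the technique, renders the hex markers readable, and counts flagged requests per client so that a single stray hit does not block a shared address. The log lines are constructed to mirror the queries quoted above; the second client 203.0.113.7, the timestamps, status codes and user agent are made up.

```python
"""Decode and classify SQL-injection probes from web-server access-log lines.

Added example (not code from the original post or its answers). The log lines
below are constructed to mirror the query strings quoted in the question; the
second client address, timestamps, status codes and user agent are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines modelled on the question's queries.
# The double-encoded sequences (%2527 -> %27 -> ') are kept as they appeared.
SAMPLE_LOG = """\
188.165.251.129 - - [10/Mar/2014:03:12:01 +0000] "GET /help.php?a=noscr+and+1=1&i=newLog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
188.165.251.129 - - [10/Mar/2014:03:12:02 +0000] "GET /help.php?a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
188.165.251.129 - - [10/Mar/2014:03:12:03 +0000] "GET /help.php?a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:03:15:44 +0000] "GET /help.php?a=tour HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# MySQL 0x... string literal; the lookbehind keeps "100x22"-style numbers out.
HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z])0x([0-9a-fA-F]{2,})")

# Probe techniques and the decoded-SQL pattern that identifies each one.
SIGNATURES = [
    ("error-based (floor(rand(0)*2) GROUP BY duplicate-key trick)",
     re.compile(r"floor\(rand\(0\)\*2\)", re.I)),
    ("union-based column-count probe",
     re.compile(r"\bunion\s+all\s+select\b", re.I)),
    ("boolean-based tautology",
     re.compile(r"\b(?:and|or)\s+1\s*=\s*1\b", re.I)),
    ("schema discovery via information_schema",
     re.compile(r"\binformation_schema\b", re.I)),
]


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly, but boundedly, so double-encoded payloads
    (%2527 -> %27 -> ') are seen the way the target's SQL parser would."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_hex_literals(sql):
    """Render 0x... literals as quoted ASCII so the scanner's response markers
    become readable; odd-length or non-printable literals are left untouched."""
    def repl(match):
        try:
            text = bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)
        return "'%s'" % text if text.isprintable() else match.group(0)
    return HEX_LITERAL.sub(repl, sql)


def classify(decoded_value):
    """Return the names of every technique whose signature matches."""
    return [name for name, rx in SIGNATURES if rx.search(decoded_value)]


def analyze_log(text):
    """Parse access-log lines; return one finding per flagged query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        query = m.group("target").split("?", 1)[1]
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")   # split on the first '=' only
            decoded = fully_decode(raw)
            techniques = classify(decoded)
            if techniques:
                findings.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "decoded": decode_hex_literals(decoded),
                    "techniques": techniques,
                })
    return findings


def ips_to_block(findings, threshold=3):
    """Clients with at least `threshold` flagged requests. One hit alone is not
    worth the risk of blocking a shared NAT or proxy address."""
    hits = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["param"], f["techniques"])
        print("    ", f["decoded"])
    print("block:", ips_to_block(results))
```

Run against the sample, the three requests from 188.165.251.129 come out as boolean-based, union-based and error-based probes, the CONCAT markers read as ':oyu:','BDvHwiuipk',':phz:', and only that address reaches the block threshold; the plain "a=tour" request from the other client is not flagged. The bounded decode loop matters: a filter that decodes once would see "%27" instead of a quote and miss the payload entirely.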

ASKER CERTIFIED SOLUTION (Guy Lidbetter; members only)

Paul Konstanski (ASKER):
It is a Virtual Private Server running Linux (standard LAMP configuration).

I can block by IP address, but the question I always wrestle with is: can I potentially block a legitimate IP? Or are the odds of this IP being legitimate so low that I should just block it anyway?

The fact that I'm catching all of these attempts indicates to me that my block is working, but I always wonder if I'm missing something. Is there any way to check if you've been hacked?
paarun:
The best thing to do is block the IP address, but it is still possible that you could get attacked from a different IP. If that is not an option, I would suggest you contact the admin of the IP range (from whois database) asking them to check the situation. It is quite possible that they have been attacked and their systems are used without their knowledge.
It belongs to OVH ISP and Hosting, located in France.

I would contact them with this information at the abuse mailbox: abuse@ovh.net
SOLUTION (madunix; members only)