Trick to use against idiots who try to hack your site

TL;DR version: some examples of how some life-waster hacker wannabes try to gain unauthorised access to sites and blogs, and how you can simply and effectively block them.

Obviously, some people have too much time on their hands and don't appreciate life enough to do something useful with it, so they spend hours and days trying to hack into other people's servers, websites and web apps. How do I know this? Well, this year alone I've found and filtered out over 300 IP addresses, user agents, behavioural patterns and 404s (not-found messages) in the logs of THIS SITE ALONE (I manage several sites and blogs, both for myself and for coworkers and some companies, all on different servers), all of which indicate that some idiots spend hours a day trying to hack into WordPress, Joomla and other CMS (content management system) based sites.

Some of the IP addresses clearly indicate that they have some serious resources at their disposal, like attacks coming from datashack.net, a company or hosting service with several thousand IP addresses, or ovh.net, again with several hundred IPs at their disposal. Some of the log entries (see the examples below) clearly indicate that they either have no clue how a web server actually operates, or they base their attacks on outdated information from 10 years ago, when hacking into a server was possible simply by knowing what components the CMS had and looking for ones that could be exploited via SQL injection or command execution.

Obviously, almost all major CMS engines are constantly being improved and security flaws are consistently patched by all the well-known platforms; however, it looks like some of these life-wasters and hacker wannabes haven't found out about that and try EVERY DAY the same tactics, the same M.O. (modus operandi), on THE SAME SITE, in some cases from the same IP address. Now if that is not a good example of insanity, I don't know what is 🙂

Here are some of the stupid and mindless ways in which some of these life-wasters have tried to hack into some of my servers/sites:

Datashack.net / wholesaleinternet.com, the biggest idiots of all

Hackers NOT welcome. Learn how to simply and effectively block IP addresses from ever accessing your site again

They constantly look for mc editor plugins or other JavaScript-based WYSIWYG (what you see is what you get) rich-text editors that could be exploited, probably to gain control over a site or at least over some of its parts, in order to upload some meaningless political message or racial or other idiotic propaganda. I've seen enough hacked sites during my three decades in IT to know that for some hacking attempts this is the goal. Here are some examples of what they've tried:

[Fri Jun 12 16:19:55 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/config
[Fri Jun 12 16:19:55 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/images
[Fri Jun 12 16:19:55 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/typo
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/FileZillaPortable
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/BACKUP
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/biblioteca
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/allister
[Fri Jun 12 16:19:53 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/tts
[Fri Jun 12 16:19:53 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/Link
[Fri Jun 12 16:19:53 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/Worship
[Fri Jun 12 16:19:52 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/kaiseki
[Fri Jun 12 16:19:52 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/FileZilla.xml
[Fri Jun 12 16:19:52 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/PortableFileZilla
[Fri Jun 12 16:19:52 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/nma2013
[Fri Jun 12 16:19:51 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/cmw
[Fri Jun 12 16:19:51 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/MYIMPDATA
[Fri Jun 12 16:19:51 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/filezilla-recupero-password
[Fri Jun 12 16:19:51 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/tgda
[Fri Jun 12 16:19:50 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/arriba
[Fri Jun 12 16:19:50 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/FileZilla
[Fri Jun 12 16:19:50 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/ViK_baza
[Fri Jun 12 16:19:49 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/eagle
[Fri Jun 12 16:19:49 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/~visionpl
[Fri Jun 12 16:19:49 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/lightbox
[Fri Jun 12 16:19:49 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/documents
[Fri Jun 12 16:19:48 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/web_97
[Fri Jun 12 16:19:48 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/k
[Fri Jun 12 16:19:48 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/download
[Fri Jun 12 16:19:48 2015] [error] [client 198.204.230.130] File does not exist: /home/serverusername/public_html/anothersite/dropbox

This is just one TINY example; they've tried OVER 3000 different strings and paths before I discovered them in the logs and blocked them.

Here's another example of blatant stupidity, from a Russian ptn.ru IP block.

[Tue Jan 20 21:07:15 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/administrator
[Tue Jan 20 21:07:12 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/wp-login
[Tue Jan 20 21:07:10 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/wp-login.php
[Tue Jan 20 21:07:08 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/wp
[Tue Jan 20 21:07:06 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/blog
[Tue Jan 20 21:07:05 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/site
[Tue Jan 20 21:07:02 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/admin
[Tue Jan 20 21:06:59 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/section
[Tue Jan 20 21:06:57 2015] [error] [client 5.142.96.115] File does not exist: /home/serverusername/public_html/wordpress

The cool thing is that the site they tried to hack into this way IS NOT EVEN A WORDPRESS SITE!

And then some other mindless creatures have tried this:

[Thu Jun 18 18:09:16 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/?page=shop
[Thu Jun 18 18:09:16 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/?page=shop
[Thu Jun 18 18:08:56 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/?page=shop
[Thu Jun 18 18:08:54 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/?page=shop
[Thu Jun 18 18:08:54 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/images/stories
[Thu Jun 18 18:08:54 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/images/stories
[Thu Jun 18 18:08:34 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/images/stories
[Thu Jun 18 18:08:31 2015] [error] [client 178.32.3.81] File does not exist: /home/serverusername/public_html/oneofthesites/images/stories

which, judging from the query string they've submitted (?page=shop), clearly indicates they thought it was some PHP/MySQL-based CMS, while the site was a simple, barebones, made-in-Notepad kind of pure HTML site 🙂

Now if they still think they are smart and strive to be hackers, methinks they've got some serious learning to do.

Needless to say, all of the IP addresses have been checked and all these activities have been reported to the ISP or to the maintainer directly above them (the IP block / company / AS), but in some cases, like datashack.net, wholesaleinternet.com/net and the Russian ptn.ru, this has absolutely no effect whatsoever, since it's obvious from the large number of distinct IP addresses that the head of the company must know about the abuse / hacking attempts (datashack alone has some 24 thousand IP addresses, which I've found on the net simply by searching for datashack.net attacks). Reporting the abusers is one thing, but if you care about your sites / servers, you will also take precautions so that next time, the IP addresses, once caught or discovered, will NEVER HAVE ACCESS to the same site again.

The simplest and most straightforward way is to use .htaccess and some simple rewrite rules to tell your server that certain IP addresses are FORBIDDEN any resource on the site / server, and if you also have access to a Linux box (I sincerely hope you do; who in their right mind still uses windoze anyway?!), a handy little script that quickly creates the entries for that .htaccess, to block the attackers' IPs, also comes in handy.

So, here's what you need to enter into your .htaccess to make sure that an IP address will not have access to anything on your site (it's like REJECT in firewall rules).

Make sure you have mod_rewrite available for your .htaccess. Most servers nowadays do. Check if you have these two entries in your .htaccess:

RewriteBase /

RewriteEngine On

If you don't have these entries, create them. Once they are there, create the rules that tell your server that certain IP addresses are forbidden:

RewriteCond %{REMOTE_ADDR} ^194.60.72.12$

RewriteRule ^.*$ - [F]

This works if you only want to block one single IP address.

If you have several IP addresses that you want to reject (and if you care for your server, you will), you have to use the OR operator to tell the server to check the entire list of forbidden IPs and reject them. So you'll use something like this:

RewriteCond %{REMOTE_ADDR} ^194.190.14.246$ [OR]
RewriteCond %{REMOTE_ADDR} ^198.245.53.202$ [OR]
RewriteCond %{REMOTE_ADDR} ^46.118.155.216$ [OR]
RewriteCond %{REMOTE_ADDR} ^142.54.184.178$

RewriteRule ^.*$ - [F]

Please notice that in this case ALL the entries end with the [OR] flag EXCEPT the last one, which makes sense, since there's no other IP to check after it.

Now, to make things simple, let's say you discover in your logs today that, using MOs similar to the ones presented in this article, some IP addresses have tried to gain unauthorised access to your site, or tried to exploit xmlrpc.php on your WordPress installation, or have done whatever other malicious activity on your site. (Simply put, they've tried to hack you 🙂.)

Create a simple bash script that accepts an IP address as a parameter passed to it as a string (don't worry if you don't understand right away, you'll see in a moment what it means) and returns an entry that can be inserted, by simple copy/paste, into your .htaccess file to block that IP.

Creating a bash script is very, very easy. You can use any text editor you'd like; I recommend using nano, directly in the terminal window.

Create a file named htd, or htaccessdeny, or whatever easy-to-remember name you'd like to give it. Type this into the terminal and press Enter:

nano htd

And when nano brings up the empty file, type this (you can even copy/paste from right here):

#!/bin/bash
echo "RewriteCond %{REMOTE_ADDR} ^$1\$ [OR]"

and press CTRL+X, then choose to save the file. If you have experience with bash and/or you're an experienced Linux user, you've already figured out what this does, but for those who don't understand that command line, it simply means: output the text RewriteCond %{REMOTE_ADDR} ^, then THE IP ADDRESS given after the script's name when it is invoked ($1 is the first argument), and then the text $ [OR] (the backslash keeps the $ literal, so that bash does not treat it as the start of a variable).

So when executing the script, like this:

htd 142.54.184.178

and pressing enter, it will give you the line:

RewriteCond %{REMOTE_ADDR} ^142.54.184.178$ [OR]

in return. Keep in mind that in order to execute the script, it has to be made executable (chmod-ed), so you have to type

chmod +x htd

in the terminal to do that. Also, this script runs without root privileges (it doesn't do anything that would require root), so it can stay in your own directory, where you are the only user on the machine/PC that has access to it, but that directory then has to be included in your PATH. If it isn't, you have to put a dot and a forward slash in front of the command, like this:

./htd 142.54.184.178

Or you can sudo or su to become root and then symbolically LINK the script into a system-wide accessible scripts directory, like this:

sudo ln -sf "$PWD/htd" /usr/local/bin/htd   # link to the absolute path: a relative "./htd" target would make the link point at itself

From that point forward, you can issue htd followed by some IP address to get the line you need to insert into your .htaccess to block the bad player / hacker-wannabe life-waster from ever accessing anything on your site again.
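The log excerpts above and the one-IP script can be tied together: the added script below (not part of the original post) picks the client IPs that produced the most "File does not exist" entries in an Apache error log and prints the complete .htaccess block, handling the [OR]-on-all-but-the-last rule and the "-" substitution the RewriteRule needs. The log sample is constructed in the same format as the entries above; the threshold of 3 misses per IP is an arbitrary assumption.

```shell
#!/bin/sh
# Constructed sample in the same Apache error-log format as the entries above
# (not real traffic): one noisy scanner, one smaller one, one harmless miss.
SAMPLE_LOG='[Fri Jun 12 16:19:55 2015] [error] [client 198.204.230.130] File does not exist: /home/u/public_html/site/config
[Fri Jun 12 16:19:55 2015] [error] [client 198.204.230.130] File does not exist: /home/u/public_html/site/FileZilla.xml
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/u/public_html/site/BACKUP
[Fri Jun 12 16:19:54 2015] [error] [client 198.204.230.130] File does not exist: /home/u/public_html/site/dropbox
[Tue Jan 20 21:07:10 2015] [error] [client 5.142.96.115] File does not exist: /home/u/public_html/wp-login.php
[Tue Jan 20 21:07:08 2015] [error] [client 5.142.96.115] File does not exist: /home/u/public_html/administrator
[Tue Jan 20 21:06:57 2015] [error] [client 5.142.96.115] File does not exist: /home/u/public_html/wordpress
[Tue Jan 20 21:06:50 2015] [error] [client 203.0.113.7] File does not exist: /home/u/public_html/favicon.ico'

# Print the client IPs that produced at least $2 "File does not exist"
# entries in log file $1, busiest first. The client field is matched up to
# "]" or ":", so both the 2.2 form ([client IP]) and 2.4 form ([client IP:port]) work.
suspicious_ips() {
    grep 'File does not exist' "$1" \
      | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$2" '$1 >= min { print $2 }'
}

# Turn IPs on stdin into the .htaccess block: dots are escaped so "." matches
# only a literal dot, every RewriteCond but the last carries [OR], and the
# RewriteRule uses "-" as its substitution (no rewrite, just the F flag).
htaccess_block() {
    sed 's/\./\\./g' | awk '
    { ips[NR] = $0 }
    END {
        if (NR == 0) exit
        for (i = 1; i <= NR; i++)
            printf "RewriteCond %%{REMOTE_ADDR} ^%s$%s\n", ips[i], (i < NR ? " [OR]" : "")
        print "RewriteRule ^.*$ - [F]"
    }'
}

# Log file $1, threshold $2 (default 3) -> paste-ready .htaccess block.
block_for_log() {
    suspicious_ips "$1" "${2:-3}" | htaccess_block
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
block_for_log "$tmp" 3
rm -f "$tmp"
```

The generated lines escape the dots, unlike the hand-written ones above: in a regular expression an unescaped dot matches any character, so ^194.60.72.12$ would also match 194x60x72x12, which is harmless for an IP check but sloppy.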
