  1. #1

    I guess I am getting hacking attempts on my site

    Hi,

    I checked my website's traffic log today and noticed lots of suspicious URLs in 404 error report as follows:

    Code:
    //phpMyAdmin/index.php
    //php-my-admin/index.php
    //phpMyAdmin-2.5.5-pl1/index.php
    //admin/pma/index.php
    //mysqladmin/index.php
    //phpMyAdmin-2.5.5-rc2/index.php
    ...
    My questions are:

    1. Should I worry about this?
    2. What precautions can I take?
    3. How can I prevent such users from accessing my site?

    Thanks for any advice.

  2. #2
    ideamine
    Hi,

    Did you find something like the below entry in those files?

    ${eval(base64_decode($_SERVER[HTTP_REFERER]))}

    eval base functions can be used to get information from databases

  3. #3
    Quote: Originally posted by ideamine
    > Hi,
    >
    > Did you find something like the below entry in those files?
    >
    > ${eval(base64_decode($_SERVER[HTTP_REFERER]))}
    >
    > eval base functions can be used to get information from databases

    Sorry but which file are you talking about? The log file?

  4. #4
    ideamine
    Check for the eval(base64_decode in all your php files. It is an automated hack which affects all the php files.

  5. #5
    That looks like one of the many zombie bots that regularly try to find vulnerabilities in a website. Probably nothing to worry about, probably nothing you can easily do to stop such requests unless you are able to identify and block the IP (unlikely).
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same - Anon

  6. #6
    Quote: Originally posted by ideamine
    > Check for the eval(base64_decode in all your php files. It is an automated hack which affects all the php files.

    Thanks, I don't have that function in any of my files or content.

    Quote: Originally posted by Doug G
    > That looks like one of the many zombie bots that regularly try to find vulnerabilities in a website. Probably nothing to worry about, probably nothing you can easily do to stop such requests unless you are able to identify and block the IP (unlikely).

    Thanks for your input. Now I know it can't be prevented totally. I would like to add a security step something like "if X number of failed attempts, block that IP for Y minutes etc." but I have no idea how to do that.

  7. #7
    > Thanks for your input. Now I know it can't be prevented totally. I would like to add a security step something like "if X number of failed attempts, block that IP for Y minutes etc." but I have no idea how to do that.

    If you're on *nix something like fail2ban might help.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same - Anon

  8. #8
    Check the log files of your server as well as your scripts. You might be vulnerable to XSS attacks.

  9. #9
    TechnoBear
    Quote: Originally posted by Nail Yener
    > Thanks for your input. Now I know it can't be prevented totally. I would like to add a security step something like "if X number of failed attempts, block that IP for Y minutes etc." but I have no idea how to do that.

    You could try Crawl Protect. It will block known "bad bots" and code injection attempts, and also gives you the option to ban those IPs from your site. (Don't be put off by the rather curious English on the site - the author's native language is French.)
    Don't be arrogant. Be kind to a koala that thinks it's a bear.
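
The "if X number of failed attempts, block that IP for Y minutes" rule asked about in post #6, which is the kind of policy fail2ban applies, written out as an added example (not code from any poster, fail2ban or Crawl Protect). The log lines are constructed, and the `find_bans` name, the thresholds and the probe pattern built from the paths in post #1 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: client IP, [timestamp], "METHOD path ...", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Path fragments taken from the 404 report in post #1.
PROBE = re.compile(r"phpmyadmin|php-my-admin|mysqladmin|/pma/", re.I)

def find_bans(lines, max_retry=3, find_time=timedelta(minutes=10),
              ban_time=timedelta(minutes=30)):
    """Return (ip, ban_start, ban_end) for each IP that sends max_retry
    probe requests answered with 404 inside a find_time window."""
    hits = defaultdict(deque)      # ip -> times of recent probe 404s
    banned_until, bans = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # not an access-log line
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if when < banned_until.get(ip, when):
            continue               # ban still running; a firewall would drop this
        if status != "404" or not PROBE.search(path):
            continue               # ordinary traffic, including honest 404s
        recent = hits[ip]
        recent.append(when)
        while when - recent[0] > find_time:
            recent.popleft()       # forget hits older than the window
        if len(recent) >= max_retry:
            banned_until[ip] = when + ban_time
            bans.append((ip, when, when + ban_time))
            recent.clear()
    return bans

# Constructed sample lines (documentation-range IPs), not from the poster's log.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2012:03:14:01 +0000] "GET //phpMyAdmin/index.php HTTP/1.1" 404 210',
    '198.51.100.20 - - [12/Feb/2012:03:14:01 +0000] "GET /about.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2012:03:14:02 +0000] "GET //php-my-admin/index.php HTTP/1.1" 404 210',
    '198.51.100.20 - - [12/Feb/2012:03:14:02 +0000] "GET /old-page.html HTTP/1.1" 404 210',
    '203.0.113.7 - - [12/Feb/2012:03:14:03 +0000] "GET //admin/pma/index.php HTTP/1.1" 404 210',
    '203.0.113.7 - - [12/Feb/2012:03:14:04 +0000] "GET //mysqladmin/index.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Counting only 404s on probe-style paths keeps a visitor who follows one dead link from being banned along with the scanner.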

