jank
Nuke Soldier
Joined: Apr 30, 2003
Posts: 23
Posted: Tue May 06, 2003 11:24 am
Hi,

After a short 'discussion' on how to react to nuke attacks without blocking whole countries because of a few monkeys, I looked at the phpnuke code to see if there could be another method.

I found out that it is so easy (with only a few lines of code) to send the admin a message instead of showing the 'I don't like you' message. Or both, it doesn't matter. The function is called from those places in the code where normally the message would appear.

The message could contain the used method and the IP address of the attacker. From there it is up to the admin what to do with this information, but more important is that the admin is aware of the attacks. Ok, there are IDSs and log analysers, but I'm sure that many nukers don't use them (or look at them frequently). So an attack could go on and on until they succeed without the knowledge of the admin. Since I've created a 'mailAdmin' function, it's real simple from here to call this function from wherever necessary in the nuke code (or blocks/modules).

Anyhow, what do you cracks think of this? I know that this all depends on the way nuke handles attacks and it's useless for new methods (until the next security fix), but at least it's something to start with, I think.

Another method could be to send a message and add the IP address to a .htaccess (or an iptables rule in Linux, or add the IP address to /etc/hosts.deny), although I think this opens more exploits than stopping them.

So could this be something?

Jan
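A sketch of the kind of 'mailAdmin' notifier described in the post above, added here as an example; it is not code from phpNuke or from anyone in this thread. The function name report_attack, the admin address, the state-file path and the one-hour window are assumptions; the once-per-IP throttle is there so a scanner that trips the check hundreds of times does not flood the inbox.

```php
<?php
// Added example, not phpNuke code: tell the admin about a blocked request,
// recording the detection method and the client IP, but mail at most once
// per IP per window so a scanner cannot flood the admin's inbox.
// Assumed: $admin_email, the state file path and the 3600 s window.

function strip_crlf(string $s): string
{
    // Nothing that reaches a mail header may contain CR/LF (header injection).
    return str_replace(["\r", "\n"], ' ', $s);
}

function report_attack(string $method, string $admin_email,
                       string $state_file = '/tmp/nuke_attacks.json', int $window = 3600): bool
{
    $ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    $now = time();

    // Every detection goes to the web server's error log, throttled or not.
    error_log(sprintf('[nuke] blocked request: method=%s ip=%s uri=%s',
                      strip_crlf($method), $ip, strip_crlf($uri)));

    // Load previous notification times keyed by IP and drop stale entries.
    $state = [];
    if (is_file($state_file)) {
        $state = json_decode((string) file_get_contents($state_file), true) ?: [];
    }
    $state = array_filter($state, function ($t) use ($now, $window) {
        return is_int($t) && ($now - $t) < $window;
    });

    if (isset($state[$ip])) {
        return false; // admin already notified about this IP within the window
    }
    $state[$ip] = $now;
    file_put_contents($state_file, json_encode($state), LOCK_EX);

    $subject = strip_crlf('Blocked request from ' . $ip);
    $body = "Method: " . strip_crlf($method) . "\n"
          . "IP:     " . strip_crlf($ip) . "\n"
          . "URI:    " . strip_crlf($uri) . "\n"
          . "Time:   " . date('c', $now) . "\n"
          . "Agent:  " . strip_crlf($_SERVER['HTTP_USER_AGENT'] ?? '') . "\n";
    return mail($admin_email, $subject, $body);
}

// Called from the spot where the 'I don't like you' page would be shown, e.g.:
// report_attack('SQL pattern in query string', 'admin@example.com');
```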
sixonetonoffun
Major
Joined: Jan 13, 2003
Posts: 892
Posted: Tue May 06, 2003 12:35 pm
I think writing to a log file or database would be better than filling up the inbox with messages.

Blocking the given addy is a great idea and, as you point out, there are many ways to accomplish that. The NSS files in the downloads section are a pretty good example of how to do this automatically, say when access to admin.php is attempted. I've used that part of it to log snoops. I disabled (didn't include) the actual banning; it just bans them from accessing admin.php a second time now, not the whole site. And I limited access to admin.php to my ISP's IP block, ruling out the rest of the internet. Better yet if you're the only admin and have a static IP.

Not rock solid protection, but another thing people can try without having to have access to the firewall or other system files.

Currently there are only 3 IPs in my log of people who accessed admin.php, but no doubt they clearly got the message.
_________________
www.netflake.com
www.glowoptics.com
jank
Nuke Soldier
Joined: Apr 30, 2003
Posts: 23
Posted: Tue May 06, 2003 12:55 pm
I don't like the idea that 'nuke' starts writing to a file. I think it's better to leave that part to Apache/PHP, IMHO. A better method would be writing to a database. But then again, everybody reads mail but only a few (relatively) have the discipline to check a table. Perhaps a nice option would be to show those attacks in the admin part.

I will certainly check those NSS files to see how this is done. Thanks for the tip!

Jan
rasputin
Sergeant
Joined: May 30, 2003
Posts: 88
Posted: Mon Jun 02, 2003 6:13 pm
Not to be critical, but if you run your site on your own box (i.e. Linux based), most of the distributions come with iptables as default since the 2.4 kernel. Use iptables' built-in functions to create custom block lists; this way you can kill attackers before they even get to your site. I know sometimes it might seem like overkill, but damn! My site was accessible on the net for 4 days and I got scanned by script-kiddies about a hundred times ... good thing most of them came from about 20 IP addies. Another funny thing: those idiots don't even bother to find out what OS you're using! Looking through the logs I found that most of the hack attempts were trying to exploit an old IIS vulnerability .... and that is on my Linux box ))) Who produces those idiots?!
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Mon Jun 02, 2003 6:24 pm
Rasputin,

I've been wanting to do this but haven't had time to look into it closely enough. Let's say I have an IP (200.105.122.98 or whatever) that I want to block from my site entirely. I want to add this rule, but I want to leave intact whatever is there right now. What's the simplest way to do that?
_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting | My Scripts & Stuff
beebar
Private
Joined: Apr 07, 2003
Posts: 45
Posted: Tue Jun 03, 2003 10:13 am
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Jun 03, 2003 10:31 am
rasputin
Sergeant
Joined: May 30, 2003
Posts: 88
Posted: Thu Jun 05, 2003 7:33 pm