Attempts to hack it appears

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
OK, so I have been looking at my log and I have been seeing a large number of requests for pages that simply do not exist,
such as this:
The controller for path '/includes/setup.php' was not found or does not implement IController.

Obviously this is not done in PHP and I have no directory called includes, so that page was not found, but I am getting large amounts of these requests one after another. This is a brand new domain name I am running and the site has only been up for just over a week now.

The IP addresses have been shown to come from Russia and the Czech Republic.

Any idea of the best way to combat these sorts of large feeler attacks?
12 years ago
scripter wrote:
OK, so I have been looking at my log and I have been seeing a large number of requests for pages that simply do not exist,
such as this:
The controller for path '/includes/setup.php' was not found or does not implement IController.

Obviously this is not done in PHP and I have no directory called includes, so that page was not found, but I am getting large amounts of these requests one after another. This is a brand new domain name I am running and the site has only been up for just over a week now.

The IP addresses have been shown to come from Russia and the Czech Republic.

Any idea of the best way to combat these sorts of large feeler attacks?


1. You could set up IP restrictions.
2. Make sure that you turn on custom errors and give generic information about your application (e.g. do not publish stack traces or exception types).
12 years ago
The generic error page I am already using, but as for the IP restrictions part, that could become highly irritating, to have to keep going in and adding a new IP address to the block list.


Now this is just a quick thought that I would think has been done before, but I am not sure how to get started with implementing it. What I am thinking is using an HTTPHandler to pick up on any requests to pages that don't exist. If a large number of those requests come through from the same IP address, then add that to a block IP list automatically.


Have you heard of any implementation of something like this before?
12 years ago
scripter wrote:
The generic error page I am already using, but as for the IP restrictions part, that could become highly irritating, to have to keep going in and adding a new IP address to the block list.


Now this is just a quick thought that I would think has been done before, but I am not sure how to get started with implementing it. What I am thinking is using an HTTPHandler to pick up on any requests to pages that don't exist. If a large number of those requests come through from the same IP address, then add that to a block IP list automatically.


Have you heard of any implementation of something like this before?


I have not seen it done, but that doesn't mean people aren't doing it. One thing you'll want to ensure is that it is a smart handler. It will need to take into account the time frame that the requests are happening in. Otherwise you might block your own IP addresses if you do custom development and receive a lot of 404s.

Another thing to consider is that if this is not a new website, but instead an updated version of a previously existing website, then you will want to avoid blocking users who have bookmarked old URLs.
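
The automatic block list discussed in the posts above, with the time-frame and own-address caveats from the reply, could look like the following ASP.NET module. This is an added example, not code from any poster; the class name, thresholds and allow-list entries are assumptions, and it assumes the response still carries status 404 when EndRequest fires.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Web;

// Hypothetical module: temporarily blocks an IP that causes too many 404s inside a sliding window.
public class NotFoundThrottleModule : IHttpModule
{
    // Assumed thresholds; tune them against your own traffic.
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);
    private static readonly TimeSpan BlockFor = TimeSpan.FromHours(1);
    private const int MaxNotFound = 20;
    // Addresses that must never be blocked (developers, monitoring). Constructed values.
    private static readonly HashSet<string> AllowList = new HashSet<string> { "127.0.0.1", "::1" };
    private static readonly ConcurrentDictionary<string, Queue<DateTime>> Hits = new ConcurrentDictionary<string, Queue<DateTime>>();
    private static readonly ConcurrentDictionary<string, DateTime> BlockedUntil = new ConcurrentDictionary<string, DateTime>();

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) => RejectIfBlocked(((HttpApplication)s).Context);
        app.EndRequest += (s, e) => RecordIfNotFound(((HttpApplication)s).Context);
    }

    private static void RejectIfBlocked(HttpContext ctx)
    {
        string ip = ctx.Request.UserHostAddress ?? "";
        DateTime until;
        if (!BlockedUntil.TryGetValue(ip, out until)) return;
        // Blocks expire, so a bookmarked dead link or a reassigned address is not shut out for good.
        if (until <= DateTime.UtcNow) { BlockedUntil.TryRemove(ip, out until); return; }
        ctx.Response.StatusCode = 403;
        ctx.ApplicationInstance.CompleteRequest();
    }

    private static void RecordIfNotFound(HttpContext ctx)
    {
        string ip = ctx.Request.UserHostAddress ?? "";
        if (ctx.Response.StatusCode != 404 || AllowList.Contains(ip)) return;
        DateTime now = DateTime.UtcNow;
        Queue<DateTime> q = Hits.GetOrAdd(ip, _ => new Queue<DateTime>());
        lock (q)
        {
            q.Enqueue(now);
            // Keep only the 404s that fall inside the window, so old misses do not count.
            while (q.Count > 0 && now - q.Peek() > Window) q.Dequeue();
            if (q.Count < MaxNotFound) return;
            q.Clear();
            BlockedUntil[ip] = now + BlockFor;
        }
    }

    public void Dispose() { }
}
```

State is held in memory per worker process, so blocks are lost on an application pool recycle; behind a proxy or load balancer, UserHostAddress is the proxy's address, not the client's.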
12 years ago
I have a few projects I have to accomplish and then I will take a deeper look into the potential for this.
If I actually create something pretty decent, who knows, maybe I will submit it as a plugin.
12 years ago
I've seen this before in the logs for a DotNetNuke site I ran. It seems like it's people just scanning random sites looking for a file for an app that they know they have an exploit for.
12 years ago
Yeah, I am sure that is what it is. I just would like to deter those attempts as much as possible.
12 years ago
I see these kinds of attempts almost every hour of every day. Not unusual. You can use a filter like urlscanner if you're using IIS to filter on strings, user agents and other header information. I don't run PHP so I block all requests for PHP files. I have extensive security in place at multiple levels to catch a majority of the problems, but unless you're prepared to work off a white list of IPs rather than a black list you'll never catch it all. In the last few days I've been seeing something somewhat new that appears to be designed similar to openquery.net techniques. It seems to be a pretty nasty one since it has some contradictory aspects to it that I haven't quite figured out. IP seems to be from microtrends, but then it has some advertising referrer site and a third site that looks like a client for the advertising site. I'm still working out what they think they are trying to do. They are posting PHP pages so they aren't going to get anything from my server at this point.