How to process hacking attempts?

I quite frequently see log entries like this:

Processing MenuController#menu (for 81.18.246.182 at 2010-09-29
21:06:22) [GET]
Parameters: {"anything"=>["phpMyAdmin", "config", "config.inc.php"],
"p"=>"phpinfo()"}
Redirected to http://85.214.197.248/authentication/login
Filter chain halted as
[#Proc:0xb74c7784@/home/xxx/yyy.de/releases/20100929164559/vendor/rails/actionpack/lib/action_controller/verification.rb:82]
rendered_or_redirected.
Completed in 1ms (DB: 0) | 302 Found
[http://85.214.197.248/phpMyAdmin/config/config.inc.php?p=phpinfo();]

Obviously these guys are trying to find some weakness in my server. They
very often retry a list of login attempts to get some successful login,
sending parameters like this:
{"anything"=>["phpMyAdmin"]}
{"anything"=>["phpmyadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["pma","config","config.inc.php"], "p"=>"phpinfo()"}
{"anything"=>["admin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["dbadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["mysql","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["php-my-admin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["myadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["PHPMYADMIN","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["phpMyAdmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["p","m","a","config","config.inc.php"],"p"=>"phpinfo()"}

What’s the best way to process these hacking attempts?

If it’s from a consistent set of IP addresses, you can ban them. Not a
full solution obviously, but a good first step.

No, I tested 3 IP addresses: Russia, USA, Netherlands. But the attempts
listed above came from one origin.

Which response should be sent to a banned address?

I guess, I simply should send a 404.

Since my server needs to be accessible from a quite small region and I'm
uninterested in getting it indexed by search engines, it would be
possible to reject any request that comes from outside the region.

How to programmatically get the origin of an IP address?

I wouldn't bother doing that from Rails. That'd be easier to set up
either at the firewall or web server level. Would use a lot less
resources.

Simon

On Sun, 09 Jan 2011 19:35:23 +0800, Fritz T. [email protected]
wrote:

I guess, I simply should send a 404.

Since my server needs to be accessible from a quite small region and I'm
uninterested in getting it indexed by search engines, it would be
possible to reject any request that comes from outside the region.

How to programmatically get the origin of an IP address?



It is not wise to simply ban the IPs, because this can be a simple
botnet scanning. So real users are not even aware of what's going on.

You can try to block this kind of request on the webserver before it
goes to the Rails stack, like this (nginx):

location ~ \.php$ {
    deny  all;
}
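As an added example (not code from this thread), here is the Rails-side equivalent for the case where a blanket nginx rule is too coarse: a Rack middleware that answers the probe paths quoted above with a plain 404 unless the client is in an allow-listed network, and counts probes per source address so the scanning can still be seen. The class name ProbeFilter, the pattern list and the CIDR ranges are assumptions.

```ruby
require 'ipaddr'

# Rack middleware: 404s scanner probes for PHP admin tools before the
# request reaches any Rails controller. Clients inside an allow-listed
# network (e.g. the owner's own range) are passed through untouched, so
# the owner can still use phpMyAdmin. Example code, not from the thread.
class ProbeFilter
  # Path fragments taken from the scans quoted in the thread; extend as needed.
  PROBE_PATTERN = %r{\.php(\b|$)|/(phpmyadmin|pma|myadmin|dbadmin|php-my-admin)(/|$)}i
  NOT_FOUND = [404, { 'Content-Type' => 'text/plain' }, ['Not Found']].freeze

  attr_reader :hits # { remote_addr => probe count }, for later review/banning

  def initialize(app, allow: [])
    @app = app
    @allow = allow.map { |cidr| IPAddr.new(cidr) }
    @hits = Hash.new(0)
  end

  def call(env)
    remote = env['REMOTE_ADDR'].to_s # behind a proxy, use the real client IP instead
    return @app.call(env) if allowed?(remote)
    if probe?(env['PATH_INFO'].to_s, env['QUERY_STRING'].to_s)
      @hits[remote] += 1
      return NOT_FOUND
    end
    @app.call(env)
  end

  def probe?(path, query)
    PROBE_PATTERN.match?(path) || query.include?('phpinfo()')
  end

  def allowed?(remote_addr)
    return false if remote_addr.empty?
    ip = IPAddr.new(remote_addr)
    @allow.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  filter = ProbeFilter.new(app, allow: ['192.0.2.0/24']) # constructed ranges
  probe = { 'REMOTE_ADDR' => '203.0.113.7', 'PATH_INFO' => '/phpMyAdmin/config/config.inc.php',
            'QUERY_STRING' => 'p=phpinfo()' }
  puts filter.call(probe)[0]                              # 404
  puts filter.call(probe.merge('REMOTE_ADDR' => '192.0.2.10'))[0] # 200 (allow-listed)
end
```

In a Rails app this would be added with `config.middleware.use ProbeFilter, allow: [...]`; the hits hash is per process, so persist it (or log it) if you want to feed a firewall ban list from it.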

That’s also not very wise, since I occasionally use phpmyadmin myself.
(In normal mode, it is stopped and a cronjob stops it automatically
every night for security.)

And what about webmin?

Fritz T. wrote in post #973449:

That’s also not very wise, since I occasionally use phpmyadmin myself.
(In normal mode, it is stopped and a cronjob stops it automatically
every night for security.)

That’s not wise at all. PhpMyAdmin has known security holes, and there
are better MySQL admin tools available anyway.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]


Please quote when replying.

Fritz T. wrote in post #973537:

And what about webmin?

What about it?

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]
