Hacker Attacks and Invalid character in a Base-64 string

Posted on Jan 13, 2010 by Paul White

I have my websites set up to email me any time a server error happens. If you ever get an error like "Invalid character in a Base-64 string", this is likely a hacker attack. In my case it was on the members login on my client's website. I logged in and shut down the site. 10 minutes later I started it back up and the hacker had left. What is interesting is what the HTTP RAW data revealed.

HTTP_X_FORWARDED_FOR:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37

HTTP_PROXY_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37

HTTP_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37

I have never seen these values before. According to the logs, the IPs were from hundreds of compromised systems. However, they all had these values in common. I am going to add a rule to detect the Class A IP in the 80.x.x.x block in the HTTP_X_FORWARDED_FOR, and block it. Hopefully this helps some other people out.
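
One way to express the pattern in the dump above as a detection check (an added example, not code from the original post): it flags a request only when all three client-IP server variables carry the same multi-hop chain inside a single /8. The function names, the `min_hops` threshold and the sample addresses are assumptions; these headers are supplied by the client, so the check matches the shape of the values rather than trusting them as a source address.

```python
import ipaddress
import re

# Server variables from the post that carry a client-supplied "original IP" claim.
IP_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_PROXY_CLIENT_IP", "HTTP_CLIENT_IP")

def parse_server_vars(raw):
    """Split a flattened 'NAME:value NAME:value' dump into a dict."""
    # re.split with a capture group yields ['', name, value, name, value, ...]
    parts = re.split(r"\b(HTTP_[A-Z_]+):", raw)
    return {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}

def hop_list(value):
    """Parse a comma-separated hop chain; raises ValueError on a non-IP hop."""
    return [ipaddress.ip_address(h.strip()) for h in value.split(",") if h.strip()]

def looks_like_forged_chain(server_vars, min_hops=3):
    """True when all three headers repeat one long chain within one /8."""
    values = [server_vars.get(h) for h in IP_HEADERS]
    if None in values or len(set(values)) != 1:
        return False          # a header is missing, or the three disagree
    try:
        hops = hop_list(values[0])
    except ValueError:
        return False          # malformed hops are a different signature
    # (IP version, first octet) identifies the /8 each hop claims to be in.
    blocks = {(h.version, h.packed[0]) for h in hops}
    return len(hops) >= min_hops and len(blocks) == 1

# Constructed samples using documentation address ranges, not real traffic.
CHAIN = "192.0.2.10, 192.0.2.77, 192.0.2.130, 192.0.2.201"
SAMPLE_SUSPECT = " ".join(f"{h}:{CHAIN}" for h in IP_HEADERS)
SAMPLE_PROXY = "HTTP_X_FORWARDED_FOR:198.51.100.7 HTTP_USER_AGENT:Mozilla/5.0"
SAMPLE_SINGLE = " ".join(f"{h}:203.0.113.9" for h in IP_HEADERS)

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT),
                       ("proxy", SAMPLE_PROXY),
                       ("single", SAMPLE_SINGLE)):
        print(label, looks_like_forged_chain(parse_server_vars(raw)))
```
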