May 23, 2010 by Paul White
A few months ago I noticed that one of my clients websites seemed to be getting spikes of traffic. However with spikes in traffic most clients would report an increase in sales or business. When looking at the stats server, the requests were for pages and files that were not even on the server, and were for technologies ( PHP ) that I do not run on m box. If you see requests for files like /prx2.php, /phpmyadmin/config/config.inc.php, /roundcubemail/readme, or /webmail/readme. You might want to read this article.
Jan 13, 2010 by Paul White
On my websites I have them setup to email me anytime a server error happens. If you ever get an error like "Invalid character in a Base-64 string", This is likely a hacker attack. In my case it was on the members login on my client's website. I logged in and shut down the site. 10 minutes later I started it back up and the hacker had left. Interesting is what the HTTP RAW data reveled.
HTTP_X_FORWARDED_FOR:18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
HTTP_PROXY_CLIENT_IP:126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
HTTP_CLIENT_IP:184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
Never seen these values before. According to the logs the IPs were from hundreds of compromised systems. However they all had these values in common. I am going to add a rule to detect the Class A IP in the 80.x.x.x block in the HTTP_X_FORWARDED_FOR, and block. Hopefully this helps some other people out
Aug 26, 2008 by Paul White
The BotNet seems to be growing faster than ever. I have included a list of all the IPs, I have caught attempting SQL injection via querystring. If you have your own blacklist, feel free to add these to your list.
Aug 15, 2008 by Paul White
If you run a website that is based on SQL, or MySQL. This is a must read. Some of my websites recently have been under attack by bots that are trying a new method of SQL injection attack.
Jun 4, 2008 by Paul White
I got sick of seeing failed viewstate in my event logs. so I wrote some code that checks visitors against a HTTP blacklist. I found that one of my blacklists was full of false positives. Not that the given IP wasn't abusive at one point in time but I found it was full of proxies of which are frequently used by legitimate users. After comparing some user logs I found that I was blocking a few of my member. The HTTP blacklist from Project Honey Pot works, but had the problem with proxies as I stated above. However one that I have had much better luck with is the one by stopforumspam.com.
If you are looking to stop comment spammers from seeing your site, I highly recommend them. Read on for a code snippet that shows how I implimented this block
Apr 17, 2008 by Paul White
For the longest time I had the wrong definition of what grey listing is. Once I figured out what it really is, and implemented it on my server running SmarterMail 4.x. I saw a huge drop in spam. If you hate spam, this might very well solve all your problems. Read this article for information on how it works and why it works.
Mar 31, 2008 by Paul White
If there is one things that developers agree on, its that hackers, and spammers should be hunted down, and
, ( I mean brought to justice ). The guys over at Project Honey Pot are leading the fight against spam. They have setup a HTTP Blacklist that developers can use to validate their visitors IP. The only problem is writing some code to utilize it might be a little advanced for some. I have created an HTTP Module for ASP.NET that will validated your visitors before they get into your site. I even commented my code ( something I usually don't do ), so others can learn. Give it a try and let me know what you think.
Mar 31, 2008 by Paul White
This is a list of IPs that tried to send email to users that don't exist on one of my client's sites. SmarterMail can be setup to reject these IPs after X failed attempts. Feel free to add these to your blacklists.
Mar 11, 2008 by Paul White
Coming soon!! Even though you can never block computer savy people from downloading your videos. The latest Real Player makes it so easy that even a computer handicaped person could download videos from your members sites. After some hacking I figured out how to bock Real Player from stealing your videos. All I am going to say is it involves an Http Handler, and an ISAPI entry to manage your .MPG extensions. I should have a full write up on how to do this within a few days.
Mar 1, 2008 by Paul White
If you get a ton of server errors in your event logs in IIS. You might be under attack from hackers and spam bots attempting to inject comments and links in your submit forms. The notorious Viewstate Failed Error seems to be the result of their attempts. I have found an awesome resource to take care of this, and block these rejects for good.