WhiteSites Blog

Hacker Attacks and Invalid character in a Base-64 string

Posted on Jan 13, 2010 by Paul White

On my websites I have them setup to email me anytime a server error happens.  If you ever get an error like "Invalid character in a Base-64 string",  This is likely a hacker attack.   In my case it was on the members login on my client's website.  I logged in and shut down the site.  10 minutes later I started it back up and the hacker had left.  Interesting is what the HTTP RAW data reveled.

HTTP_X_FORWARDED_FOR:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37 HTTP_PROXY_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37 HTTP_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37

Never seen these values before.  According to the logs the IPs were from hundreds of compromised systems. However they all had these values in common.   I am going to add a rule to detect the Class A IP in the 80.x.x.x block in the HTTP_X_FORWARDED_FOR, and block.  Hopefully this helps some other people out
Permalink
3930 Visitors
3930 Views

Categories associated with Hacker Attacks and Invalid character in a Base-64 string

Discussion

No Comments have been submitted
name
Email Needed to confirm comment, but not made public.
Website
 
 
When you Post your Comment, you'll be sent a confirmation link. Once you click this link your thoughts will be made public.. Posts that are considered spam will be deleted, Please keep your thoughts and links relavent to this Article