WhiteSites Blog

Website Security Tip remove catch all bindings

May 23, 2010 by Paul White

A few months ago I noticed that one of my clients websites seemed to be getting spikes of traffic.  However with spikes in traffic most clients would report an increase in sales or business.  When looking at the stats server, the requests were for pages and files that were not even on the server, and were for technologies ( PHP ) that I do not run on m box.  If you see requests for files like /prx2.php, /phpmyadmin/config/config.inc.php, /roundcubemail/readme, or /webmail/readme.  You might want to read this article.

Read
5095 Visitors
5095 Views

Hacker Attacks and Invalid character in a Base-64 string

Jan 13, 2010 by Paul White

On my websites I have them setup to email me anytime a server error happens.  If you ever get an error like "Invalid character in a Base-64 string",  This is likely a hacker attack.   In my case it was on the members login on my client's website.  I logged in and shut down the site.  10 minutes later I started it back up and the hacker had left.  Interesting is what the HTTP RAW data reveled.

HTTP_X_FORWARDED_FOR:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37 HTTP_PROXY_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37 HTTP_CLIENT_IP:84.0.182.175, 84.0.162.91, 84.0.237.176, 84.0.228.6, 84.0.220.100, 84.0.147.233, 84.0.159.1, 84.0.84.37

Never seen these values before.  According to the logs the IPs were from hundreds of compromised systems. However they all had these values in common.   I am going to add a rule to detect the Class A IP in the 80.x.x.x block in the HTTP_X_FORWARDED_FOR, and block.  Hopefully this helps some other people out

Read
4086 Visitors
4086 Views

SQL injection IP blacklist from the botnet

Aug 26, 2008 by Paul White

The BotNet seems to be growing faster than ever.  I have included a list of all the IPs, I have caught attempting SQL injection via querystring.  If you have your own blacklist, feel free to add these to your list.

Read
5257 Visitors
5257 Views

protecting against SQL injection attacks using querystring

Aug 15, 2008 by Paul White

If you run a website that is based on SQL, or MySQL. This is a must read.  Some of my websites recently have been under attack by bots that are trying a new method of SQL injection attack. 

Read
5725 Visitors
5725 Views

HTTP black lists stop comment spammers

Jun 4, 2008 by Paul White

I got sick of seeing failed viewstate in my event logs. so I wrote some code that checks visitors against a HTTP blacklist.  I found that one of my blacklists was full of false positives.  Not that the given IP wasn't abusive at one point in time but I found it was full of proxies of which are frequently used by legitimate users.  After comparing some user logs I found that I was blocking a few of my member.  The HTTP blacklist from Project Honey Pot works, but had the problem with proxies as I stated above.  However one that I have had much better luck with is the one by stopforumspam.com.
If you are looking to stop comment spammers from seeing your site, I highly recommend them.  Read on for a code snippet that shows how I implimented this block

Read
3508 Visitors
3508 Views

Stop Spam with Grey Listing in SmarterMail

Apr 17, 2008 by Paul White

For the longest time I had the wrong definition of what grey listing is.  Once I figured out what it really is, and implemented it on my server running SmarterMail 4.x. I saw a huge drop in spam.  If you hate spam, this might very well solve all your problems.  Read this article for information on how it works and why it works.

Read
3973 Visitors
3973 Views

asp.net http module for project honey pot http IP blacklist

Mar 31, 2008 by Paul White

Project Honey Pot
If there is one things that developers agree on, its that hackers, and spammers should be hunted down, and Killed, ( I mean brought to justice ).  The guys over at Project Honey Pot are leading the fight against spam.  They have setup a HTTP Blacklist that developers can use to validate their visitors IP.  The only problem is writing some code to utilize it might be a little advanced for some.  I have created an HTTP Module for ASP.NET that will validated your visitors before they get into your site.  I even commented my code ( something I usually don't do ), so others can learn.  Give it a try and let me know what you think. 

Read
2 Comments
9765 Visitors
9765 Views

Dictionary attack IP list

Mar 31, 2008 by Paul White

This is a list of IPs that tried to send email to users that don't exist on one of my client's sites.  SmarterMail can be setup to reject these IPs after X failed attempts.  Feel free to add these to your blacklists.

Read
6340 Visitors
6340 Views

How to stop Real Player from downloading your videos with ASP.NET

Mar 11, 2008 by Paul White

Coming soon!!  Even though you can never block computer savy people from downloading your videos. The latest Real Player makes it so easy that even a computer handicaped person could download videos from your members sites.  After some hacking I figured out how to bock Real Player from stealing your videos.  All I am going to say is it involves an Http Handler, and an ISAPI entry to manage your .MPG extensions.  I should have a full write up on how to do this within a few days.

Read
1 Comments
5090 Visitors
5090 Views

Stop Hackers and Spam Bots in IIS

Mar 1, 2008 by Paul White


If you get a ton of server errors in your event logs in IIS. You might be under attack from hackers and spam bots attempting to inject comments and links in your submit forms.  The notorious Viewstate Failed Error seems to be the result of their attempts.  I have found an awesome resource to take care of this, and block these rejects for good. 

Read
9557 Visitors
9557 Views