
Juto

Advanced hacking attempt


For the past weeks one of my sites has been attacked by 178.17.165.186, by using strings like:

 

www.mysite.com/index.php?language=en//json.php?action=3&module=../../../../../../../../../../../../..//proc/self/environ%0000

 

As you can see, the hacker is using the json library. The attempts have also been targeting the admin side.

The script used varies from time to time, but is not auto-generated; most likely the hacker has an arsenal and does manual tests.

The IP is listed on at least one honeypot; further investigations lead to trabia.net, and on the honeypot site a warning is given for that site as being a "high risk" site.

So, what you can do is to deny both trabia.net and the IP in your catalog's htaccess.

Cheers

 

Sara


In your /.htaccess file, you should be able to add

order allow,deny
deny from 178.17.165.186
allow from all

Your hosting control panel should have a "Deny IP address" function to do this for you. You can add more "deny" lines for other troublemakers.

 

Depending on the exact setup of your host server, you might need to add some sort of <if module> tags around the above code. Ask your host if the above code doesn't work for you.

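Added example, not part of the original thread and not code from either poster: a small Python scan of an Apache access log that flags requests shaped like the one quoted in the first post (deep `../` traversal, `/proc/self/environ`, an encoded null byte) and renders the offending addresses in the deny syntax from the reply. The log lines are constructed samples in combined log format, and the rule names and the three-segment traversal threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (combined log format). Only the client IP and the
# request string of the first line come from the post; the rest is made up.
SAMPLE_LOG = '''\
178.17.165.186 - - [01/Jan/2012:10:00:00 +0000] "GET /index.php?language=en//json.php?action=3&module=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 200 512 "-" "-"
178.17.165.186 - - [01/Jan/2012:10:00:05 +0000] "GET /admin/index.php?module=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [01/Jan/2012:10:01:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2012:10:02:00 +0000] "GET /images/../images/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# Capture the client address and the request target from each log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*"')

# Assumed rule set; a single "../" is common in benign URLs, so require three.
RULES = {
    "proc_environ": re.compile(r"/proc/self/environ"),
    "null_byte": re.compile(r"\x00"),
    "deep_traversal": re.compile(r"(?:\.\./+){3,}"),
}

def scan(log_text):
    """Return {client_ip: {rule_name: hit_count}} for suspicious requests."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode twice so singly and doubly percent-encoded input both match.
        ip, target = m.group(1), unquote(unquote(m.group(2)))
        for name, rule in RULES.items():
            if rule.search(target):
                findings[ip][name] += 1
    return {ip: dict(hits) for ip, hits in findings.items()}

def htaccess_block(findings):
    """Render flagged IPs in the 'order allow,deny' form used in the reply."""
    lines = ["order allow,deny"]
    lines += [f"deny from {ip}" for ip in sorted(findings)]
    lines.append("allow from all")
    return "\n".join(lines)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, hits in found.items():
        print(ip, hits)
    print(htaccess_block(found))
```

The `order`/`deny from` directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is `Require all granted` plus `Require not ip <address>` inside a `<RequireAll>` block.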