Thread: Example of hacking URLs

  1. #1 Andy101 (Code Otaku, Kanazawa)

    Example of hacking URLs

    I captured many hacking attempts by IP address 222.88.240.132 to one of my websites using these URLs:

    [0] => join.php
    [1] => signup
    [2] => signup
    [3] => signup
    [4] => wp-login.php
    [5] => tiki-register.php
    [6] => user/register
    [7] => sign_up.html
    [8] => signup/
    [9] => signup.php
    [10] => signup.php
    [11] => forums/index.php
    [12] => registration_rules.asp
    [13] => register.php
    [14] => register.php
    [15] => profile.php
    [16] => ucp.php
    [17] => register.php
    [18] => signup.php
    [19] => account/register.php
    [20] => join.php
    [21] => join_form.php
    [22] => signup
    [23] => signup
    [24] => join.php
    [25] => signup.php
    [26] => member/register
    [27] => register/
    [28] => signup.php
    [29] => signup.php
    [30] => register.php
    [31] => join.php
    [32] => blogs/load/recent
    [33] => member/join.php
    [34] => join.php
    [35] => signup
    [36] => signup
    [37] => signup
    [38] => wp-login.php
    [39] => tiki-register.php
    [40] => user/register
    [41] => sign_up.html
    [42] => login.php
    [43] => member.php
    [44] => member.php
    [45] => member/
    [46] => modules.php
    [47] => signup/
    [48] => member/reg.php
    [49] => reg.asp
    [50] => reg.asp
    [51] => logging.php
    [52] => register.php
    [53] => login.php
    [54] => login.php
    [55] => login.php
    [56] => reg.asp
    [57] => bokeindex.asp
    [58] => bokeapply.asp
    [59] => signup.php
    [60] => signup.php
    [61] => register.php
    [62] => forums/index.php
    [63] => registration_rules.asp
    [64] => register.php
    [65] => register.php
    [66] => profile.php
    [67] => ucp.php
    [68] => register.php
    [69] => member/index_do.php
    [70] => signup.php
    [71] => account/register.php
    [72] => register.aspx
    [73] => post.php
    [74] => register.php
    [75] => member/register.php
    [76] => member.php/register.php
    [77] => register.php
    [78] => member/register.php
    [79] => member.php/register.php
    [80] => register.php
    [81] => reg.php
    [82] => login.php
    [83] => join.php
    [84] => join_form.php
    [85] => signup
    [86] => signup
    [87] => join.php
    [88] => signup.php
    [89] => member/register
    [90] => register/
    [91] => signup.php
    [92] => login.php
    [93] => signup.php
    [94] => register.php
    [95] => join.php
    [96] => blogs/load/recent
    [97] => member/join.php

    98 requests (with some rotation of the HTTP_USER_AGENT value) over a period of exactly 9 hours.

  2. #2 TopDogger (Über Hund, Hellfire, AZ)
    That is a hacker looking for vulnerable scripts. It looks like a variation of the Brute Force Attack that WordPress sites have been getting hit with since April. Once they find the login, the script will try to break the admin password.

    Wordpress Brute Force Attack on Admin Password

    222.88.240.132 is China (CHINA, HENAN, ZHENGZHOU). I have had so many attacks from China over the past year that I had to block most of China on my server. There isn't any traffic from China that has any value at all.
    Last edited by TopDogger; 15 June, 2013 at 14:22 PM.
    "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin


  3. #3 Andy101 (Code Otaku, Kanazawa)
    There is no traffic from China that has any value at all.
    This is a pity.

    To get this information I wrote a script to log error 404 text page requests. I am thinking about how to automatically ban IP addresses server-wide that switch the user agent and mainly trigger error 404 page requests. With Apache server it is a bit awkward since the server software doesn't support more than 1 IP address block globally (unless I am wrong). But I think nginx (server software) does.

  4. #4 TopDogger (Über Hund, Hellfire, AZ)
    You can block IPs with a script and a database. Just keep track of the IPs that hit the 404 page along with an incrementing count. Once they reach a certain count--perhaps 10--their access to any page should be blocked. You will probably see some overhead because you will have to check the user's IP every time they request a page in order to block them. For the hackers, just generate a status code 403 or redirect them back to their own IP.
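The counting scheme from the two posts above (log 404 responses per client, note whether the client rotates its User-Agent, block once the count reaches 10, then emit `deny from` lines), as an added example that is not code from the original thread. It parses Apache "combined" log lines; the log lines below are constructed for this example, using the attacker address from the first post and paths from the posted list. The `THRESHOLD` value of 10 is TopDogger's suggestion; the regex, function names and the legitimate visitor address 198.51.100.7 are assumptions of this example.

```python
"""Per-IP 404 counter over Apache combined-format access log lines.
Flags clients whose 404 count reaches a threshold and renders the
Apache 2.2 style 'deny from' lines the thread later uses."""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

THRESHOLD = 10  # count at which a client is blocked (TopDogger's suggestion)

# Constructed sample: paths from the posted list, two rotating User-Agent strings.
SCANNED_PATHS = ["join.php", "signup", "wp-login.php", "tiki-register.php",
                 "user/register", "sign_up.html", "signup.php", "register.php",
                 "profile.php", "ucp.php", "login.php", "reg.asp"]
AGENTS = ["Mozilla/4.0 (compatible; MSIE 6.0)", "Mozilla/5.0 (Windows NT 5.1)"]


def constructed_log():
    """Build constructed log lines: one scanner and one ordinary visitor."""
    lines = []
    for i, path in enumerate(SCANNED_PATHS):
        lines.append(f'222.88.240.132 - - [15/Jun/2013:0{i % 9}:00:00 +0900] '
                     f'"GET /{path} HTTP/1.1" 404 208 "-" "{AGENTS[i % 2]}"')
    # Ordinary visitor (assumed address): a page view plus one stale link.
    lines.append('198.51.100.7 - - [15/Jun/2013:10:00:00 +0900] '
                 '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('198.51.100.7 - - [15/Jun/2013:10:00:05 +0900] '
                 '"GET /old-page.html HTTP/1.1" 404 208 "-" "Mozilla/5.0"')
    return lines


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def scan(lines):
    """Aggregate per-IP totals, 404 counts, distinct agents and 404 paths."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0,
                                 "agents": set(), "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = stats[rec["ip"]]
        s["total"] += 1
        s["agents"].add(rec["agent"])
        if rec["status"] == 404:
            s["not_found"] += 1
            s["paths"].append(rec["path"])
    return stats


def offenders(stats, threshold=THRESHOLD):
    """IPs whose 404 count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s["not_found"] >= threshold)


def rotates_agent(stats, ip):
    """True when the client used more than one User-Agent string."""
    return len(stats[ip]["agents"]) > 1


def htaccess_deny(ips):
    """Render Apache 2.2 'deny from' lines for the blocked addresses."""
    return "\n".join(f"deny from {ip}" for ip in ips)


if __name__ == "__main__":
    st = scan(constructed_log())
    for ip in offenders(st):
        print(f"{ip}: {st[ip]['not_found']} x 404, "
              f"agent rotation={rotates_agent(st, ip)}")
    print(htaccess_deny(offenders(st)))
```

The visitor with a single stale link stays well under the threshold, which is the point of counting rather than blocking on the first 404; the agent-rotation flag is kept separate so it can be used as a second signal rather than folded into the count.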


  5. #5 robjones (Trail Boss, Lone Star State)
    Grr. And this is why we no longer can safely allow Chinese accts to even sign up. Have blocked a ton of their IPs, may have to hit more.
    -- Do not meddle in the affairs of dragons, for you are crunchy and good with ketchup. --

  6. #6 TopDogger (Über Hund, Hellfire, AZ)
    I heard on the news this morning that Chinese hackers broke into Google and have had access to Google accounts for a year without Google's knowledge. This is not the first breach of Google's security by Chinese hackers. I do find it hard to believe that a tech company like Google is this inept when it comes to security. It appears that Google is no more intelligent than military contractors.


  7. #7 Andy101 (Code Otaku, Kanazawa)
    I decided to put an IP block list in the root of my web server using a .htaccess file as follows:

    Code:
    order allow,deny
    allow from all
    
    
    # Chinese (CN) IP addresses follow: http://www.wizcrafts.net/chinese-blocklist.html
    deny from 1.80.0.0/13 1.192.0.0/13 1.202.0.0/15 14.144.0.0/12 14.208.0.0/12 27.8.0.0/13 27.16.0.0/12 27.36.0.0/14 27.40.0.0/13 27.54.192.0/18 27.106.128.0/18 27.115.0.0/17 27.152.0.0/13 27.184.0.0/13 36.248.0.0/14 42.96.128.0/17 58.16.0.0/15 58.20.0.0/16 58.21.0.0/16 58.22.0.0/15 58.34.0.0/16 58.37.0.0/16 58.38.0.0/16 58.40.0.0/16 58.42.0.0/16 58.44.0.0/14 58.48.0.0/13 58.56.0.0/15 58.58.0.0/16 58.59.0.0/17 58.60.0.0/14 58.68.128.0/17 58.82.0.0/15 58.100.0.0/15 58.208.0.0/12 58.242.0.0/15 58.246.0.0/15 58.248.0.0/13 59.32.0.0/13 59.40.0.0/15 59.42.0.0/16 59.44.0.0/14 59.51.0.0/16 59.52.0.0/14 59.56.0.0/13 59.72.0.0/16 59.108.0.0/15 59.174.0.0/15 60.0.0.0/13 60.11.0.0/16 60.12.0.0/16 60.24.0.0/13 60.160.0.0/11 60.194.0.0/15 60.208.0.0/13 60.216.0.0/15 60.220.0.0/14 61.4.64.0/20 61.4.80.0/22 61.4.176.0/20 61.48.0.0/13 61.128.0.0/10 61.135.0.0/16 61.136.0.0/18 61.139.0.0/16 61.145.73.208/28 61.147.0.0/16 61.152.0.0/16 61.154.0.0/16 61.160.0.0/16 61.162.0.0/15 61.164.0.0/16 61.175.0.0/16 61.177.0.0/16 61.179.0.0/16 61.183.0.0/16 61.184.0.0/16 61.185.219.232/29 61.187.0.0/16 61.188.0.0/16 61.191.0.0/16 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14 110.6.0.0/15 110.51.0.0/16 110.52.0.0/15 110.80.0.0/13 110.88.0.0/14 110.96.0.0/11 110.173.0.0/19 110.173.32.0/20 110.173.64.0/18 110.192.0.0/11 110.240.0.0/12 111.0.0.0/10 111.72.0.0/13 111.128.0.0/11 111.160.0.0/13 111.172.0.0/14 111.176.0.0/13 111.228.0.0/14 112.0.0.0/10 112.64.0.0/14 112.80.0.0/12 112.100.0.0/14 112.111.0.0/16 112.122.0.0/15 112.224.0.0/11 113.0.0.0/13 113.8.0.0/15 113.12.0.0/14 113.16.0.0/15 113.18.0.0/16 113.62.0.0/15 113.64.0.0/10 113.128.0.0/15 113.136.0.0/13 113.204.0.0/14 114.28.0.0/16 114.80.0.0/12 114.104.0.0/14 114.112.0.0/14 114.216.0.0/13 114.224.0.0/11 115.24.0.0/15 115.32.0.0/14 115.48.0.0/12 115.84.0.0/18 115.100.0.0/15 115.148.0.0/14 115.152.0.0/15 115.168.0.0/14 115.212.0.0/16 115.239.228.0/22 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.16.0.0/12 116.52.0.0/14 116.76.0.0/15 
116.90.80.0/20 116.112.0.0/14 116.128.0.0/10 116.204.0.0/15 116.208.0.0/14 116.224.0.0/12 116.254.128.0/18 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.79.224.0/20 117.80.0.0/12 118.72.0.0/13 118.112.0.0/13 118.120.0.0/14 118.132.0.0/14 118.144.0.0/14 118.180.0.0/14 118.186.0.0/15 118.192.0.0/16 118.248.0.0/13 119.0.0.0/13 119.8.0.0/15 119.10.0.0/17 119.18.192.0/20 119.36.0.0/16 119.57.0.0/16 119.60.0.0/16 119.88.0.0/14 119.96.0.0/13 119.112.0.0/13 119.120.0.0/13 119.128.0.0/12 119.144.0.0/14 119.164.0.0/14 119.176.0.0/12 119.233.0.0/16 120.0.0.0/12 120.24.0.0/14 120.32.0.0/13 120.40.0.0/14 120.68.0.0/14 120.192.0.0/10 121.0.16.0/20 121.8.0.0/13 121.16.0.0/12 121.32.0.0/14 121.60.0.0/14 121.76.0.0/15 121.204.0.0/14 121.224.0.0/12 122.51.128.0/17 122.64.0.0/11 122.119.0.0/16 122.136.0.0/13 122.156.0.0/14 122.188.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.224.0.0/12 123.4.0.0/14 123.8.0.0/13 123.52.0.0/14 123.64.0.0/11 123.97.128.0/17 123.100.0.0/19 123.112.0.0/12 123.128.0.0/13 123.150.0.0/15 123.152.0.0/13 123.164.0.0/14 123.184.0.0/14 123.196.0.0/15 123.232.0.0/14 124.42.64.0/18 124.64.0.0/15 124.67.0.0/16 124.114.0.0/15 124.126.0.0/15 124.128.0.0/13 124.160.0.0/16 124.163.0.0/16 124.192.0.0/15 124.200.0.0/13 124.226.0.0/15 124.228.0.0/14 124.236.0.0/14 124.240.0.0/17 124.240.128.0/18 124.248.0.0/17 125.40.0.0/13 125.64.0.0/12 125.79.0.0/16 125.80.0.0/13 125.88.0.0/13 125.104.0.0/13 125.112.0.0/12 159.226.0.0/16 175.0.0.0/12 175.16.0.0/13 175.24.0.0/14 175.30.0.0/15 175.42.0.0/15 175.44.0.0/16 175.46.0.0/15 175.48.0.0/12 175.64.0.0/11 175.102.0.0/16 175.106.128.0/17 175.146.0.0/15 175.148.0.0/14 175.152.0.0/14 175.160.0.0/12 175.178.0.0/16 175.184.128.0/18 175.185.0.0/16 175.186.0.0/15 175.188.0.0/14 180.76.0.0/16 180.96.0.0/11 180.136.0.0/13 180.152.0.0/13 180.208.0.0/15 182.18.0.0/17 182.112.0.0/12 183.0.0.0/10 183.64.0.0/13 183.160.0.0/13 192.74.224.0/19 221.204.0.0/15 202.43.144.0/22 202.46.32.0/19 
202.66.0.0/16 202.96.0.0/12 202.111.160.0/19 202.112.0.0/14 202.117.0.0/16 202.165.176.0/20 202.196.80.0/20 203.69.0.0/16 203.86.0.0/18 203.86.64.0/19 203.93.0.0/16 203.169.160.0/19 210.5.0.0/19 210.14.128.0/19 210.21.0.0/16 210.32.0.0/14 210.51.0.0/16 210.52.0.0/15 210.192.96.0/19 211.76.96.0/20 211.78.208.0/20 211.86.144.0/20 211.90.0.0/15 211.92.0.0/14 211.96.0.0/13 211.136.0.0/13 211.144.12.0/22 211.144.96.0/19 211.144.160.0/20 211.147.208.0/20 211.147.224.0/23 211.152.14.0/24 211.154.64.0/19 211.154.128.0/19 211.155.24.0/22 211.157.32.0/19 211.160.0.0/13 211.233.70.0/24 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.88.0.0/13 218.96.0.0/14 218.102.0.0/16 218.104.0.0/14 218.108.0.0/15 218.194.80.0/20 218.200.0.0/13 218.240.0.0/13 219.128.0.0/11 219.223.192.0/18 219.232.0.0/16 219.234.80.0/20 219.154.0.0/15 220.112.0.0/16 220.154.0.0/15 220.160.0.0/11 220.181.0.0/16 220.192.0.0/12 220.228.70.0/24 220.248.0.0/14 220.250.0.0/19 220.252.0.0/16 221.0.0.0/12 221.122.0.0/15 221.176.0.0/13 221.192.0.0/14 221.200.0.0/14 221.204.0.0/15 221.206.0.0/16 221.207.0.0/16 221.208.0.0/12 221.212.0.0/16 221.214.0.0/15 221.216.0.0/13 221.224.0.0/13 221.228.0.0/14 221.232.0.0/13 222.32.0.0/11 222.64.0.0/12 222.80.0.0/12 222.132.0.0/14 222.136.0.0/13 222.168.0.0/13 222.172.222.0/24 222.176.0.0/13 222.184.0.0/13 222.208.0.0/13 222.241.0.0/19 222.245.0.0/16 223.4.0.0/14 223.64.0.0/11
    I got the list from: Block Chinese and Korean IP Addresses From Apache Based Servers with .htaccess Blocklist

    With this list in place, I can add any new ones that I manually spot with my trap script.

    I tested a page load speed on my server with this .htaccess in place with so many IP addresses/ranges and it was 10ms, so no impact on page speed (an SEO factor).
    Last edited by Andy101; 16 June, 2013 at 13:10 PM. Reason: Added some more thoughts
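A check worth running against a list like the one above: which `deny from` range actually covers a given client, what the `order allow,deny` / `allow from all` combination decides for it, and which entries are redundant because a wider range already contains them. This is an added example, not code from the thread or from the blocklist's author. It parses an excerpt of the posted .htaccess (a handful of the posted ranges, reproduced below); the function names and the visitor address 198.51.100.7 are assumptions of this example.

```python
"""Evaluate an Apache 2.2 style access block (Order allow,deny) for a client
address and spot redundant 'deny from' entries."""
import ipaddress

# Excerpt of the posted .htaccess: the two leading directives plus a few of the
# posted ranges (61.135.0.0/16 sits inside 61.128.0.0/10, which is the point).
HTACCESS_EXCERPT = """order allow,deny
allow from all
# Chinese (CN) IP addresses follow (excerpt)
deny from 1.80.0.0/13 61.128.0.0/10 61.135.0.0/16 222.64.0.0/12 222.80.0.0/12 223.64.0.0/11
"""


def parse_access_rules(text):
    """Return (allow_all, deny_networks) from Apache 2.2 allow/deny lines."""
    allow_all = False
    denies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "allow" and parts[1:3] == ["from", "all"]:
            allow_all = True
        elif directive == "deny" and len(parts) > 2 and parts[1] == "from":
            for entry in parts[2:]:
                if entry == "all":
                    denies.append(ipaddress.ip_network("0.0.0.0/0"))
                else:
                    # strict=False tolerates host bits set in the prefix
                    denies.append(ipaddress.ip_network(entry, strict=False))
    return allow_all, denies


def matching_network(ip, networks):
    """First deny range containing ip (as a string), or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def decision(ip, allow_all, denies):
    """Order allow,deny: a request needs an Allow match and no Deny match."""
    if not allow_all:
        return "deny"
    return "deny" if matching_network(ip, denies) else "allow"


def redundant_entries(networks):
    """Entries already covered by another entry (or listed twice)."""
    out = []
    for i, net in enumerate(networks):
        for j, other in enumerate(networks):
            if i == j:
                continue
            duplicate = net == other and j < i
            covered = net != other and net.subnet_of(other)
            if duplicate or covered:
                out.append(str(net))
                break
    return out


if __name__ == "__main__":
    allow_all, denies = parse_access_rules(HTACCESS_EXCERPT)
    for client in ("222.88.240.132", "198.51.100.7"):
        print(client, decision(client, allow_all, denies),
              matching_network(client, denies))
    print("redundant:", redundant_entries(denies))
```

The attacker address from the first post falls inside 222.80.0.0/12 (222.80.0.0 to 222.95.255.255), so the posted list would have rejected it; the same check applied to the full list also shows why a range list should be deduplicated before it grows by hand.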

  8. #8 TopDogger (Über Hund, Hellfire, AZ)
    You might want to take a look at the following script. I use it and it has been very effective at blocking bots and automated scrapers. It automatically denies their IP through the .htaccess file. I think it can easily be modified to suit your needs.

    Bot-trap, a bad web robot blocker


  9. #9 Gavo (Newbie Net Builder)
    Wordpress total security has a feature that bans IPs after a set amount of 404 errors, along with stopping brute force attempts on logins.

    I'm not a fan of mass IP range banning; IP usage changes all the time, so you don't know what you're banning, or the location can change after you ban.

  10. #10 iowadawg (Free Cell Champion, Not in Texas)
    Hmmm....they may try any page they want.
    But on my blog....they end up at my main page.
    So I see a lot where they try join.php, login.php, and so forth.
    I wonder if this works?
