Under attack

Yesterday morning I woke up to several hundred (or was it thousand?) messages from the online contact form on my website.  They came from what was clearly an automated dumb probe: all within a few minutes just before 4 a.m.  The probe had tried filling different fields with all kinds of payloads: fishing Unix paths, fishing Windows paths, escaped and unescaped commandline sequences including shellshock, SQL injection attacks, Javascript/XSS fragments, attempts to send mail or proxy HTTP.  Oh, and some fragments whose potential purpose eludes me.

OK, no big deal: just a few minutes of my time.  Dumb bots attack websites all the time.  Whatever vulnerabilities my server has (and I’m sure there are some), that kind of bot probing my contact form is no threat – except insofar as it could become a DoS.

This morning, another 740 messages.  From an even briefer probe: all at 03:59 and 04:00.  Checked the IP they all came from, and firewalled it off.  With a DROP rule, of course.  If it recurs from elsewhere, I’ll have to take a view on whether this approach can be extended or is useless.

If I can be arsed, maybe I’ll stay up and tail the log tonight, starting 03:50 or so.  Wonder if the perpetrator can be pwned while in action?  On second thoughts, maybe not at that hour, doubly not after the couple of pints I regularly enjoy on a Thursday evening.

Advertisements

Posted on March 16, 2017, in internet, security. Bookmark the permalink. 1 Comment.

  1. Another 730 craps this morning, from 04:00 to 04:02. Still a single IP address, but a different one, and not even on the same subnet (202.83.18.143 vs 136.18.172.122 – broadband.actcorp.in and abts-kk-dynamic-136.18.172.122.airtelbroadband.in). I guess firewalling is useless. 😦

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: