
View Full Version : Brute force attacks
Lawrence 03-12-2001, 07:19 AM We've just had another apparent brute force attack on our software download system, which uses HTAccess. This time, 9998 attempts were made by the same IP address, but all failed. Usernames ranged from things like "member", "visitor" and "private" through to crude language and pornographic references. In some respects, it seems to have been more intended as an annoyance than anything. Last time it was only 99 attempts, and someone on this forum pointed out that it could have just been Gozilla making a download attempt (and that seems by far the most likely case). But this time it was IE that was used.
I'm wondering if there's any course of action that we can take. We know the IP, but is it possible for us to contact our host and somehow ban access from that IP or something? And I'm not really sure if it's a big deal. Nearly 10,000 attempts seems big to me, but for all I know that could just be a petty attack. It may have even been intended as a DoS attack for all I know.
Anyone know much about this sort of stuff? I'm no expert on it.
cperciva 03-12-2001, 05:52 PM Don't have your host ban that IP address. Instead, look up who that IP address belongs to, and ask the company's abuse contact to kill that person's account.
Make sure that you send them the logfile lines corresponding to the attack (or at least, the first five and the last five).
kunal 03-13-2001, 02:07 AM Yup. Before you do anything, find out everything you can with the person's IP address. Where he/she lives, what he does, who his ISP is, etc. etc. And then give the ISP and the local police department a lil visit.
And then give the ISP and the local police department a lil visit.
Will the local police even do anything?
Originally posted by vizi
And then give the ISP and the local police department a lil visit.
Will the local police even do anything?
Depends on your local police's willingness to do something about it. Usually a quick visit by the police is enough to deter it.
My local police are just catching up to cyberspace crimes and they're making some inroads.
Lawrence 03-14-2001, 02:39 AM Thanks for the advice.
We have managed to scavenge some info about the person, but not a lot. I'm not too worried anyway, I think it's more of a thing to keep an eye on than rigorously pursue. Of course, if they had gotten in it would have been a different story...
mybiz 03-18-2001, 02:03 PM There is a good software program called neotrace, they even have another one called hacktrace, but it only works for your local machine..
I would research installing an IDS on your server.
eriky 04-09-2001, 09:00 AM If you have a webpage with login and password you can use (with php) a sleep command, like sleep(5).
So when a user enters a wrong password the script waits 5 seconds. A normal user won't notice it, but a hacker trying 10000 logins has to wait at least 10000 * 5 seconds which is almost 14 hours. I don't know if this is possible with htaccess too.
This has not much to do with the topic but it's nice to know i think :)
Erik
I'm rather doubtful that someone sat down and used IE to guess 9998 times to try to get a valid user/password. The user agent field is probably not reliable in this case.
That sleep idea sounds cool... like sandpitting spammers. Of course, they could always do 10000 separate HTTP connections instead... but it would surely slow them down. (If they do do 100000 separate HTTP connections, they'll probably do multiple of them simultaneously, which might cause your server's max httpd process limit to be hit...)
eriky 04-09-2001, 12:00 PM The best solution of course is to count the invalid logins from each ip and deny it when there were more than x wrong passwords and at the same time use the sleep trick. This makes everything at least a bit more difficult for the average script kiddie.
Oh, I remember there are programs to fill in the form in IE or any other program, so they/he/she used IE but of course didn't do it manually.
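The per-IP counter eriky describes, as an added example that is not code from this thread or from any poster: a small Python login wrapper (the thread talks about PHP or Perl; the logic is the same in any of them) that counts recent failures per source IP, applies a growing delay on repeat failures, and locks the IP out after a fixed number of failures. The `verify` callback, the user names, the IP addresses and the thresholds are hypothetical. It only applies where the application runs code on each login; it cannot be bolted onto .htaccess Basic Auth, which Apache checks before any script runs.

```python
"""Per-IP failed-login counter with a tarpit delay and a lockout.

Added example, not code from the thread. Assumes an application-level
login handler (PHP, Perl, Python, anything that runs per request); it does
not apply to .htaccess Basic Auth, which Apache decides before any script
runs. IPs, user names, passwords and thresholds are hypothetical.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Verdict:
    allowed: bool   # False when the source IP is locked out
    delay: float    # seconds to sleep before answering (0.0 when clean)
    reason: str


class LoginThrottle:
    def __init__(self, max_failures=5, window=600.0, lockout=900.0,
                 base_delay=1.0, max_delay=8.0, clock=time.monotonic):
        self.max_failures = max_failures  # failures inside `window` before lockout
        self.window = window              # seconds; older failures are forgotten
        self.lockout = lockout            # seconds an IP stays blocked
        self.base_delay = base_delay      # delay doubles with each recent failure
        self.max_delay = max_delay        # cap: a persistent IP is refused, not stalled
        self.clock = clock                # injectable so tests need not wait
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> clock value when lockout ends

    def _recent(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, ip):
        """Call before verifying credentials."""
        now = self.clock()
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return Verdict(False, 0.0, "locked out")
            del self._locked_until[ip]        # lockout has expired
        n = len(self._recent(ip, now))
        if n == 0:
            return Verdict(True, 0.0, "ok")
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        return Verdict(True, delay, "%d recent failure(s)" % n)

    def record(self, ip, success):
        """Call after verifying credentials."""
        now = self.clock()
        if success:
            self._failures.pop(ip, None)      # a good login clears the slate
            return
        q = self._recent(ip, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()


def login(throttle, ip, username, password, verify, sleeper=time.sleep):
    """Wrap the application's credential check with the throttle.

    verify(username, password) -> bool is the application's own check
    (hypothetical here). Returns (granted, verdict).
    """
    verdict = throttle.check(ip)
    if not verdict.allowed:
        return False, verdict                 # no delay, no verify: just refuse
    if verdict.delay:
        sleeper(verdict.delay)                # eriky's sleep(), but only after a failure
    ok = verify(username, password)
    throttle.record(ip, ok)
    return ok, verdict


if __name__ == "__main__":
    users = {"lawrence": "correct horse battery"}      # hypothetical credential store
    throttle = LoginThrottle()
    for guess in ["member", "visitor", "private", "guest", "admin", "lawrence"]:
        granted, v = login(throttle, "203.0.113.9", guess, "password",
                           lambda u, p: users.get(u) == p, sleeper=lambda s: None)
        print("%-8s granted=%s delay=%.1f %s" % (guess, granted, v.delay, v.reason))
```

Locking out rather than relying on the delay alone matters for the reason given a few posts up: a sleeping handler still occupies a server process, so a client that opens many connections in parallel turns the tarpit into a way of hitting the httpd process limit. Counting by IP also has the weakness raised later in the thread, that an attacker can come through proxies, and the reverse problem that a whole NAT or ISP proxy shares one address, so keep the lockout short and log it rather than treating it as proof of anything.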
Website Rob 04-11-2001, 03:17 AM Originally posted by eriky
The best solution of course is to count the invalid logins from each ip and deny it when there were more than x wrong passwords
Any idea/suggestions eriky, on how a person would do this?
eriky 04-11-2001, 04:59 AM If you can program in php or perl it wouldn't be too hard to make this but I can't explain _exactly_ how to do this. I never wrote such a program so I don't have example code either.
marcum 04-12-2001, 12:33 AM I seriously doubt the police could do anything about it even if they wanted to. What's the crime? If they actually got in and destroyed property, maybe. However, if they are from outside the country, or going through proxy servers from all over the world, you probably couldn't find them if you wanted to. Especially if they initiated the attack from a hacked account, used a proxy server that deletes log files, etc.
[Edited by marcum on 04-12-2001 at 12:43 AM]
Lawrence 04-12-2001, 05:13 AM This thread seems to be getting some action a month after it died off!
marcum - I'm sure there is some sort of offence involved. If I threw a brick at a shopfront window, it would be more serious if the brick actually broke the window, but still an offence if it didn't. Cracking into a site is a similar sort of thing. I agree that the police couldn't/wouldn't do much though.
I realise it's not the sort of offence that attracts much attention or punishment, if any. Whether it's a "crime", "offence" or just someone being "naughty", it still has potential to do damage, and I think that's the important thing.
eriky - I don't think you could use Perl or PHP unless your authentication program was written in them. At least in our case, we use HTAccess. Any idea how to set such options as you suggest in a .htaccess file? Is it even possible?
SI-Chris 04-12-2001, 05:43 AM Originally posted by Lawrence
This thread seems to be getting some action a month after it died off!
...
What eventually happened with the attacker? Did they keep coming back?
Lawrence 04-12-2001, 06:05 AM Originally posted by IntelligentHosting.com
What eventually happened with the attacker? Did they keep coming back?
They never came back, and we haven't had any troubles since, so we haven't pursued the issue. It's amazing how many cracker sites give us their URLs when they download our product trial though!
It's all the tag alongs that annoy me - those who call themselves hackers because they can use a software tool given to them by someone else. At least the hardcore crackers have some skill at what they do.
vbird 04-18-2001, 10:28 PM We know the IP, but is it possible for us to contact our host and somehow ban access from that IP or something?
Yeah, your host may be happy to know someone is hammering your site. They may then be happy to add them to the deny list.
On another note, you may notice this user is a regular visitor? Why were they trying to get into your site? If it is a company site, they may be competition or something; if it is a pay-for site, then they may be a customer. What I would do if I was really concerned is check all my access logs for that same IP and see what else they were doing on my site and if they visit often. Knowing the motivation can help a lot in knowing if it is malicious or if they were simply trying out a new password cracker program. Someone trying to break a password once is not too big of a deal, but if someone is really trying to get something from you, perhaps it is best to figure out what they want and why. That is your concern more so than what happened.
Sorry for the sermon but this is the way I see this type of thing IMHO.
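Pulling the evidence out of the access log, as an added example that is not code from the thread: the log check vbird suggests and the excerpt cperciva asked for earlier (the first five and last five lines for the abuse contact), written in Python against Apache's combined log format. On a 401 response Apache's %u field records whatever user name the client sent, so each failed Basic Auth attempt appears with the name that was tried. The sample log lines, IP addresses and user names are constructed, and the threshold is an assumption. One 401 per visitor is normal, because every Basic Auth session begins with an unauthenticated request that the server challenges, which is why a threshold is needed at all. The User-Agent is copied into the report but, as pointed out above, it is client-supplied and proves nothing.

```python
"""Find HTTP Basic Auth brute-force attempts in an Apache access log.

Added example, not code from the thread. Assumes Apache's combined log
format. On a 401 the %u field carries whatever user name the client sent,
so failed Basic Auth attempts show up as status 401 with a non-"-" user.
All log lines, addresses and names below are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_auth_by_ip(lines, min_attempts=20):
    """Group 401 responses by source IP and report IPs at or over the threshold.

    min_attempts is an assumed threshold: one 401 per visitor is normal
    (the browser's first request is always challenged), thousands are not.
    """
    per_ip = defaultdict(lambda: {"lines": [], "users": set(), "agents": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] != "401":
            continue
        entry = per_ip[rec["ip"]]
        entry["lines"].append(line)
        if rec["user"] != "-":           # "-" is the unauthenticated first request
            entry["users"].add(rec["user"])
        if rec["agent"]:
            entry["agents"].add(rec["agent"])

    report = {}
    for ip, entry in per_ip.items():
        if len(entry["lines"]) < min_attempts:
            continue
        report[ip] = {
            "attempts": len(entry["lines"]),
            "usernames": sorted(entry["users"]),
            "agents": sorted(entry["agents"]),   # client-supplied, not evidence
            "first": parse(entry["lines"][0])["time"],
            "last": parse(entry["lines"][-1])["time"],
            "lines": entry["lines"],
        }
    return report


def abuse_excerpt(entry, head=5, tail=5):
    """The first and last few raw lines to attach to an abuse report."""
    lines = entry["lines"]
    if len(lines) <= head + tail:
        return list(lines)
    omitted = len(lines) - head - tail
    return lines[:head] + ["... %d lines omitted ..." % omitted] + lines[-tail:]


# --- constructed sample log (not real traffic) ---
_AGENT = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
_GUESSES = ["member", "visitor", "private", "guest", "admin"]


def _line(ip, user, status, second):
    size = "-" if status == "401" else "8192"
    return ('%s - %s [12/Mar/2001:03:14:%02d +1100] "GET /download/ HTTP/1.0" '
            '%s %s "-" "%s"' % (ip, user, second, status, size, _AGENT))


SAMPLE_LOG = (
    [_line("203.0.113.9", _GUESSES[i % len(_GUESSES)], "401", i) for i in range(30)]
    + [_line("198.51.100.7", "-", "401", 40),          # normal challenge ...
       _line("198.51.100.7", "lawrence", "200", 41),   # ... then a good login
       _line("192.0.2.33", "-", "200", 42)]            # unrelated public page
)

if __name__ == "__main__":
    for ip, entry in failed_auth_by_ip(SAMPLE_LOG).items():
        print("%s: %d failed attempts, %s .. %s, users tried: %s"
              % (ip, entry["attempts"], entry["first"], entry["last"],
                 ", ".join(entry["usernames"])))
        print("\n".join(abuse_excerpt(entry)))
```

Run it over the real access_log (one line per list element) with a threshold that suits the site's traffic; the list of user names tried is what separates a download manager retrying one account, as suggested for the earlier 99-attempt incident, from a wordlist being run against the server.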
Originally posted by Lawrence
We've just had another apparent brute force attack on our software download system, which uses HTAccess. This time, 9998 attempts were made by the same IP address, but all failed. Usernames ranged from things like "member", "visitor" and "private" through to......
Strange, Lawrence... I notice you're in Australia (so am I) and there is no doubt these attacks occur everywhere and on everyone, but the number is virtually exactly the same as an attack we had a couple of days ago... over 9,000.
The damn logfile nearly croaked Eudora on me (because I'm too slack to remember to compress the inbox files until it stops working).
I actually tracked it to a guy who was testing a program that ran through passwords but based also on the fact that so many people create virtual accounts and leave the user name as the first 8 chars of the domain... the usual automatic set up...
Bloody nuisance...
Cheers.
:(
Lawrence 04-20-2001, 05:41 AM I actually tracked it to a guy who was testing a program that ran through passwords
"Testing" he calls it? :D
yes, "testing".... :rolleyes:
this was the message from the culprit after tracking him through IP's and related forums etc....
-----Original Message-----
From: XXXX Design <xxx_xxx@hotmail.com>
To: rug <xxx@xxxx***********>
Date: Tuesday, April 17, 2001 4:13 PM
Subject: Re: umm.. hello
LOL i was just playing with my progs :D
just testing some stuff im learning right now xxx.
dont mind me. im no harm to xxxxxxxxxxx
-xxxx
No remorse whatsoever, couldn't care a rat's bottom about the incident...
I'll stop here in the interests of not revealing my primitive instincts for reprisal....
marcum 04-20-2001, 09:23 PM I guess he wasn't worried about hiding his identity since you found him. :)
Originally posted by marcum
I guess he wasn't worried about hiding his identity since you found him. :)
No, he wasn't too worried, but we didn't go as far as getting his physical address (although we told him otherwise). We took the IPs he used for the 'attack', and scanned through some forums which seem to be a breeding ground for these types, and found a way of 'triangulating' his contact address from there...
Not very effective in stopping him I guess, but no harm was really done, only inconvenience caused (this time).
If he does it again, we will organise to block his IP....
There have been worse..