
03-12-2001, 07:19 AM
|
|
Closed
|
|
Join Date: Oct 2000
Location: Australia
Posts: 538
|
|
We've just had another apparent brute force attack on our software download system, which uses HTAccess. This time, 9998 attempts were made by the same IP address, but all failed. Usernames ranged from things like "member", "visitor" and "private" through to crude language and pornographic references. In some respects, it seems to have been more intended as an annoyance than anything. Last time it was only 99 attempts, and someone on this forum pointed out that it could have just been Gozilla making a download attempt (and that seems by far the most likely case). But this time it was IE that was used.
I'm wondering if there's any course of action that we can take. We know the IP, but is it possible for us to contact our host and somehow ban access from that IP or something? And I'm not really sure if it's a big deal. Nearly 10,000 attempts seems big to me, but for all I know that could just be a petty attack. It may have even been intended as a DoS attack for all I know.
Anyone know much about this sort of stuff? I'm no expert on it.
|

03-12-2001, 05:52 PM
|
|
Retired Moderator
|
|
Join Date: Jan 2001
Posts: 2,603
|
|
Don't have your host ban that IP address. Instead, look up who that IP address belongs to, and ask the company's abuse contact to kill that person's account.
Make sure that you send them the logfile lines corresponding to the attack (or at least, the first five and the last five).
|

03-13-2001, 02:07 AM
|
|
Web Hosting Master
|
|
Join Date: Aug 2000
Posts: 2,750
|
|
Yup. Before you do anything, find out everything you can with the person's IP address. Where he/she lives, what he does, which his ISP is etc etc. And then give the ISP and the local police department a lil visit.
|

03-13-2001, 11:09 AM
|
|
Registered User
|
|
Join Date: Jan 2001
Location: New Jersey
Posts: 190
|
|
Quote:
|
And then give the ISP and the local police department a lil visit.
|
Will the local police even do anything?
|

03-13-2001, 07:22 PM
|
|
Web Hosting Master
|
|
Join Date: Apr 2000
Location: 80,000 feet under the sur
Posts: 2,736
|
|
Quote:
Originally posted by vizi
Quote:
|
And then give the ISP and the local police department a lil visit.
|
Will the local police even do anything?
|
Depends on your local police's willingness to do something about it. Usually a quick visit by the police is enough to deter it.
My local police are just catching up to cyberspace crimes and they're making some inroads.
__________________
My 2 Cents.... (or is that 2.2 cents inc. GST...?)
Have a think about this : Programming is like sex. Make a single little mistake, and you'll be supporting it for the rest of your life.
|

03-14-2001, 02:39 AM
|
|
Closed
|
|
Join Date: Oct 2000
Location: Australia
Posts: 538
|
|
Thanks for the advice.
We have managed to scavenge some info about the person, but not a lot. I'm not too worried anyway, I think it's more of a thing to keep an eye on than rigorously pursue. Of course, if they had gotten in it would have been a different story...
|

03-18-2001, 02:03 PM
|
|
WHT Addict
|
|
Join Date: Sep 2000
Posts: 134
|
|
There is a good software program called neotrace, they even have another one called hacktrace, but it only works for your local machine.
I would research installing an IDS system on your server.
|

04-09-2001, 09:00 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2001
Posts: 65
|
|
If you have a webpage with login and password you can use (with php) a sleep command, like sleep(5).
So when a user enters a wrong password the script waits 5 seconds. A normal user won't notice it, but a hacker trying 10000 logins has to wait at least 10000 * 5 seconds which is almost 14 hours. I don't know if this is possible with htaccess too.
This has not much to do with the topic but it's nice to know, I think.
Erik
|

04-09-2001, 11:26 AM
|
|
WHT Addict
|
|
Join Date: Feb 2001
Posts: 104
|
|
i'm rather doubtful that someone sat down and used IE to guess 9998 times to try to get a valid user/password. the user agent field is probably not reliable in this case
that sleep idea sounds cool... like sandpitting spammers. of course, they could always do 10000 separate http connections instead... but it would surely slow them down. (if they do do 100000 separate http connections, they'll probably do multiple of them simultaneously, which might cause your server's max httpd process limit to be hit...)
__________________
bumping up my number of posts by another one...
|

04-09-2001, 12:00 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2001
Posts: 65
|
|
The best solution of course is to count the invalid logins from each ip and deny it when there were more than x wrong passwords and at the same time use the sleep trick. This makes everything at least a bit more difficult for the average script kiddie.
Oh, I remember there are programs to fill in the form in IE or any other program so they/he/she used IE but of course didn't do it manually.
|

04-11-2001, 03:17 AM
|
|
learning is in the doing
|
|
Join Date: Sep 2000
Location: Alberta, Canada
Posts: 3,109
|
|
Quote:
|
Originally posted by eriky
The best solution of course is to count the invalid logins from each ip and deny it when there were more than x wrong passwords
|
Any idea/suggestions eriky, on how a person would do this?
|

04-11-2001, 04:59 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2001
Posts: 65
|
|
If you can program in php or perl it wouldn't be too hard to make this but I can't explain _exactly_ how to do this. I never wrote such a program so I don't have example code either.
|

04-12-2001, 12:33 AM
|
|
Newbie
|
|
Join Date: Mar 2001
Posts: 18
|
|
I seriously doubt the police could do anything about it even if they wanted to. What's the crime?
If they actually got in and destroyed property maybe.
However if they are from outside the country... or going through proxy servers from all over the world you probably couldn't find them if you wanted to. Especially if they initiated the attack from a hacked account, used a proxy server that deletes log files, etc.
[Edited by marcum on 04-12-2001 at 12:43 AM]
|

04-12-2001, 05:13 AM
|
|
Closed
|
|
Join Date: Oct 2000
Location: Australia
Posts: 538
|
|
This thread seems to be getting some action a month after it died off!
marcum - I'm sure there is some sort of offence involved. If I threw a brick at a shopfront window, it would be more serious if the brick actually broke the window, but still an offence if it didn't. Cracking into a site is a similar sort of thing. I agree that the police couldn't/wouldn't do much though.
I realise it's not the sort of offence that attracts much attention or punishment, if any. Whether it's a "crime", "offence" or just someone being "naughty", it still has potential to do damage, and I think that's the important thing.
eriky - I don't think you couldn't use perl or PHP unless your authentication program was written in them. At least in our case, we use HTAccess. Any idea how to set such options as you suggest in a .htaccess file? Is it even possible?
|
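The per-IP counting of failed logins discussed above can be done from the Apache access log instead of inside a login script, which suits .htaccess authentication where no PHP or Perl runs at login time. This is an added example, not code from any poster in the thread; the log lines, addresses, threshold and window below are constructed assumptions. It also pulls the first five and last five matching lines, as suggested earlier for the abuse report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, user, timestamp, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    return ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def failed_auth_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP with >= threshold 401 responses inside one window to its 401 lines.
    A normal visitor also gets a 401 before the password prompt, hence the threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 401:
            failures[rec[0]].append((rec[2], line))
    flagged = {}
    for ip, hits in failures.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [text for _, text in hits]
                break
    return flagged

def abuse_excerpt(hit_lines, n=5):
    """First n and last n log lines for the report to the abuse contact."""
    return hit_lines if len(hit_lines) <= 2 * n else hit_lines[:n] + hit_lines[-n:]

def sample_log():
    """Constructed sample: 12 failures from 192.0.2.10 in a minute, plus one normal login."""
    base = datetime(2001, 3, 12, 7, 0, 0)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'192.0.2.10 - guess{i} [{t}] "GET /downloads/ HTTP/1.0" 401 401')
    lines.append('198.51.100.7 - - [12/Mar/2001:07:00:30 +0000] "GET /downloads/ HTTP/1.0" 401 401')
    lines.append('198.51.100.7 - alice [12/Mar/2001:07:00:40 +0000] "GET /downloads/ HTTP/1.0" 200 5120')
    return lines
```

The flagged addresses can then be handed to whatever deny mechanism the host provides, and the excerpt attached to the abuse report.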

04-12-2001, 05:43 AM
|
|
Web Hosting Master
|
|
Join Date: Nov 2000
Location: USA
Posts: 1,269
|
|
Quote:
Originally posted by Lawrence
This thread seems to be getting some action a month after it died off!
...
|
What eventually happened with the attacker? Did they keep coming back?
|