Bad guys flooding my web server

hypexr · 09-21-2005, 09:56 PM

I have a little photoblog that I am running from my web server at home. Its using pixelpost software, which is coded in php. There is a page photoblogindex.php?x=xref that shows the top refferals to my site.

There are scripts or worms or something that is continously connecting to my site to move the sites they are advertising up to the top of the list.

I first tried getting rid of the xref page and thought that this would help but when they try to connect to it it just brings up a template page and not a 404 or anything and the bots keep connecting thinking that they are working. This is bogging down my oldtimer of a computer and my internet connection.

I am looking for some advise because I can not figure out what to do. Should I do something with tcp wrappers? Special access rules? Something in apache config? The sites that they are promoting change names all fo the time so blocking certain reffering sites is a constant battle.

Scott

pembo13 · 09-22-2005, 01:41 AM

Could you provide soeme log dumps, and somre more specific data, maybe me or someone here can find a pattern and help you block it.

cs-cam · 09-22-2005, 06:49 AM

So the page they are connecting to no longer exists, ie. a human will never end up there? If so, just auto-ban any address that requests that page.

hypexr · 09-22-2005, 10:13 AM

I like that Idea. how do I do that? Its a php page so it request for the page is like this example.com/index.php?x=ref
Could I make the php page grab the ip address and then write this to a .htaccess file? or is there an easier way?

pembo13 · 09-22-2005, 10:49 AM

Quote:

Originally posted by hypexr
I like that Idea. how do I do that? Its a php page so it request for the page is like this example.com/index.php?x=ref
Could I make the php page grab the ip address and then write this to a .htaccess file? or is there an easier way?

That is a good idea, however, it would still be nice if you provided some data.

To supplement that idea, you might as well lof the ips and put them into the ip ban list.

XavierP · 09-22-2005, 12:53 PM

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

cs-cam · 09-22-2005, 06:46 PM

Have a look here for some code. That page is very helpful for a different but similar problem but some of the same principals apply.

Bruce Hill · 09-22-2005, 10:46 PM

This would probably be considered a bit of a lame way to avoid them, but I have
major hits from Windoze script kiddies trying exploits on my server in China. I just
changed the port from 80 to another port, and since July there have been zero of
those attempts. This does require adding the port to the link, which isn't a problem
as mine is just photos posted for "the folks back home" to view. It did, however,
eliminate the kids who aren't smart enough to do anything more than scan port 80,
and/or use non-intelligent software designed for Windoze. Which freed me up
to spend time on the real bad guys ...

hypexr · 09-22-2005, 10:52 PM

Yeah, changing the port is a good method for avoiding this kind of thing and I need to do it for ssh (these ssh bots are getting crazy also). I don't really want web visitors having to know about ports, though.

I read through all of those examples on your link cs-cam, they will be easy to modify for my situation. I can't wait to get the time to get that going. Thanks!!

slackhack · 09-22-2005, 11:07 PM

you should definitely password protect any page that lists referrers. that's what the bad guys are after, and as long as that's public, you're going to keep getting hit with new ones even if you clear out the current ones. do a google for "referrer spam" to find out more, and about prevention tactics and fixes.

>>edit: the wikipedia entry even has a sample blocking script:

http://en.wikipedia.org/wiki/Referer_spam