Monday, December 29, 2014

The Russians Are Coming! How To Block IP Addresses Of Malicious Users From Accessing Your Websites

Where are all these hits from Russian and Chinese IP addresses on my website coming from?

The Russians are coming! The Russians are coming! No, this isn't something out of Red Dawn (a great movie by the way). This is about those Siberian script kiddies who keep trying to hijack your website. After installing my XAMPP control panel, setting up Apache as my web server, and coding my website in PhpStorm, I was ready to start selling my simple wares. After making a few sales, I noticed a strange trend: 20% of my website traffic was coming from Russia, and 10% from China. Even Kim Jong Un had visited my site from Korea. Upon closer inspection of my Apache server error logs, I noticed (shockingly) that they weren't there to buy my product - those bastards were trying to hijack my website!

What to look for if you think your web server has been hijacked

How do you know if your Apache web server has been hacked? Unfortunately, there is a long list of places to check because hackers have almost as many places to infiltrate as Kim Kardashian. First, we need to determine whether your web server has been infected or hijacked.



Symptoms many hacked servers will show if they've been infected or hacked

  • Netstat shows strange external connections to your computer
  • Google Analytics shows you have visitors from strange lands
  • Your web page takes longer to load than usual
  • You notice a lot of traffic going to your dynamic pages - such as a contact form
  • Traffic spikes at odd times, on odd pages, or at odd hours
  • People contact you complaining about emails from you that you never sent
  • A cloned version of your website appears elsewhere with the contact information changed
  • Your configuration files for Apache, PHP, MySQL or another web application have recently been updated or changed
  • Your log files for PHP or Apache show numerous errors from external IP addresses
  • Bots follow patterns. Perhaps you've noticed that a particular IP address or geo-location is accessing your website at a specific time each day
  • You notice a cron job (a computer task that fires at a specific time) that you didn't authorize or create
  • Google informs you your website has been infected with malware
  • Your web server unexpectedly shuts down, or you can no longer access administrative areas

This list is by no means complete, as a great hacker will often leave little - if any - clues that they were there. I'll continue to update the list as I come across different or new symptoms. Now let's turn our focus to how to fix the problem once we realize our sites have been compromised.
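Several of the symptoms above (errors from external IPs, heavy traffic to dynamic pages, the same address showing up at the same hour every day) can be pulled straight out of the Apache access log. The script below is an added example, not code from the original post: it parses a few constructed combined-format log lines (documentation addresses, not real visitors) and flags the addresses that match those symptoms. The thresholds and the list of "dynamic" file suffixes are assumptions you would tune for your own site.

```python
# Added example (not from the original post): scan constructed Apache
# access-log lines for the symptoms listed above. The sample lines, the
# thresholds and the "dynamic page" suffixes are assumptions for this demo.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2014:03:14:05 +0000] "GET /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2014:03:14:06 +0000] "POST /contact.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2014:03:14:07 +0000] "GET /setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2014:03:14:05 +0000] "POST /contact.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2014:03:14:09 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Dec/2014:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Dec/2014:14:02:30 +0000] "GET /products.html HTTP/1.1" 200 3072 "http://example.com/index.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DYNAMIC_SUFFIXES = (".php", ".cgi", ".pl")  # assumption: what counts as a "dynamic page"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(lines):
    """Aggregate per-IP counters that map onto the symptoms in the article."""
    stats = defaultdict(lambda: {"hits": 0, "errors": 0, "dynamic": 0, "hours": set(), "days": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line: skip it rather than crash
        s = stats[rec["ip"]]
        s["hits"] += 1
        if rec["status"] >= 400:  # 4xx/5xx responses, the "errors from external IPs" symptom
            s["errors"] += 1
        if rec["path"].split("?", 1)[0].endswith(DYNAMIC_SUFFIXES):
            s["dynamic"] += 1
        s["hours"].add(rec["time"].hour)
        s["days"].add(rec["time"].date())
    return dict(stats)


def flag_suspicious(stats, max_errors=2, max_dynamic=3):
    """Return {ip: [reasons]} for the addresses that match one or more symptoms."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["errors"] >= max_errors:
            reasons.append("repeated 4xx/5xx errors (%d)" % s["errors"])
        if s["dynamic"] >= max_dynamic:
            reasons.append("heavy traffic to dynamic pages (%d)" % s["dynamic"])
        if len(s["days"]) >= 2 and len(s["hours"]) == 1:
            # Same hour on several different days: the bot-on-a-schedule symptom
            reasons.append("returns at %02d:00 on %d different days" % (next(iter(s["hours"])), len(s["days"])))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_suspicious(summarize(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

Run it against your real `access.log` by replacing `SAMPLE_LOG.splitlines()` with the opened file. The addresses it flags are candidates to investigate, not proof of a compromise: a legitimate customer who mistypes a URL twice will also produce 4xx errors, so look at what the flagged address actually requested before you block it.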

Techniques You Can Use To Secure Your Website

Any web security professional - or person with a lick of common sense for that matter - will tell you that the best approach to handling your website's security is a multi-tiered approach. That means having multiple levels of AuthN (authentication) and AuthZ (authorization) control built into your server. Each of the following topics represents such a breadth of information that to cover them here would make this article painstakingly long to both read and write. Hence, I'll provide a brief summary of each topic below with a link to a more in-depth article.

Controlling Access To Your Website

  • Set Up a Honey Pot - A 'honey pot' is basically a trap set for malware to fall into and be easily identified. Entire communities have been set up to honey pot and track malware-sponsoring IP addresses. Read this article: how to protect your website with a honey pot to learn more about restricting access to your website.

  • PHP Code - I love turning the tables on referral spammers. I created this elegant little piece of code to turn your website from the hunted into the hunter. Read my article on how to stop Russian referral spam from darodar.com to learn how to easily turn the spammer into the spammee :)

  • .htaccess - Your ironclad gatekeeper. Here's an in-depth article on how to use your .htaccess file to block Russian spam. Apache uses .htaccess files to grant or restrict access to your website based on the end user's IP address. Spam lists are maintained at sites like this one that block Russian and other regional IP addresses that are the biggest perpetrators of spam.
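The three bullets above map onto three gatekeeper checks: a honey-pot form field that only bots fill in, a Referer check for known referral spammers, and an IP blocklist written out as an `.htaccess` fragment. The code below is an added example, not the post's own PHP or the linked articles' code: it implements all three in Python and renders the `.htaccess` in both the Apache 2.4 (`Require`) and 2.2 (`Order`/`Deny`) syntaxes, since the two are not interchangeable. The hidden field name, the sample addresses and the use of darodar.com as the blocked referrer are assumptions for the demo.

```python
# Added example (not from the original post): honey-pot field check,
# referrer blocklist, and .htaccess generation from an IP/CIDR blocklist.
# Field names, sample addresses and the blocked domain are demo assumptions.
import ipaddress
from urllib.parse import urlsplit

# Honey pot: a form field hidden with CSS. Real visitors never see it and leave
# it empty; form-filling bots, which do not render the page, fill it in.
HONEYPOT_FIELD = "website"  # assumption: the hidden field's name in your form


def is_honeypot_tripped(form, field=HONEYPOT_FIELD):
    """True when the hidden field was filled in, i.e. a bot submitted the form."""
    return bool(form.get(field, "").strip())


def referrer_host(referer):
    """Hostname from a Referer header, or '' for a missing/blank one ('-' in the logs)."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def is_blocked_referrer(referer, blocked_domains):
    """True if the referrer host is a blocked domain or a subdomain of one.
    An empty referrer is never blocked: direct visitors and privacy tools send none."""
    host = referrer_host(referer)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def collapse_blocklist(entries):
    """Validate IPs/CIDRs and merge overlapping ones, so a single bad host that is
    already covered by its /24 does not produce a second, redundant rule."""
    v4, v6 = [], []
    for e in entries:
        net = ipaddress.ip_network(e.strip(), strict=False)  # raises ValueError on junk
        (v4 if net.version == 4 else v6).append(net)
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def _render(net):
    """Bare address for a single host, CIDR notation for a range."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen


def build_htaccess(ip_entries, blocked_domains=(), apache24=True):
    """Render an .htaccess fragment: IP denies plus a Referer-based 403 via mod_rewrite."""
    nets = collapse_blocklist(ip_entries)
    lines = []
    if apache24:  # Apache 2.4 mod_authz_core syntax
        lines += ["<RequireAll>", "    Require all granted"]
        lines += ["    Require not ip " + _render(n) for n in nets]
        lines.append("</RequireAll>")
    else:  # Apache 2.2 mod_authz_host syntax
        lines += ["Order Allow,Deny", "Allow from all"]
        lines += ["Deny from " + _render(n) for n in nets]
    if blocked_domains:
        lines.append("RewriteEngine On")
        for d in blocked_domains:
            # Match the domain (or a subdomain) right after the scheme, case-insensitively ([NC]);
            # each RewriteCond applies to the RewriteRule that follows it, which answers 403 ([F]).
            lines.append("RewriteCond %{HTTP_REFERER} ://([^/]*\\.)?" + d.replace(".", "\\.") + " [NC]")
            lines.append("RewriteRule .* - [F]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_htaccess(["203.0.113.7", "203.0.113.0/24"], ["darodar.com"]))
    print(build_htaccess(["198.51.100.9"], ["darodar.com"], apache24=False))
```

Two caveats worth keeping in mind. An `.htaccess` file only governs the directory it sits in and those below it, so put it at the document root if you mean it to cover the whole site. And blocking whole regional ranges, as the spam lists above do, also locks out any genuine customers in those regions; start with the specific addresses your logs actually show misbehaving and widen only if the pattern keeps coming back from the same range.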

3 comments:

  1. Thank you for such a well written article. It’s full of insightful information and entertaining descriptions. Your point of view is the best among many.
    guest posting


Feel free to send along any questions, comments, or hacks you'd like to see :)