Chinese Hacker-Bots attempting to exploit our systems 24/7

asp.net security web-server iis-6 ids

Our sites our constantly under attack from bots with IP addresses resolving to China, attempting to exploit our systems. While their attacks are proving unsuccessful, they are a constant drain on our servers resources. A sample of the attacks would look as such:

2010-07-23 15:56:22 58.223.238.6 48681 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48713 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:23 58.223.238.6 48738 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.6/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48761 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.7/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48784 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.8/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:24 58.223.238.6 48806 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.6.9/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48834 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48857 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:25 58.223.238.6 48886 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48915 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:27 58.223.238.6 48997 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.0/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49023 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.1/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49044 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.2/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:28 58.223.238.6 49072 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.3/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49094 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.4/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:29 58.223.238.6 49122 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.5/scripts/setup.php 400 - Hostname -
2010-07-23 15:56:30 58.223.238.6 49152 xxx.xx.xx.xx 80 HTTP/1.1 GET /phpMyAdmin-2.7.6/scripts/setup.php 400 - Hostname -

They are litterally hitting our servers 24/7, multiple times each second, looking to find an exploit. The IP addresses are always different, so adding rules to the firewall for these attacks only serve as short term solutions before they start up again.

I'm looking for a solid approach to identifying these attackers when the website is served. Is there a programatic way to add rules to IIS upon identifying a IP address or a better way to block these requests?

Any ideas or solutions for identifying and blocking these IP addresses would be very welcomed. Thanks!


Solution 1:

Please don't blacklist entire countries, or even large address blocks.

Consider the implications of these actions. Even blocking a single address could block the connectivity to your site for a significant number of users. It's entirely possible the legitimate owners of the hosts don't know their boxes have been 0wned.

You did show traffic coming "24/7"... but I would ask you to evaluate whether the drain on your resources is really significant (I see three hits a second max from that log snippet).

Do investigate your options. Make sure your servers are indeed hardened, conduct your own vulnerability assessment and review of your site code. Look into per-source rate-limiters, web application firewalls, and the like. Secure your site, preserve your resources, and do what makes sense for your business needs.

I say this as someone whose services used to be regularly blocked by the Great Firewall of China. If your site ends up being good enough, maybe they'll even block their users from getting to you!

Solution 2:

I block entire countries. The Chinese have ONLY purchased a single item from over 3000 of my sites and yet they used to account for 18% of my bandwidth. Of that 18% about 60% of it was bots looking for scripts to exploit.

  • update - After many years I turned off blocking China. I was flooded with real non-bot traffic on a few key terms from Baidu. After about 400,000 hits over a weeks time I made one sale only after I had created a special page in Simplified Chinese. Not worth the bandwidth. I am going back to blocking them.

You could also set up a simple htaccess rule to redirect them to the Chinese version of the FBI every time they look for anything starting with phpmyadmin without case.

Related

GCP - Shared VPC vs VPC Peering among projects - main differences?
Ubuntu: borked my sudoers file, how can I fix it?
How can I determine the power demand of an HP server's power supply under load?
Best way to block a country by IP address?
OpenSSL returns different SSL certificate to that shown by Chrome
Dynamic proxy with nginx based on url param
Limit Apache to a single IP
Max distance for cat5e in 1000Mbps / 1 Gigabit
After upgrading to 2008 R2 Enterprise and installing more RAM, Windows can only see 4.00 GB
HP DL380p Gen8 (p420i controller) I/O oddity on XFS partitions
Non-dot-wildcard (*-foo.example.com) for bind?
SAS vs. Nearline/MDL SAS - What is the difference?