Useless hosting providers


Postby jiml8 » Oct 27th, '18, 02:59

My website came under attack today. Two IP addresses in Austria were making a determined attempt to do what looked like an SQL injection (or a JavaScript injection, which would have to be based on some known vulnerability...) using both my contact form and the credit-card order form. I receive an email for each of these, so I was receiving thousands of emails.

I ssh'ed into the account, and altered my .htaccess files to block them, but it didn't work. I'm not sure why; maybe I got the wrong .htaccess file or maybe it didn't work due to an already established connection. Or maybe some other reason.

So, I tried to set an iptables rule. Oops, no root access and a shared hosting environment.

So I called my hosting provider (Bluehost). They were singularly unhelpful; they would upsell me to a VPS package which would give me root, but they wouldn't do anything else. They seemed to have a problem with the fact that mine is a site that I wrote from end to end in PHP, not a WordPress or Weebly site. Frankly, if it had been one of those, it likely would have been cracked by this attack, but I am security-focused, and my site didn't break.

So, after Bluehost demonstrated a manifest lack of interest in addressing attacks on sites they host, I decided the quickest way to proceed was to directly alter the scripts that were being attacked.

So, I added this line to each script:
if(preg_match('/^185\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_SERVER['REMOTE_ADDR'])) exit; // the dot after 185 must be escaped, otherwise it matches any character

Quick, dirty, and blocks a big chunk of Europe. But effective in stopping the attack.

I suppose the best thing for me to do is to rate-limit access to these forms. Maybe 1 per minute maximum. That will take a bit of work, but I suppose it must be done...unless someone here has a better idea?

In the meanwhile, I considered it worth mentioning that Bluehost is singularly useless in helping their customers mitigate attacks. That is information worth knowing and passing around.
Posts: 1009
Joined: Jul 7th, '13, 18:09
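A regex over the dotted-quad string is a fragile way to express "block this network": one unescaped dot changes what it matches, and it cannot express anything narrower than a whole octet boundary. The following is an added example, not code from the post, showing how the same check looks as a proper CIDR match that a form handler can run before doing anything else. The 185.0.0.0/8 entry reproduces what the post's regex blocks; the /32 entry is a placeholder from the documentation range, because the two attacking addresses are not given in the thread. It uses only REMOTE_ADDR, which the web server sets and the client cannot forge, and deliberately ignores X-Forwarded-For.

```php
<?php
// Added example (not from the original post): CIDR block list for a PHP form handler.
declare(strict_types=1);

/**
 * True if $ip lies inside $cidr ("185.0.0.0/8", "198.51.100.7/32", "2001:db8::/32").
 * A malformed block-list entry throws, so a typo is caught when the script is first
 * loaded instead of silently never matching. A malformed or mismatched-family client
 * address simply does not match.
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$network, $prefixStr] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($network, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("bad network in block list: $cidr");
    }
    $netBin = inet_pton($network);
    $bits   = strlen($netBin) * 8;                       // 32 for IPv4, 128 for IPv6
    $prefix = $prefixStr === null ? $bits : (ctype_digit($prefixStr) ? (int) $prefixStr : -1);
    if ($prefix < 0 || $prefix > $bits) {
        throw new InvalidArgumentException("bad prefix length in block list: $cidr");
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                                    // not an IP at all
    }
    $ipBin = inet_pton($ip);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                                    // IPv4 address vs IPv6 network or vice versa
    }
    // Compare the whole bytes covered by the prefix, then the leftover bits of the next byte.
    $fullBytes = intdiv($prefix, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $prefix % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;                 // e.g. /12 -> 4 bits of byte 2 -> 0xF0
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

// Constructed block list. 198.51.100.7 is a documentation-range placeholder for an
// attacking host; the real addresses are not in the thread.
const BLOCKED_NETWORKS = [
    '185.0.0.0/8',       // what the regex in the post blocks
    '198.51.100.7/32',   // placeholder for a single attacking host
];

function is_blocked(string $ip, array $networks = BLOCKED_NETWORKS): bool
{
    foreach ($networks as $net) {
        if (ip_in_cidr($ip, $net)) {
            return true;
        }
    }
    return false;
}

// At the top of each attacked form handler. REMOTE_ADDR is set by the server; do not
// consult X-Forwarded-For here unless a trusted proxy in front of you sets it.
if (PHP_SAPI !== 'cli' && is_blocked($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit;
}

/** Self-check on constructed inputs; returns true when every case behaves as expected. */
function self_test(): bool
{
    $cases = [
        [true,  is_blocked('185.23.4.5')],
        [false, is_blocked('186.23.4.5')],
        [true,  is_blocked('198.51.100.7')],
        [false, is_blocked('198.51.100.8')],
        [true,  ip_in_cidr('10.15.255.255', '10.0.0.0/12')],   // partial-byte prefix
        [false, ip_in_cidr('10.16.0.0', '10.0.0.0/12')],
        [true,  ip_in_cidr('2001:db8::1', '2001:db8::/32')],
        [false, ip_in_cidr('2001:db9::1', '2001:db8::/32')],
        [false, ip_in_cidr('185.1.1.1', '2001:db8::/32')],     // family mismatch never matches
    ];
    foreach ($cases as [$want, $got]) {
        if ($want !== $got) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    exit(self_test() ? 0 : 1);   // `php blocklist.php && echo ok`
}
```

Keeping the list as CIDR strings means the two offending /32s can be added without widening the block to all of 185.0.0.0/8, and the same function handles IPv6 clients, which the regex never did.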

Re: Useless hosting providers

Postby filip » Oct 27th, '18, 22:15

Ouch. That seems like a nasty brute force script attack.

Did you check the .htaccess changes properly? Some IP spoofing or other trickery might be involved too.

A timeout sounds good, but be careful with IP blocking as that would hurt some legitimate customers. A security question, a CAPTCHA and a better provider could help also.
I've added a timeout after 3 failed attempts which is then doubled each time up to 24 hours on one of the websites I admin. Together with a notice, of course. It's a very dedicated niche website so not a big target, but I have had no issues yet. And that hosting provider is very advanced and helpful too.
Posts: 413
Joined: May 4th, '11, 22:10
Location: Kranj, Slovenia
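The first post asks for a one-submission-per-minute limit on the forms, and the reply above describes a lockout after three failures that doubles each time up to 24 hours. The following is an added example, not code from either poster, that implements both in one per-client throttle suitable for a shared-hosting account: no database and no root, just a JSON state file under a writable directory outside the web root (the path is an assumption) guarded with flock so concurrent requests do not clobber each other. The decision logic is a pure function over the client's record so it can be exercised without touching the filesystem.

```php
<?php
// Added example (not from the thread): per-IP throttle with escalating lockout for PHP form handlers.
declare(strict_types=1);

const THROTTLE_FILE = __DIR__ . '/../private/throttle.json';  // assumption: writable, outside the web root
const MIN_INTERVAL  = 60;           // seconds between accepted submissions from one client
const FREE_FAILURES = 3;            // rejected attempts tolerated before a lockout starts
const BASE_LOCKOUT  = 60;           // first lockout, seconds; doubles on each further attempt
const MAX_LOCKOUT   = 24 * 3600;    // cap on the lockout

/**
 * Decide whether an attempt at time $now from a client with record $rec is accepted.
 * $rec = ['last' => unix time of last attempt, 'failures' => count, 'locked_until' => unix time].
 * Returns [bool accepted, int retryAfterSeconds, array updatedRecord].
 */
function throttle_decide(array $rec, int $now): array
{
    $rec += ['last' => 0, 'failures' => 0, 'locked_until' => 0];

    $locked  = $now < $rec['locked_until'];
    $tooSoon = ($now - $rec['last']) < MIN_INTERVAL;
    if ($locked || $tooSoon) {
        // Every rejected attempt counts, and resets the "too soon" window, so a client
        // hammering the form never gets through by accident.
        $rec['failures']++;
        $rec['last'] = $now;
        if ($rec['failures'] > FREE_FAILURES) {
            $exp = min($rec['failures'] - FREE_FAILURES - 1, 20);   // 0 on the 4th failure; capped to avoid overflow
            $rec['locked_until'] = $now + min(MAX_LOCKOUT, BASE_LOCKOUT * (2 ** $exp));
        }
        $retry = max($rec['locked_until'], $rec['last'] + MIN_INTERVAL) - $now;
        return [false, $retry, $rec];
    }
    // Accepted: a well-behaved client's failure history is cleared.
    return [true, 0, ['last' => $now, 'failures' => 0, 'locked_until' => 0]];
}

/** File-backed wrapper: loads state, applies throttle_decide(), persists. Denies if state cannot be stored. */
function throttle_submission(string $ip, ?int $now = null): array
{
    $now = $now ?? time();
    $fh  = @fopen(THROTTLE_FILE, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return [false, MIN_INTERVAL];          // fail closed: a throttle that cannot remember is no throttle
    }
    $raw   = stream_get_contents($fh);
    $state = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    // Drop records idle longer than the longest possible lockout so the file stays small.
    foreach ($state as $k => $r) {
        if (($r['last'] ?? 0) + MAX_LOCKOUT < $now && ($r['locked_until'] ?? 0) < $now) {
            unset($state[$k]);
        }
    }
    [$allowed, $retry, $rec] = throttle_decide($state[$ip] ?? [], $now);
    $state[$ip] = $rec;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return [$allowed, $retry];
}

// At the top of each form handler, before reading any form fields.
if (PHP_SAPI !== 'cli') {
    [$ok, $retry] = throttle_submission($_SERVER['REMOTE_ADDR'] ?? '');
    if (!$ok) {
        http_response_code(429);
        header('Retry-After: ' . $retry);
        exit('Too many requests; please try again later.');
    }
}

/** Self-check replaying a constructed burst: 1 accepted, 3 free failures, then 60/120/240 s lockouts. */
function self_test(): bool
{
    $rec = [];
    [$ok, , $rec] = throttle_decide($rec, 1000);
    if (!$ok) return false;
    $expect = [1010 => 60, 1020 => 60, 1030 => 60, 1040 => 60, 1050 => 120, 1060 => 240];
    foreach ($expect as $t => $wantRetry) {
        [$ok, $retry, $rec] = throttle_decide($rec, $t);
        if ($ok || $retry !== $wantRetry) return false;
    }
    [$ok, , ] = throttle_decide($rec, 1400);    // lockout (until 1300) has expired, last attempt > 60 s ago
    return $ok;
}

if (PHP_SAPI === 'cli') {
    exit(self_test() ? 0 : 1);
}
```

As the reply notes, any IP-based limit will occasionally catch a legitimate customer behind a shared NAT, which is why the 429 response carries a Retry-After and a visible notice rather than a silent exit.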

Re: Useless hosting providers

Postby jiml8 » Oct 28th, '18, 01:53

I have not looked further into the .htaccess thing.

The main .htaccess file for the site filters for a LOT of scammer/spammer sites and also has a specific "block this IP" section. Long ago, I got that working, tested it, and was satisfied. I have not revisited it since then until this attack. I added the two attacking IP addresses to the "block this IP" section, and it didn't work. So, maybe some change someplace by the hosting service has rendered this file ineffective; at this point I don't know and I am sufficiently busy that I don't want to dig into it.

I don't think the attack was random; it doesn't look like it was. The actual sequence of events was that my credit card form was attacked, and after I blocked it within a few minutes my contact form came under attack. I blocked THAT, then posted the post that heads this thread. Shortly afterward, my PayPal processing form came under attack.

So someone wants into my site.

Now, the organization I work for (my client; I am one of the founders and a part owner) is becoming successful, and given the nature of its business we have been anticipating that we would become high-value targets. We have recent evidence that we are being particularly targeted, and this attack is suggestive.

I have scanned the attacking IPs and both IPs look like they are the same computer. And that computer appears exploitable. So, right now, I am thinking about the fact that with a bit of work I probably could break in. That might be worth doing. If it weren't for the "bit of work" thing, I would already have done it.
Posts: 1009
Joined: Jul 7th, '13, 18:09
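On the "block this IP" section that stopped working: .htaccess is re-read on every request, so an already-open connection does not explain it. Two things a practitioner would check first are that the file sits in the directory holding the attacked scripts (or a parent of it), and which access-control syntax the server accepts. Apache 2.4 replaced the 2.2 Order/Allow/Deny directives with mod_authz_core's Require; the old form only keeps working while mod_access_compat is loaded, and a provider upgrade can drop that. Whether that is what happened on this host is not known from the thread; the fragment below is an added example, not the poster's file, with documentation-range placeholders for the two attacking addresses.

```apacheconf
# Added example (not from the thread). 198.51.100.7 and .8 are placeholders.

# Apache 2.4 syntax (mod_authz_core). Needs AllowOverride AuthConfig (or All) for the directory.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.7 198.51.100.8
    # whole networks work too, e.g.:  Require not ip 185.0.0.0/8
</RequireAll>

# Apache 2.2 syntax (mod_access). Needs AllowOverride Limit (or All).
# Do not mix both forms in one file on a 2.4 server without mod_access_compat.
# Order Allow,Deny
# Allow from all
# Deny from 198.51.100.7 198.51.100.8
```

If AllowOverride is None for the directory, Apache never reads the file and nothing in it takes effect, which is indistinguishable from a block that "didn't work"; a quick test is to put a deliberate syntax error in the .htaccess and see whether the site starts returning 500.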
