We’ve been getting hit with SSH login attempts. Sometimes there were thousands per minute and they slowed the machine to a crawl. So we installed fail2ban and that has slowed the attempts considerably.
Recently one site has been hit with huge numbers of SQL injection attacks (18,000 per day). Right now, I trap them and return a static page.
Here’s what my URL looks like:
/products/product.php?id=1
This is what an attack looks like:
/products/product.php?id=-3000%27%20IN%20BOOLEAN%20MODE%29%20UNION%20ALL%20SELECT%2035%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C%27qopjq%27%7C%7C%27ijiJvkyBhO%27%7C%7C%27qhwnq%27%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35--%20
I know for sure that this isn’t just a bad link or fat-fingered typing so I don’t want to send them to an overview page. I also don’t want to use any resources on my site delivering static pages.
First I get the productID, then check to see if it is a number. If it is, all is good and I skip the rest of this code. If not, they might have an extra space in the URL from copying and pasting, so I give them the benefit of the doubt and strip them out. If productID is still not a number, I send the page not found response and kill the rest of the page load.
    // Default to product 55 when no id is supplied. The escape call is harmless here
    // but adds nothing: anything that passes the numeric check below needs no escaping.
    $productID = (isset($_GET['id']) ? mysql_real_escape_string($_GET['id']) : '55');

    // Attempts have been made to exploit the database with long strings.
    // This stops it without filling up the error log.
    if ( !is_numeric($productID) ) {
        $url = $_SERVER['REQUEST_URI'];
        $ref = $_SERVER['HTTP_REFERER'] ?? '';   // referer is not always sent
        $ip  = $_SERVER['REMOTE_ADDR'];
        error_log("long string in products.php: URL is $url and IP is $ip & ref is $ref");

        // Benefit of the doubt: strip whitespace picked up from copy and paste.
        $productID = preg_replace('/[\s]+/', '', $productID);
        if ( !is_numeric($productID) ) {
            error_log("Still a long string in products.php after replacement: URL is $url and IP is $ip & ref is $ref");
            header("HTTP/1.0 404 Not Found");
            die();   // stop the rest of the page load
        }
    }
The bot thinks that there isn’t a page there and usually goes away. Sometimes it tries a few more times, but not the thousands of times it used to.
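As an added example (not the post's own code), here is the same gate written with filter_var() and a prepared statement: FILTER_VALIDATE_INT rejects values such as "1e3", ".5" or " 7" that is_numeric() accepts, and binding the id means the value never enters the query text. The in-memory SQLite table, the product names and the decoded probe string are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Returns the product id to load, the default 55 when none is given,
// or null when the value is not a plain positive integer (reject with 404).
function resolveProductId(array $query, int $default = 55): ?int
{
    if (!isset($query['id'])) {
        return $default;
    }
    if (!is_string($query['id'])) {     // ?id[]=1 arrives as an array; reject it
        return null;
    }
    // Same benefit of the doubt as the original: drop stray whitespace.
    $candidate = preg_replace('/\s+/', '', $query['id']);
    $id = filter_var($candidate, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as a parameter, so even a non-numeric value could not change the query.
function loadProduct(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Widget'), (55, 'Default product')");

// The probe from the post, URL-decoded the way it would appear in $_GET['id'] (shortened).
$attack = "-3000' IN BOOLEAN MODE) UNION ALL SELECT 35,35,35--";

foreach ([['id' => '1'], ['id' => ' 1 '], ['id' => $attack], ['id' => '1e3'], []] as $query) {
    $id = resolveProductId($query);
    if ($id === null) {
        // Same response as the original: one short log line, 404, stop.
        error_log('rejected non-numeric id: ' . substr((string) ($query['id'] ?? ''), 0, 40));
        http_response_code(404);
        continue;
    }
    $row = loadProduct($db, $id);
    echo $id, ' => ', $row['name'] ?? 'not found', PHP_EOL;
}
```

Truncating the logged value keeps a flood of long probes from bloating the error log, which was the original concern.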