{"id":1585,"date":"2013-02-04T09:20:39","date_gmt":"2013-02-04T17:20:39","guid":{"rendered":"http:\/\/www.wellgolly.com\/?p=1585"},"modified":"2013-12-22T10:17:23","modified_gmt":"2013-12-22T18:17:23","slug":"checking-the-logs","status":"publish","type":"post","link":"https:\/\/www.wellgolly.com\/?p=1585","title":{"rendered":"Checking the logs"},"content":{"rendered":"<p>We\u2019ve been getting hit with SSH login attempts. Sometimes there were thousands per minute and they slowed the machine to a crawl. So we installed <a href=\"http:\/\/www.fail2ban.org\">fail2ban<\/a> and that has slowed the attempts considerably.<\/p>\n<p>Recently one site has been hit with huge numbers of SQL injection attacks (18,000 per day). Right now, I trap them and return a static page.<\/p>\n<p>Here&#8217;s what my URL normally looks like:<\/p>\n<p><code>\/products\/product.php?id=1<\/code><\/p>\n<p>This is what an attack looks like:<\/p>\n<pre><code class=\"smaller preserve-code-formatting\" style=\"overflow: auto; width: auto;\">\n\/products\/product.php?id=-3000%27%20IN%20BOOLEAN%20MODE%29%20UNION%20ALL%20SELECT%2035%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C%27qopjq%27%7C%7C%27ijiJvkyBhO%27%7C%7C%27qhwnq%27%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35--%20\n<\/code><\/pre>\n<p>I know for sure that this isn\u2019t just a bad link or fat-fingered typing, so I don&#8217;t want to send them to an overview page. I also don\u2019t want to use any resources on my site delivering static pages.<\/p>\n<p>First I get the productID, then check to see if it is a number. If it is, all is good and I skip the rest of this code. If not, they might have an extra space in the URL from copying and pasting, so I give them the benefit of the doubt and strip the whitespace out. 
If productID is still not a number, I send a 404 Not Found response and stop the rest of the page from loading.<\/p>\n<pre><code class=\"smaller preserve-code-formatting\">\n\/\/ Default to product 55 when no id is given. This uses the legacy mysql extension;\n\/\/ the is_numeric() check below is what actually keeps bad input out of the query.\n$productID = (isset($_GET['id']) ? mysql_real_escape_string($_GET['id']) : '55');\n\n\/\/ Attempts have been made to exploit the database with long strings.\n\/\/ This stops it without filling up the error log.\nif ( !is_numeric($productID) ) {\n    $url = $_SERVER['REQUEST_URI'];\n    \/\/ The referer header is optional, so default it to avoid an undefined-index notice.\n    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';\n    $ip  = $_SERVER['REMOTE_ADDR'];\n    error_log(\"long string in products.php: URL is $url and IP is $ip &amp; ref is $ref\");\n    \/\/ Give copy-and-paste mistakes the benefit of the doubt: strip any whitespace.\n    $productID = preg_replace('\/\\s+\/', '', $productID);\n    if ( !is_numeric($productID) ) {\n        error_log(\"Still a long string in products.php after replacement: URL is $url and IP is $ip &amp; ref is $ref\");\n        header(\"HTTP\/1.0 404 Not Found\");\n        die();\n    }\n}\n<\/code><\/pre>\n<p>The bot thinks that there isn\u2019t a page there and usually goes away. Sometimes it tries a few more times, but not the thousands of times it used to.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve been getting hit with SSH login attempts. Sometimes there were thousands per minute and they slowed the machine to a crawl. So we installed fail2ban and that has slowed the attempts considerably. Recently one site has been hit with huge numbers of SQL injection attacks (18,000) per day. 
Right now, I trap them and &hellip;<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-1585","post","type-post","status-publish","format-standard","hentry","category-computers"]}