Fun and Games with Hackers: How to Fend Off a Script Kiddie
November 15, 2012 8:54 am
There are two groups who are never welcome to visit my sites: spammers and hackers. Over the years I have developed a number of web sites for clients, and a couple for myself. The spammers are easy; they can be blocked and booted and their ‘bots can be defeated. The hackers are a little more challenging, but they can also be fun to deal with.
My latest site at http://coboldinosaur.com/pages/articles.html was up less than a month when it got its first visit from script kiddie hackers and the fun began.
Yes, fun. The kiddie hackers are amusing, and if you have a site designed to meet the lame script-based attacks of clueless fools, entertaining. A good professional hacker can crack any site. There is no such thing as a hack-proof site, but the pros don’t go after sites unless there is profit to be gained, and most sites don’t have anything they are interested in.
So here comes the amateur hacker: a script kiddie trying to get to my database. They try to connect using all the common paths that could work. Not going to find it that way. I don’t use a common path, or a conventional name for the database and tables, and I have a unique arrangement for user accounts. Even if a hacker manages to work through it and crack a password, they will find themselves in a rubber room or on flypaper. The rubber room bounces them around in a couple of pages with no exit. The flypaper is loaded with worthless stuff that looks interesting. Either one keeps them occupied with time-wasting effort.
A non-conventional design is the first step to security. If you are using common off-the-shelf software and/or widely implemented templates and plugins, you are vulnerable as soon as some idiot finds an exploit and posts it on a hacker site. Here is an example from the PHP topic on Experts Exchange. So you need to add a few twists with some custom code when using off the shelf hacker magnets. I do sites with custom code, so I just use unique architecture for every site.
Step two is detection. I can see exactly what a hacker is doing and trying because I use up to 25 custom logs to report everything that I have decided I want to know about. I don’t have to dig through access logs. If a hacker starts to get too close I just make a change so the path they are on will dead end.
You cannot protect a site unless you know what is going on. All sites have logs; most of them are ignored because they are difficult to analyze. So do your own logging with simple code like this: http://coboldinosaur.com/pages/scripts/Custom_Logging_Site_Events.html. Log everything that is out of the ordinary into a set of custom logs that should be empty unless somebody is trying to mess with you. The logging can be invoked from anywhere, including scripts that come down through the host, not just HTTP requests. It can also be put in daemons or jobs run by cron.
As the dumb kids bounce around my site, they provide information and I can attach variables to their sessions to make tracking easier. If they are stupid enough to use a browser with cookies enabled, I can identify them the second they come on the site even when they are not trying to hack. As long as I can continue gathering information, I let them wander in the wilderness.
That is part three of the security model. Gather information, don’t give it. The last thing you want to do is block an IP while it is still possible to learn more about the hacker and their attack vector. The IP is probably just a proxy and they will switch to another. If you block them, they are aware you have seen them and they may change the attack vector. Instead, get information. The name of the script, referrer, user agent, and the sequence of steps give you additional ways to identify them and what exploit they are trying. With patience you may get enough information to be able to track them even when they do legitimate stuff and are not trying to hide.
You also never want to help them by returning a real error message. A blank page tells them nothing. I like to send a 403 to a hacker for a not-found page, then watch them try to find a way to get to what they think must be good stuff. Every time they try a new wrinkle I have a chance to find out more about them.
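The custom logging and blank-403 handling described above, as an added PHP sketch that is not the author's script: the log file location, the list of probe paths and the session handling are assumptions for the demo.

```php
<?php
// Added example (not the author's own code): record an out-of-the-ordinary
// request in a dedicated custom log and answer with an empty 403 page.
// The log path and the probe-path list below are assumptions for this demo.

const SUSPICIOUS_LOG = __DIR__ . '/logs/suspicious.log'; // assumed location; keep it outside the web root

// Paths this site does not serve at all; any request for them is out of the ordinary.
// Constructed sample list; a real site would list whatever it genuinely does not have.
const PROBE_PATHS = ['/phpmyadmin/', '/admin/', '/wp-login.php', '/db/'];

function logEvent(string $log, string $tag, array $fields): void {
    // One line per event: timestamp, tag, then key=value pairs with line breaks stripped
    $parts = [];
    foreach ($fields as $k => $v) {
        $parts[] = $k . '=' . str_replace(["\r", "\n"], ' ', (string)$v);
    }
    $line = date('c') . "\t" . $tag . "\t" . implode("\t", $parts) . "\n";
    file_put_contents($log, $line, FILE_APPEND | LOCK_EX);
}

function requestLooksLikeProbe(string $path): bool {
    foreach (PROBE_PATHS as $p) {
        if (stripos($path, $p) === 0) { return true; }
    }
    return false;
}

// Entry point: call this from whatever script handles URLs the site does not know.
function handleUnknownRequest(): void {
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    if (!requestLooksLikeProbe($path)) {
        http_response_code(404);   // ordinary typo or stale link: plain not-found
        return;
    }
    logEvent(SUSPICIOUS_LOG, 'probe', [
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '-',
        'path'    => $path,
        'script'  => $_SERVER['SCRIPT_NAME'] ?? '-',
        'referer' => $_SERVER['HTTP_REFERER'] ?? '-',
        'ua'      => $_SERVER['HTTP_USER_AGENT'] ?? '-',
        'session' => session_id() ?: '-',   // non-empty only if a session was started earlier
    ]);
    // A 403 with an empty body: no error detail, nothing for the visitor to learn from.
    http_response_code(403);
    exit;
}
```

The suspicious log stays empty during normal traffic, so anything that lands in it is worth reading.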
Once I have all the information I think I can get, they get a message page. I let them know that I have been tracking their activities and that the next time they attempt to hack I will retaliate. If they try it again they get a response that will crash their computer. Am I going to post that? No, that is something that could be used by morons to attack others. You may notice I am not giving much information on how I track, because that would help the hackers hide; but every transaction requires an exchange of information between the server and whatever they are using for a client. Capture and use the information.
Most script kiddies will stop after three or four failed attempts; if it goes beyond that, you have enough information to respond. Don’t go easy. If you have the skills, download a harmless but very annoying bit of adware. If you can get their real IP or the name of the service provider, then contact the admin, notify them of the hacking, and indicate you will block their netblock and report the IP to all the blacklists if they do not act. Hackers are scum and deserve absolutely no mercy. Service providers that fail to act against hackers using their facilities deserve to be put out of business.
As for the idiots with unsecured open proxies: they are either stupid (no cure for that) or they are maggots enabling criminal activity and protected by corrupt bureaucrats and politicians. Either way, they belong on public blacklists so web site operators can find them and block them.
Is all this worth the effort? Probably not, but it is recreational and educational. It keeps me up to date on what is being tried by the script kiddies and identifies ways I can make my sites more secure.
The best is when I get an email from a throw-away email address whining about how I messed up their computer. That makes my day!
Just in case you missed it, my site is at http://coboldinosaur.com/pages/cdHome.html, and I never pass up a chance to post my link when it is appropriate.
About the author: COBOLdinosaur has been participating on Experts Exchange since 2000. He has amassed close to 4 million points and earned a genius certificate in HTML as well as 11 other certifications.