  1. #1 Just Joined! (Join Date: Mar 2011; Posts: 2)

    [SOLVED] Possible attack- how to stop it?

    Hi All!

    (First post alert- sorry if I step on anyone's toes).

    A fellow poster over on DaniWeb suggested I talk to the experts over here and see if anyone can help me with some problems I've been having with VPS security...

    [Edit- sorry for the lack of hyperlinks- my lack of posts on this forum is preventing me from posting them]

    I have a VPS web server running CentOS with Apache and all the other good web server jazz. The main website hosted on the server is "jettison quarterly [dot] com" (IP: 184.82.106.92). Lately I've noticed (by stumbling across it in a Google search when testing my SEO) that another domain, "42639104591279053 [dot] forth [dot] arraymultisort [dot] info" (or really "any_string [dot] forth [dot] arraymultisort [dot] info"), is apparently forwarding all requests to my IP address. The reason I'm pretty certain they're forwarding and haven't stolen/cloned my site is that if I access that site from home, my home IP address shows up in my access logs.

    I'm fairly certain this is a fledgling attack. Every once in a while my access logs will show something like this (just a sample):

    Code:
    111.164.160.222 - - [23/Mar/2011:06:06:33 -0500] "GET /currentIssue/cover.jpg HTTP/1.1" 200 17424 "http : // 8683227610213234105 . forth . arraymultisort . info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    
    111.164.160.222 - - [23/Mar/2011:06:06:42 -0500] "GET /images/logo.png HTTP/1.1" 200 5556 "http : // 8683227610213234105 . forth . arraymultisort . info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    where that domain seems to be the referrer for style sheets, javascript files, images, etc.

    So the real question is: Is there a way that I can block this site from forwarding itself to my site's IP address and essentially cloning my site?

    I can think of a few reasons why I don't want this happening:
    -The site (after doing some WHOIS searches) is clearly meant for malicious purposes
    -The owner is listed as being in China (although not necessarily a red flag, I've had my fair share of problems with Chinese spiders and the like in the past)
    -In some cases, they're stealing search engine hits
    -Since it began, I've been getting some very strange query strings appearing in my access logs (eg. "?kw=%E4%B8%80%E5%93%81%E6%A5%BC%E8%AE%BA%E5%9D%9B %E6%9C%80%E6%96%B0%E5%9C%B0%E5%9D%80")
    -I don't know who this is and what they're doing.

    It's that last part that makes me the most suspicious- I can't figure out any reason for this to be happening unless there's some kind of spoofing, injection attack, or XSS attack in the works.

    So please enlighten me- does this seem like a real threat I should be concerned about? If so, how do I go about stopping it?

    Thanks much,
    Ty

    PS- Also, just for clarification, I have done a fair amount of Googling for a related problem before I posted here. However, IMO they were fairly feeble searches, the main problem being that I'm not really sure what terms to search for (I don't know if this kind of thing has a name, rather, I don't know what to call it).

    So I'd like to add that any information anyone can provide about the nature of what I've been seeing, whether it's a common type of attack on security, and/or what it's called, would also be appreciated.

  2. #2 reginaldperrin, Linux Newbie (Join Date: Oct 2010; Location: Christchurch, New Zealand; Posts: 122)
    Hmmm...
    I looked at your other posts (via googling the url you posted) and looked at the clone site too.
    As you probably worked out, when you append that string of characters to their url (?kw=%E4%B8%80...), you get a series of Chinese characters which Google translate says is: "Add product House Forum Latest".

    It doesn't appear from what you say or have posted that you are under attack. It appears more that they are simply cloning your site and plagiarising your work, claiming it as their own.

    Not a lot can be done legally; I guess that their (Chinese) authorities won't respond particularly well to any requests you make of them, as it is probably too trivial. Having said that, it wouldn't hurt to attempt to get their own legal system working against them; you never know, it might just work.

    As you can obviously pin-point the GET requests etc, then you can obviously determine the originating IP address. Blocking them will simply cause them to access the site's resources from a different address.
    It might take a small amount of work, but what you can do is redirect requests from those unwanted IP addresses to a bogus set of html pages or resources that has some porno image or text, or whatever you decide.

    My guess is that they won't realise for a while, and whatever benefit they have gained from the plagiarism, will be more than lost.
    It might turn into a bit of a cat-and-mouse game for a short while, and it will require vigilance on your part, but they will give up sooner than you, and target an easier mark.

    Good luck.

  3. #3 Linux User (Join Date: Nov 2008; Location: Tokyo, Japan; Posts: 260)
    I am not a security expert, so I can only speculate.

    But the forwarding site could simply be protecting attackers from identification. So you don't know where they are really coming from, they might just be using an illicit forwarding service that some Chinese mob set up or something.

    If your site doesn't have any information besides usernames and passwords that could be of value to them, and your organization doesn't work with any larger companies that could be the target of an advanced persistent threat (i.e. they aren't planning to use you to get to them), then I wouldn't be too terribly concerned.

    My guess is they are probably pen-testing, trying to find ways of spamming your site, or are simply looking for valid mail addresses to spam.

  4. #4 reginaldperrin, Linux Newbie (Join Date: Oct 2010; Location: Christchurch, New Zealand; Posts: 122)
    You could also put on your own html pages your correct URL, along with an accompanying message saying something like "if the address doesn't read <insert correct url here>, then you are at a fake site for Jettison Quarterly. Click here to go to the correct site <insert correct url link here>".

    If this is on every main page, then readers will quickly determine whether they are in the right place or not.

  5. #5 Just Joined! (Join Date: Jan 2008; Posts: 28)
    There should be a referrer field and we should be able to use that to restrict access to secondary files. This wouldn't be fool-proof because the referrer field could be spoofed. This might be do-able in the access files. It's not especially clean, but have a look at www [dot] linuxhowtos [dot] org [slash] System [slash] referrerspam [dot] htm?ref=news.rdf

    There are other ways, but this looks simplest. Maybe instead of having a blacklist, use a white list and put your server on it and only filter secondary pages (graphics).

  6. #6 Just Joined! (Join Date: Sep 2006; Posts: 11)
    And I'm wondering why this post is here.

  7. #7 Just Joined! (Join Date: Mar 2011; Posts: 2)
    Thanks all, I got it solved

    I combined reginaldperrin and Dustspeck's suggestions into a nifty PHP check that displays a page informing the user that they are at the wrong site (in the case that the correct host is not in the URL).

    Thanks for the great tips and insight,
    Ty

    PS to dwpbike- Sorry if this was in the wrong forum. It might help to suggest a more appropriate forum (or just not say anything at all) instead of not providing anything useful and being a bit of a flamer. Just saying.
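
    The combined check described in #5 and #7 (a whitelist of the site's own hostnames, and a Referer restriction that only applies to secondary files such as images) can be written as a small request filter. The Python/WSGI application below is an added example for this thread, not the poster's PHP, which is not on the page. It serves a "you are not on the real site" page whenever the request arrives under a Host that is not ours, refuses asset requests whose Referer names a foreign host, and lets everything else through. CANONICAL_HOST, ALLOWED_HOSTS and ASSET_PREFIXES are assumptions for the example; the environ dictionaries a WSGI server passes in carry the Host and Referer headers as HTTP_HOST and HTTP_REFERER.

```python
"""Host allowlist plus Referer check for asset paths, as a WSGI app.

Added illustration in Python; the thread's actual fix was a PHP check that is
not shown on the page. Hostnames and path prefixes are assumptions.
"""
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

CANONICAL_HOST = "www.jettisonquarterly.com"                  # assumption
ALLOWED_HOSTS = {CANONICAL_HOST, "jettisonquarterly.com", "localhost"}
ASSET_PREFIXES = ("/images/", "/currentIssue/", "/css/", "/js/")  # assumption

# What a visitor sees if our page was reached through someone else's domain.
# Served with 200 so a transparent proxy relays it unchanged to the visitor.
WRONG_SITE_HTML = (
    "<html><body><h1>You are not on Jettison Quarterly</h1>"
    f"<p>The address bar should read {CANONICAL_HOST}. This copy is being "
    f"served through another domain. <a href='http://{CANONICAL_HOST}/'>"
    "Go to the real site</a>.</p></body></html>"
).encode()


def request_host(environ):
    """Host header without port or IPv6 brackets, lower-cased."""
    raw = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    return (urlsplit("//" + raw).hostname or "").lower()


def referer_host(environ):
    """Lower-cased hostname from the Referer header, '' when absent."""
    ref = environ.get("HTTP_REFERER", "")
    return (urlsplit(ref).hostname or "").lower() if ref else ""


def classify(environ):
    """Return 'serve', 'wrong_host' or 'hotlink' for one request."""
    if request_host(environ) not in ALLOWED_HOSTS:
        # Reached via a hostname we do not serve: the front-end passed its
        # own Host through (this check is blind if the proxy rewrites Host).
        return "wrong_host"
    path = environ.get("PATH_INFO", "/")
    if path.startswith(ASSET_PREFIXES):
        ref = referer_host(environ)
        # An empty Referer is allowed: many clients and privacy settings
        # strip it. A Referer naming another host means our markup was
        # rendered under that host (or the asset is being hotlinked).
        # Referer is client-supplied and can be spoofed, so this is a
        # nuisance filter, not an access control.
        if ref and ref not in ALLOWED_HOSTS:
            return "hotlink"
    return "serve"


def app(environ, start_response):
    """Minimal WSGI application applying the two checks."""
    verdict = classify(environ)
    if verdict == "wrong_host":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [WRONG_SITE_HTML]
    if verdict == "hotlink":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"asset requests must come from our own pages\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"real content would be served here\n"]


def handle(environ):
    """Drive app() the way a WSGI server would; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Stand-alone: python thisfile.py, then browse to http://localhost:8000/
    make_server("", 8000, app).serve_forever()
```

The Host check is the one that actually produced the "wrong site" page the poster ended up with; it only works because the front-end forwards its own hostname, so keep the Referer rule as well for the asset loads, where the browser tells you which domain the page was rendered under.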
