Six Ways a Russian Hacker Attacked My Website
Until today, the "Russian hacker" seemed like a piece of news-hyped fantasy. It turns out that ju...
1) The FTP might not be his. It was pretty easy and common in the past to search for anonymous writeable FTP servers, or FTP servers with leaked credentials (accidentally left in source code on GitHub or elsewhere), and to misuse them as an attack vector.
2) The w;w;w might be an attempt to call the "w" command on Linux, which displays a list of active users. Like here:
user@host:~# w
20:19:41 up 218 days, 13:22, 1 user, load average: 0.09, 0.08, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 111.222.333.444- 20:18 5.00s 0.04s 14.70s mosh-server new -c 256 -s -l LANG=en_US.UTF-8 -l LC_CTYPE=UTF-8 -l LC_ALL=en_US.UTF-8
I've had similar incidents where someone whose IP address indicated they were from Russia tried various of these tactics to access my employer's website via one of the CMS pages. They automate it because automation is easy, and they can try to gain access whilst they sleep. Some of them have so many things to try that it effectively becomes a DoS attack.
Fortunately I have a Web Application Firewall (WAF) in place, and they are able to identify countries by IP (to some limited degree). As we don't do business with Russia for legislative reasons, I was able to block the entire country. It's not something I particularly wanted to do, but they changed IP address once I blocked the one they were coming from.
It's always going to be a game of cat-and-mouse, with people wanting to control as many servers as possible to instigate DDoS attacks, mine cryptocurrency, or steal data.
Fortunately my security was tight, so they all failed, but it is very disquieting that people actually dedicate themselves to this type of thing. Thanks for the follow, by the way :)
What web security steps or configurations do you recommend to keep my website safe? It's coded in PHP.
There are a lot of things you can do. Some basic ones are:
Super helpful!! Thanks ❤😊
Btw I didn't know that sha512 exists 😂😂
<script>alert("haha");</script>
It usually is a good idea to start with a simple payload like "hack_test". Proving you have remote file upload for a less malicious file is a good way to confirm the vulnerability exists before properly exploiting it and uploading say a reverse shell.
As someone who's always been fascinated by cyber-security, but doesn't have any idea of where to start or what to learn, this was fascinating. I liked the fact you showed everything and got straight to the point. These hackers are quite scary when you think about how many potential websites they've compromised.
Well yes, you have to be more careful with the Russians :)
Nice article... I can see that more attacks are always on PHP websites; that's why most developers are now jumping to Go and Python...
The truth is that no website is immune to attacks. It does not depend on the language you use...
It depends on how crafty you are and how you mitigate attacks, just like nastyox1 did.
These days I will share on GitHub the advanced security class I designed for people to use... It takes care of $_POST and $_GET, including providing encryption and preventing XSS too... And it automatically blocks suspicious IPs.
Hey, thanks for sharing all the details of the attack. Even though he didn't use anything especially clever, it's still good to be reminded of what could go wrong.
Being Russian myself, I don't think his nationality has much to do with the contents of your post though ;-)
This post is so nice, thanks for sharing the whole process, useful! And btw, bravo for your monitoring.
This content didn't make me yell. Thanks nastyox for a fresh piece of content.
Good one
Awesome, really valuable information.
Hi @nastyox,
Do you use only PHP or do you have an API with TLS and your application has some SPA on the frontend?
It's not an SPA, but there's a frontend with an internal-facing API which we don't release to the public.
Thanks for the quick reply @nastyox
You should play with some honeypots.
This is exactly what I thought when I noticed the attacks.
Nice
is this you, China?
Wow thanks for the heads up. I've always ignored most of the security concerns now I know.
We were also attacked by Russian hackers using SQL injection.
OMG! This is so scary and also, it seems basic. Even when I was not aware of some of the methods. I guess I will dig a little on cyber security... Thanks for sharing!
grpck & pwck can be used to validate password file integrity.
google.com/amp/s/www.cyberciti.biz....
Just decoupling your website front end from the API can make it better. There will be fewer options for him to capture any secret data.