bwall, Posted May 25, 2012

So I made a bunch of taunting 404 images on my server after I kept getting people checking to see if I had phpmyadmin. I figured I'd share them, and see if anyone else has some good ones.

digip, Posted May 25, 2012 (edited May 25, 2012 by digip)

I took a different approach. Try it on mine, and it sends the request and URL to the FBI. I do however have a funny one for general timthumb searches.

    RedirectMatch temp ^(.+)thumb(.+)php$ http://www.youtube.com/watch?v=iRyF5aP3B7c

bwall (Author), Posted May 25, 2012

> I took a different approach. Try it on mine, and it sends the request and URL to the FBI. I do however have a funny one for general timthumb searches.
>
>     RedirectMatch temp ^(.+)thumb(.+)php$ http://www.youtube.com/watch?v=iRyF5aP3B7c

This got me thinking. Maybe we should make a collective of IPs found vuln scanning us, and block them in Apache, fireBwall, and/or iptables. I already have a long list of people who tried to port scan firebwall.com, who are now dropped from the server. So the idea would be to set up commonly scanned pages that are traps, that send the IP to the others who use the service, possibly via P2P communication. The same with port scans detected. Probably would be a good idea to have a timeout value on the IPs' bans, just long enough for people to update any vulnerable software they are running.

digip, Posted May 25, 2012

ReL1K has a tool called artillery, that auto bans attacks. https://www.secmaniac.com/download/

bwall (Author), Posted May 25, 2012

> ReL1K has a tool called artillery, that auto bans attacks. https://www.secmaniac.com/download/

The port traps are actually pretty easy to implement in iptables. Just add the IP to a list when it syns to the trap port, and set a rule to block any IP on that list. I am a fan of the honeypot approach, as I wrote http://honeyports.sourceforge.net/ a few years back, but what I'm proposing is a cross system P2P block list between trusted peers to stop attacks that your computers might not be vulnerable to, but someone else's could be. Or if they aren't vulnerable to something you are vulnerable to, getting the word to others that they should block communication with that IP. We could easily add a way for artillery to submit to this list. I'm thinking that it would be a daemon running on the machine, that anything with access could write to the "new blocked IP" file, and it would continually check if it had new entries, then upload them, while also managing the P2P communication from the others.

digip, Posted May 26, 2012

The only flaw I see in the P2P model, is one node gets whacked, it propagates to all trusted nodes?? You would need to have a way to prompt each node, to authorize the changes, so it's not automatic. Otherwise, someone who gets on a few trusted nodes could wreak havoc for the rest and bring down the defenses.

bwall (Author), Posted May 26, 2012

> The only flaw I see in the P2P model, is one node gets whacked, it propagates to all trusted nodes?? You would need to have a way to prompt each node, to authorize the changes, so it's not automatic. Otherwise, someone who gets on a few trusted nodes could wreak havoc for the rest and bring down the defenses.

How would they be prompted? If they can only add IPs to be blocked, it would not be very effective at taking down defenses. If a false IP is added, maybe a message signed with an administrative key could be sent out to remove the IP from the list. I guess that would be generated for every P2P net that used it.

digip, Posted May 26, 2012

> How would they be prompted? If they can only add IPs to be blocked, it would not be very effective at taking down defenses. If a false IP is added, maybe a message signed with an administrative key could be sent out to remove the IP from the list. I guess that would be generated for every P2P net that used it.

I see what you are saying now. I thought that it was a trusted list for firewall rules in and outbound that was propagated between nodes. Like if someone blacklisted update servers and white listed their own to propagate rule changes, but if it only blocks failed hack attempts and sends just that list, then that would be fine.

bwall (Author), Posted May 26, 2012

> I see what you are saying now. I thought that it was a trusted list for firewall rules in and outbound that was propagated between nodes. Like if someone blacklisted update servers and white listed their own to propagate rule changes, but if it only blocks failed hack attempts and sends just that list, then that would be fine.

It might be a good idea to have a white list for stopping IPs from getting on the list, but that would be something static I would imagine. So machines can make sure they don't block their update servers.

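The block-list behaviour discussed in the posts above (peers can only add IPs, bans time out, a static whitelist protects update servers, and removal needs a message authenticated with an administrative key), as an added example that is not code from any poster, artillery or fireBwall. The names `SharedBlockList` and `sign_removal`, the 7-day timeout, the demo key, and the use of HMAC-SHA256 in place of a real signature are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

# Assumptions (none of this is from the thread): HMAC-SHA256 over a key held by
# the net's admin stands in for "a message signed with an administrative key";
# the key and the 7-day timeout are constructed demo values.
ADMIN_KEY = b"constructed-demo-key"
BAN_SECONDS = 7 * 24 * 3600


def sign_removal(key, ip):
    """Tag an admin attaches to an 'unblock this IP' message."""
    msg = b"unblock:" + str(ipaddress.ip_address(ip)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SharedBlockList:
    def __init__(self, whitelist, admin_key=ADMIN_KEY, ttl=BAN_SECONDS):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.admin_key = admin_key
        self.ttl = ttl
        self.expires = {}  # ip_address -> unix time at which the ban lapses

    def report(self, ip, now=None):
        """Peer-submitted ban: peers can only add, never a whitelisted IP."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)  # ValueError on malformed input
        if any(addr in net for net in self.whitelist):
            return False
        self.expires[addr] = now + self.ttl
        return True

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        if addr in self.expires and self.expires[addr] <= now:
            del self.expires[addr]  # ban timed out
        return addr in self.expires

    def remove(self, ip, tag):
        """Honour a removal only if the admin tag over that address verifies."""
        expected = sign_removal(self.admin_key, ip)
        if not hmac.compare_digest(tag, expected):
            return False
        return self.expires.pop(ipaddress.ip_address(ip), None) is not None
```

With a shared HMAC key every node that can verify a removal can also forge one, so a real net would use a public-key signature and include a timestamp or nonce so an old removal cannot be replayed.
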
vdub, Posted May 27, 2012

> This got me thinking. Maybe we should make a collective of IPs found vuln scanning us, and block them in Apache, fireBwall, and/or iptables. I already have a long list of people who tried to port scan firebwall.com, who are now dropped from the server. So the idea would be to set up commonly scanned pages that are traps, that send the IP to the others who use the service, possibly via P2P communication. The same with port scans detected. Probably would be a good idea to have a timeout value on the IPs' bans, just long enough for people to update any vulnerable software they are running.

I think it would be funner to make a honey pot. Figure out some way to exploit them when they try. Maybe make a botnet of script kiddies. Could be fun. How hard would it be to use some common exploits that install some kind of malware that we can use to follow where they go, or even use them against each other. It would only affect the people that are obviously trying to hack the site.

digip, Posted May 27, 2012

> I think it would be funner to make a honey pot. Figure out some way to exploit them when they try. Maybe make a botnet of script kiddies. Could be fun. How hard would it be to use some common exploits that install some kind of malware that we can use to follow where they go, or even use them against each other. It would only affect the people that are obviously trying to hack the site.

Depends on your host provider, but more than likely, it would get your account canceled and possibly issues with the law in your jurisdiction. If it was your home machine, maybe not so, but your ISP might see it and block you from getting online. I have always liked the idea of traps though. If you break into my system, I see no reason not to have an offensive-defense setup, but I am not a lawyer, so don't know how that works.

Anton, Posted June 14, 2012

Hahhahah willi wonka one is funny ahaha lol.

xero, Posted June 14, 2012

EPIC LULZ! this is super awesome!

bwall (Author), Posted June 14, 2012

That's what my current 404 is.

digip, Posted June 14, 2012

> That's what my current 404 is.

Yeah, got that last night when I foobared my bookmarks trying to find the decoder page again...lol. Got it worked out now. Found it using badjojo..lol

bobbyb1980, Posted June 14, 2012

I never get tired of hacker cat : ) http://cheezburger.com/4452786432