As a technical writer with a Master's Degree in Computer Science, I share my knowledge and experience for educational purposes to help you.
How Strong Is Your Cybersecurity?
Many companies fail to protect their websites from cyber-attacks, leaving openings that let attackers steal customer data. An extreme example was a 2019 data leak from a Facebook server that exposed personal information on 419 million users [1].
I’ll show you how I implemented a routine on my website to block bots in real-time that are searching for ways to gain entry.
Begin by Monitoring for Hacking Attempts
I have taken the following steps to monitor and stop attacks on my website as they happen. Large corporations and government agencies could protect their servers the same way, yet the steady stream of reports about stolen customer data shows that many do not.
The process is automated: code on the server watches incoming requests for the patterns an attack leaves behind and reacts before the attacker can finish searching.
When I have high traffic from one IP, it could be a hacker trying multiple ways to find a back door for access to data or to install malware. In my case, it's useless for them since I don't have any doorways like that. But they don't know that and try anyway.
Their attempts return a 404 error, meaning they requested a page that does not exist. I watch for repeated 404 errors from the same IP address on paths associated with known vulnerable scripts. That's how I catch them in the act.
The software code I wrote tracks their activity in real-time to determine if they are attempting to hack into my site.
These hackers continue their search with bots that scour the Internet until they find another site with weak security and an open door that allows access.
I capture info such as:
- The visitor's IP address
- The approximate location of that address in the world (IP geolocation)
- The site and page they were looking at before they came to my website (the HTTP referrer)
- The page they were trying to see
- The web browser they were using
- Whatever their User-Agent string reveals about their operating system
How can you make use of that info to block hackers? The trick is to automate it.
Repeated 404 errors from the same IP address indicate possible hacking. When I run a reverse DNS lookup on such an address, the result sometimes reads, "Could be forged: hostname does not exist," meaning the PTR record names a host that does not resolve back to that IP. I find that to be an obvious clue that the visitor is up to no good.
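The check behind that clue is a forward-confirmed reverse DNS lookup: take the host name the PTR record returns, resolve it forward, and see whether the original IP is among the answers. The PHP below is an added example, not code from the article; the resolver functions are passed in as callables so the block can run offline against constructed DNS data (in production you would pass PHP's own gethostbyaddr and gethostbynamel). The sample addresses are RFC 5737 documentation ranges. Note that many residential and cloud addresses legitimately have no PTR record, so treat a "no-ptr" result as supporting evidence rather than proof of a bot.

```php
<?php
// Added example (not the article's own code): forward-confirmed reverse DNS.
// $reverse mimics gethostbyaddr(): returns the host name, or the IP itself when
// there is no PTR record. $forward mimics gethostbynamel(): returns an array of
// IPv4 addresses, or false when the name does not resolve.

/**
 * Returns one of:
 *   'confirmed' - the PTR name resolves back to the same IP
 *   'no-ptr'    - no PTR record at all (the "hostname does not exist" case)
 *   'mismatch'  - a PTR name exists but does not resolve back to the IP (forgeable)
 */
function fcrdns_status(string $ip, callable $reverse, callable $forward): string
{
    $name = $reverse($ip);
    if ($name === false || $name === $ip) {
        return 'no-ptr';
    }
    $addrs = $forward($name);
    if ($addrs !== false && in_array($ip, $addrs, true)) {
        return 'confirmed';
    }
    return 'mismatch';
}

// Constructed sample DNS data (assumed, not real records).
$ptrRecords = [
    '203.0.113.10' => 'crawler.search.example', // PTR and A records agree
    '198.51.100.7' => 'mail.legit.example',     // PTR set, but the name points elsewhere
];
$aRecords = [
    'crawler.search.example' => ['203.0.113.10'],
    'mail.legit.example'     => ['198.51.100.99'],
];
$reverse = fn(string $ip) => $ptrRecords[$ip] ?? $ip;   // no PTR: hand back the IP
$forward = fn(string $host) => $aRecords[$host] ?? false; // unknown name: false

foreach (['203.0.113.10', '198.51.100.7', '192.0.2.44'] as $ip) {
    printf("%-14s %s\n", $ip, fcrdns_status($ip, $reverse, $forward));
}
```

In a live 404 handler, add the status string to the record you log for each miss; a "mismatch" on an address that is also hammering non-existent admin paths is a much stronger signal than either observation alone.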
It's quite easy to write a routine to block hacker bots automatically. I'll explain how to automate the process to block these hackers to stop cyber-attacks. But we need to begin with a review of how to track hacking activity.
How to Track Hacking Activity on a Website
I programmed my website to send me emails of hacker attempts with all the data, so I can see what they are trying to achieve. It's usually a search for back-door access, admin scripts, SQL database scripts, and PHP setup or installer scripts. This type of activity indicates an attempt to gain access to my server through one of these routines.
I notice that these attempts always have IP addresses from foreign countries such as China, Japan, Bangladesh, India, Russia, Brazil, Ukraine, Lithuania, and Jordan. It's rare to catch a hacker from the U.S. Keep in mind that the address only tells you where the bot is running, often a compromised machine or a rented server, not where its operator sits.
Some of these attacks are so vicious they take up a lot of bandwidth, hitting hundreds of non-existent pages in seconds. They are hoping to find a backdoor entry to log in and get vital information.
I keep my customer records offline and not available over the Internet. And I don't have any scripts online that would allow access to any data. But the hackers don't know that, so they try.
You might be wondering why I get hit with these attacks. The fact is that criminals who run the code to do this are not going after any particular person or company. Instead, their bots scan randomly through all IP addresses, so they hit every computer server eventually, and websites run on computer servers.
They eventually will find a business or government website that is easy to penetrate. When they find an insecure website, they can plant executable code to search for useful information such as customer records.
How Hackers Get Access to Website Data
Since I have software to track what hackers are looking for, I discovered a particular targeted search that happens almost every day. Hackers are searching for a file by the name of crossdomain.xml, the cross-domain policy file that Adobe Flash and Microsoft Silverlight clients read before making requests to a site.
I don't have that file on my server, but they keep scanning computers until they find it on any server somewhere. It may be a government installation or a big corporate office computer. Eventually, they find one whose policy allows access from any domain, and then they have a field day: Flash or Silverlight content hosted on the attacker's own site can make requests to that server carrying the victim's browser cookies, so it can read data that was meant only for logged-in users.
I am shocked that so many companies leave a permissive policy file on their websites. And worse, they don't monitor it closely to know who is accessing it. Since I find hackers searching for this every day, I figure it must be quite prevalent. I wonder if some Webmasters don't even realize they have it on their server.
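To show concretely what "permissive" means here, the following added example (not the article's own code, and using two constructed policy files) audits a crossdomain.xml with PHP's SimpleXML extension and reports the settings an attacker is hoping to find: a wildcard allow-access-from, secure="false" on an HTTPS site, wildcard request headers, and a site-control value that honours policy files anywhere on the host. The hardened policy beside it names a single domain and keeps the defaults.

```php
<?php
// Added example (not from the article): audit a Flash/Silverlight crossdomain.xml.
// Requires the SimpleXML extension, which is enabled in most PHP builds.

// Return a list of findings; an empty list means the policy looks tight.
function crossdomain_findings(string $xml): array
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        return ['policy is not well-formed XML'];
    }
    $findings = [];
    foreach ($doc->{'allow-access-from'} as $rule) {
        $domain = (string) $rule['domain'];
        if ($domain === '*') {
            $findings[] = 'allow-access-from domain="*": any site may make requests with the visitor\'s cookies';
        }
        if ((string) $rule['secure'] === 'false') {
            $findings[] = "allow-access-from $domain secure=\"false\": plain-HTTP origins may reach HTTPS content";
        }
    }
    foreach ($doc->{'allow-http-request-headers-from'} as $rule) {
        if ((string) $rule['domain'] === '*') {
            $findings[] = 'allow-http-request-headers-from domain="*": any site may send custom headers';
        }
    }
    foreach ($doc->{'site-control'} as $control) {
        if ((string) $control['permitted-cross-domain-policies'] === 'all') {
            $findings[] = 'site-control permitted-cross-domain-policies="all": policy files anywhere on the host are honoured';
        }
    }
    return $findings;
}

// Constructed sample: the kind of policy the scanners are hunting for.
$weakPolicy = <<<'XML'
<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
XML;

// Constructed sample: the hardened form (www.example.com is an assumed name).
$tightPolicy = <<<'XML'
<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
XML;

foreach (['weak' => $weakPolicy, 'tight' => $tightPolicy] as $label => $policy) {
    $findings = crossdomain_findings($policy);
    echo "$label policy: " . (count($findings) ? count($findings) . " finding(s)" : 'no findings') . "\n";
    foreach ($findings as $f) {
        echo "  - $f\n";
    }
}
```

If you do not serve Flash or Silverlight content, the safest policy file is none at all, and a request for /crossdomain.xml then becomes one more 404 for the tracker described later in this article.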
While monitoring cyber-attack attempts on my site, I also see many bots searching for a way in through WordPress.
I don’t use WordPress. Instead, I write my own code. But hackers don’t know that either, and their bots merely search for known WordPress vulnerabilities anyway.
About 70% of WordPress installations are missing security updates or run outdated, vulnerable versions, and hackers take advantage of that to steal data. That statistic is from a study by Sandro Gauci, CEO of EnableSecurity [2].
How to Block Hackers and Stop Cyber Attacks
This section is for web programmers who want to implement the code on their site.
Make a 404.php file and configure the web server to serve it whenever someone requests a page that does not exist (on Apache, ErrorDocument 404 /404.php in the server configuration or in .htaccess). That method will also capture bots that go around the Internet searching for backdoor scripts that allow access, because every miss passes through your script.
Make the page display a friendly error telling a legitimate visitor that they stumbled upon a non-existent page. Include options to find their way around your website.
Now for the critical part:
Write PHP code that monitors hacker attacks. The method is to keep track of how many requests ended in a 404 error from the same IP address within a specified time window (say 30 seconds).
If more errors occur than is reasonable for a human, it is most likely a cyber-hacker bot. Examine the requests for paths that include SQL, admin, crossdomain, login, scripts, setup, and anything else that could provide a method of access to a hacker.
If there is a match, you can treat the visitor as a hacker. Ordinary users do not look for these types of scripts and collect continuous 404 errors while searching. The legitimate exceptions are search-engine crawlers following stale links and any security scanner you have authorized, so keep a short list of addresses that the routine must never block.
The next step of the PHP routine is to capture the following data from the request (in PHP, from the $_SERVER array):
- The HTTP referrer (HTTP_REFERER, where they came from; client-supplied and easily forged)
- The redirect status (REDIRECT_STATUS, the 404 that Apache recorded before handing the request to your error page)
- The HTTP user agent (HTTP_USER_AGENT, browser info; also client-supplied)
- The server signature (SERVER_SIGNATURE, which describes your own web server rather than the visitor, but is useful context in a report)
- Any other data you might want to track
Write additional PHP code that blocks that IP address. On an Apache server you do that by writing a deny rule to the .htaccess file: a Deny from line on Apache 2.2, or a Require not ip line inside a RequireAll block on Apache 2.4. Apache re-reads .htaccess on every request, so the block takes effect within milliseconds of the write. Be aware of the trade-off: for PHP to write that file, the web-server user must have write access to it, and any file-write bug in your site then becomes a way to rewrite server configuration. Keep the file's permissions as tight as possible, or have the script only record the address and let a privileged process apply the block with a firewall rule.
As an additional benefit, you can include PHP code to send the details of the attempt to an administrator's email address for follow-up, or write them to a report file you can review at any time.
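The steps above fit in one script. What follows is an added example written for this article, not the author's own 404.php: it assumes PHP 7.4 or later on Apache 2.4 with ErrorDocument 404 /404.php in effect, and it assumes the web-server user may write the three files named at the top (the state file, the log, and .htaccess itself, with the caveat about that just discussed). File names, the 30-second window, the ten-miss threshold and the probe keyword list are all assumptions you would tune for your own site.

```php
<?php
// 404.php: added example for this article, not the author's own code.
// Assumes PHP 7.4+ on Apache 2.4 with "ErrorDocument 404 /404.php", and that
// the web-server user may write the three files named below (see caveats).

const STATE_FILE  = __DIR__ . '/404-state.json'; // assumed: recent 404 times per IP
const LOG_FILE    = __DIR__ . '/404-hits.log';   // assumed: one JSON record per miss
const HTACCESS    = __DIR__ . '/.htaccess';      // assumed: deny rules are written here
const WINDOW_SECS = 30;                          // window suggested in the text
const MAX_MISSES  = 10;                          // assumed: more 404s than a person clicks in 30 s
const PROBE_WORDS = ['sql', 'admin', 'crossdomain', 'login', 'script', 'setup',
                     'phpmyadmin', 'wp-', '.env', '.git'];   // assumed list
const NEVER_BLOCK = ['127.0.0.1'];               // assumed: your own monitoring hosts

function client_ip(): string
{
    // REMOTE_ADDR is the TCP peer. X-Forwarded-For is attacker-controlled unless
    // a proxy you operate sets it, so it is deliberately not consulted here.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function looks_like_probe(string $path): bool
{
    $p = strtolower($path);
    foreach (PROBE_WORDS as $w) {
        if (strpos($p, $w) !== false) {
            return true;
        }
    }
    return false;
}

// Record one miss for $ip and return how many it has made inside the window.
function record_miss(string $ip, int $now): int
{
    $fh = fopen(STATE_FILE, 'c+');
    flock($fh, LOCK_EX);                       // bursts arrive concurrently; serialise updates
    $raw   = stream_get_contents($fh);
    $state = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    $cut   = $now - WINDOW_SECS;
    foreach ($state as $k => $times) {         // forget IPs with nothing recent
        if (empty($times) || max($times) <= $cut) {
            unset($state[$k]);
        }
    }
    $hits   = array_values(array_filter($state[$ip] ?? [], fn($t) => $t > $cut));
    $hits[] = $now;
    $state[$ip] = $hits;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return count($hits);
}

// Rewrite the marker-delimited block in .htaccess so it lists every blocked IP.
// Apache 2.4 only accepts negated Require rules inside <RequireAll>; on Apache 2.2
// the equivalent would be one "Deny from $ip" line per address.
function block_ip(string $ip): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return;                                // never write unvalidated input into server config
    }
    $fh = fopen(HTACCESS, 'c+');
    flock($fh, LOCK_EX);
    $conf = stream_get_contents($fh);
    $ips  = [];
    if (preg_match('/# BEGIN autoblock\n(.*?)# END autoblock\n/s', $conf, $m)) {
        preg_match_all('/Require not ip (\S+)/', $m[1], $found);
        $ips  = $found[1];
        $conf = str_replace($m[0], '', $conf);
    }
    $ips   = array_unique(array_merge($ips, [$ip]));
    $block = "# BEGIN autoblock\n<RequireAll>\n    Require all granted\n";
    foreach ($ips as $b) {
        $block .= "    Require not ip $b\n";
    }
    $block .= "</RequireAll>\n# END autoblock\n";
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, rtrim($conf) . "\n" . $block);
    flock($fh, LOCK_UN);
    fclose($fh);
}

function handle_404(): void
{
    $ip     = client_ip();
    $path   = $_SERVER['REQUEST_URI'] ?? '';   // the URI that produced the 404
    $now    = time();
    $misses = record_miss($ip, $now);
    $record = [
        'time'    => date('c', $now),
        'ip'      => $ip,
        'path'    => $path,
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',     // client-supplied, easily forged
        'status'  => $_SERVER['REDIRECT_STATUS'] ?? '',  // "404" when Apache invoked us via ErrorDocument
        'agent'   => $_SERVER['HTTP_USER_AGENT'] ?? '',  // client-supplied, easily forged
        'misses'  => $misses,
    ];
    file_put_contents(LOG_FILE, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);

    if ($misses >= MAX_MISSES && looks_like_probe($path) && !in_array($ip, NEVER_BLOCK, true)) {
        block_ip($ip);
        // mail('admin@example.com', "Blocked $ip", json_encode($record)); // optional alert; address assumed
    }
    http_response_code(404);
    // Never echo $path back unescaped: a 404 page that reflects the URL is a classic XSS sink.
    echo '<h1>Page not found</h1><p>Try the <a href="/">home page</a> or the site search.</p>';
}

handle_404();
```

Two configuration details decide whether this works at all: .htaccess needs AllowOverride FileInfo for the ErrorDocument line and AllowOverride AuthConfig for the RequireAll block, otherwise Apache ignores them silently. Also remember that one IP address can be many people behind a carrier NAT or a corporate proxy, so keep the block list short-lived and review the log before making any entry permanent.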
A Central Database of Hacker IP Addresses Is Strongly Needed
It would be helpful to share the IP addresses collected from hackers with the other servers you operate so they can block the discovered hackers too.
With this method, a scanning bot is stopped in real time, before it finds anything it can use to compromise the server. If it comes back from a different IP address, that address has to trip the same threshold before it is blocked as well, so the bot gets a few hundred milliseconds of probing rather than a free run.
Another way to enhance this implementation is to send hackers' IP addresses to a central database. I think the United States Cyber Command would be just the right place for that!
There presently are several sites where you can report hackers. Even the FBI has an online Internet Crime Complaint Center (IC3) that accepts reports of computer intrusions and hacking [3]. However, the data has to be entered by a human, and it's time-consuming. I wish webmasters could use an API to send data there in real time as it happens, but the site doesn't provide an interface to do that.
I think all Webmasters need to work together to control cybercrime. Then, they can shut the door to these attacks, and the Internet can be more secure for us all.
1. Priyanshu Sahay (April 4, 2021). "Facebook Data Hacked – 500 Million Accounts Leaked Online." HackersOnLineClub.com
2. Wayne Mullins (January 2, 2020). "How to increase security while developing a WordPress site." UpdraftPlus
3. FBI Internet Crime Complaint Center (IC3)
© 2011 Glenn Stok