How to Stop Cyber Hacker Attacks on Your Website
I have taken steps to monitor and stop hacker attacks in real-time on my website. I wonder why large corporations and government agencies can't protect their computers too?
In May 2011, the following companies notified me that a hacker stole my personal info from their computers: Best Buy, Citigroup, Home Depot, Capital One, and JC Penney.
There are ongoing reports of data that is compromised on large corporate and government computer systems. Sears and Kmart reported a data breach in 2017. Even the Equifax credit reporting agency was attacked in July 2017.
I was wondering how all these companies I do business with had failed to protect my data.
With this combined data, Epsilon probably knows more about you than any individual company. Just imagine that in May of 2011, all your personal information that was on their database got out to hackers.
May 2011 Cyber Attack on Citibank and Others
According to Reuters, 360,000 Citigroup accounts were hacked in the May cyber attack. Citibank should know how to protect their clients' data from cyber threats. They have the resources, but they don't know how to fix it. A simple monitoring algorithm, as I do, would have stopped it before 100 hacks, not 360,000.
Those warning notices assured me that the breach did not include critical data required to commit fraud. However, that didn’t leave me with any secure feeling. Steal a little from one firm, more from another, and before you know it, they have all the data required to steal my identity.
I monitor my credit activity with a monitoring firm, so if someone were to apply for a loan in my name, they would notify me immediately. Therefore, I’m not worried for myself, but these ongoing cyber-attacks make me wonder how these big corporations can be so lacking with security.
In June 2011, a hacker group broke into a publicly allocated portion of the Senate's website. Luckily, they were stopped from getting into an internal part of the network by the site's firewall. (Source: reuters.com).
Google Got Hacked Too
Even Google was hacked! In June 2011, hundreds of Gmail accounts were compromised by a hacker in China. Some of them belonged to U.S. Government officials. (Source: Washington Post).
We have to ask ourselves how safe our privacy is if all these trusted companies were hacked at the same time. They evidently do not have strong enough defenses in place to catch and trap cyber attacks.
They can block hackers in real-time, but I don't see that anyone is doing enough to implement that safety measure. Computer systems that are online with the Internet need to have better controls in place to keep hackers from getting through. They are continuously trying.
Processes need to be implemented that block predators the instant their attack is apparent.
How I Protected My Website
I have taken additional steps with my business website. I wrote some code to monitor and discover cyber attacks that seek to compromise security.
You might be familiar with the page on websites that tells you that you've reached a non-existent page. It's known as a 404 error page. If you click on a link to a page that no longer exists, or if you mistype a URL, you will get that 404 error.
I went a step further with my website by creating real-time monitoring of hacking attempts on my server. I wrote software for a 404 error routine that captures information about the visitor who got a 404 error.
I capture info such as
- the visitor's IP address,
- their location in the world,
- the site and the page they were looking at before they clicked to my website,
- the page they were trying to see,
- the web browser they were using,
- and even some of their system information.
A large number of simultaneous 404 errors from the same IP address indicates possible hacking. I look up their DNS authenticity, and sometimes that indicates, “Could be forged: hostname does not exist.” I find that to be an obvious clue that the visitor is up to no good.
I wonder how many big companies monitor their web traffic in real-time for security reasons? If I can do it, so can they—and they should.
Now I know what you're thinking. How can I make use of the info to block the hacker?
The trick is to automate it. I like to get notified in real-time via email to know what's going on with my website. However, telling a human being is not necessary. It's quite easy to write a routine to block hacker bots automatically. I'll explain a little later how to automate the process to stop hackers in their tracks. It's technical, so I'll leave it for last.
How to Find Out What Hackers Are Up To
Since I programmed my website to send me emails of hacker attempts with all the data, I get to see what they are trying to achieve. It's usually a search to find back door access, admin scripts, SQL database scripts, and PHP setup code. This activity indicates an attempt to gain access to our server through one of these routines.
I'm noticing that these attempts always have IP addresses from foreign countries such as China, Japan, Bangladesh, India, Russia, Brazil, Ukraine, Lithuania, and Jordan. It’s rare for me to catch a hacker from the U.S.
Some of these attacks are so vicious they take up a lot of bandwidth, hitting hundreds of non-existent pages in a matter of seconds. They are hoping to find one that is a back door entry to log in and get vital information from the rest of the server.
I don't have any scripts online that would allow access to my data, but the hackers don't know that. Some scripts they are searching for allow them to plant executable code to search for things like customer records.
They are just using bots to scan every computer in the world, or in a selected country. Anyway, I keep my customer records offline with no connection to the Internet in any way whatsoever.
The hackers are doing this across the web. Eventually, they find a computer server where they can get in, and sometimes they find something useful.
How Companies Allow Access to Their Data Without Knowing It
Since I wrote code to send me emails showing what these hackers are looking for, I have discovered a particular targeted search that happens almost every day. Hackers are looking for a file by the name of crossdomain.xml.
I don’t have that file on my server, but they keep scanning computers until they find it on some server somewhere. It may be a government installation or a big corporate office computer. Eventually, they find one that has this file, and once they do, they have a field day collecting data.
I am shocked that so many websites use this without monitoring it closely. That is the only reason why hackers are searching through all sites until they find it. I feel that since I get hackers searching for this every day, it must be quite prominent. I wonder if some Webmasters have it on their server and don’t even realize it.
How to Stop Hackers in Their Tracks with Cyber Attack Blocking
This last section is for Webmasters. Anyone else who's interested can follow along to get the gist of what I'm about to explain. I'll explain it in plain English so anyone can understand it.
I'm not going to show the code I wrote for my site, and it's not for sale either, but I will explain what needs to be done. Programmers and webmasters will understand this.
Make a 404.php file and specify that to be the page to display when someone clicks to a non-existent page or enters a non-existent page in their browser. That method will also capture bots that go around the Internet searching for back doors. Back doors are scripts that allow access.
Make the page display a friendly error telling a legitimate visitor that they stumbled upon a non-existent page. Include options to find their way around your website.
Now for the critical part:
Write PHP code that monitors hacker attacks. The method is to keep track of how many requests ended up with 404 errors from the same IP address within a specified time—say 30 seconds.
If more errors occur than is a reasonable number for a human, then it is most likely a cyber hacker bot. Examine the requests for files that include SQL, admin, crossdomain, login, scripts, setup, and anything else that could provide a method of access to a hacker.
If a match is found, then you can safely assume this is a hacker. No one else would be looking for access scripts and getting continuous 404 errors while searching.
The next step of the PHP routine is to capture
- the HTTP referrer (where they came from),
- the redirect status (status code),
- the HTTP user agent (browser info),
- the server signature (webserver info),
- and any other info you might want to track.
Write additional PHP code that blocks that IP address. On an Apache server, you do that by adding a deny record to the .htaccess file. That's the trick to block the hacker, and it'll be done in milliseconds.
You can also include PHP code to send the details of the hacker attempt to an administrator's email address for follow-up. You can also post the info to a report file that can be printed later for review.
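The steps above, from the custom 404 page through the per-IP counter, the filename check, the captured visitor details, the .htaccess deny record, the email and the report file, fit in one handler. The 404.php below is an added example written for this article, not the author's own code (which the article says is not published). It assumes PHP 7.4 or later, Apache access control in the 2.2 style (`Deny from`), a line `ErrorDocument 404 /404.php` in the web root's .htaccess, a directory `../private/` outside the web root that PHP can write to, and the placeholder address `webmaster@example.com` replaced with a real one; the threshold of 10 errors per 30 seconds and the `NEVER_BLOCK` list are assumptions to tune for your own site.

```php
<?php
// 404.php: added example of the handler the article describes (not the author's code).
// Assumed setup: Apache with "ErrorDocument 404 /404.php" in the web root's .htaccess,
// a ../private/ directory outside the web root that PHP can write, and a real admin address.

const WINDOW_SECONDS     = 30;   // the article's time window
const MAX_404_PER_WINDOW = 10;   // assumed threshold; a human rarely hits 10 dead links in 30 s
const STATE_FILE   = __DIR__ . '/../private/404-hits.json';  // assumed path
const REPORT_FILE  = __DIR__ . '/../private/404-report.log'; // assumed path
const HTACCESS     = __DIR__ . '/.htaccess';
const ADMIN_EMAIL  = 'webmaster@example.com';                 // placeholder
const NEVER_BLOCK  = ['127.0.0.1', '::1'];                    // add your own admin IPs here

// Name fragments the article lists as what the probes look for.
const SUSPICIOUS = ['sql', 'admin', 'crossdomain', 'login', 'scripts', 'setup'];

function requestedPath(): string
{
    // Apache hands the originally requested URL to an ErrorDocument handler in REDIRECT_URL.
    $uri = $_SERVER['REDIRECT_URL'] ?? $_SERVER['REQUEST_URI'] ?? '';
    return strtolower((string) parse_url($uri, PHP_URL_PATH));
}

function looksLikeProbe(string $path): bool
{
    foreach (SUSPICIOUS as $fragment) {
        if (strpos($path, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

// Remember this 404 for $ip and return [total 404s, probe-like 404s] inside the window.
function recordHit(string $ip, bool $probe, int $now): array
{
    $fh = fopen(STATE_FILE, 'c+');
    if ($fh === false) {
        return [0, 0];
    }
    flock($fh, LOCK_EX);                       // concurrent 404s must not clobber the file
    $state  = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];
    $cutoff = $now - WINDOW_SECONDS;
    foreach ($state as $addr => $hits) {       // expire entries older than the window
        $state[$addr] = array_values(array_filter($hits, fn($h) => $h[0] > $cutoff));
        if ($state[$addr] === []) {
            unset($state[$addr]);
        }
    }
    $state[$ip][] = [$now, $probe];
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    $probes = count(array_filter($state[$ip], fn($h) => $h[1]));
    return [count($state[$ip]), $probes];
}

// The details the article captures: referrer, redirect status, user agent, server info.
function visitorDetails(string $ip, string $path): array
{
    return [
        'time'    => gmdate('c'),
        'ip'      => $ip,
        'path'    => $path,
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',
        'status'  => $_SERVER['REDIRECT_STATUS'] ?? '',
        'agent'   => $_SERVER['HTTP_USER_AGENT'] ?? '',
        'server'  => $_SERVER['SERVER_SOFTWARE'] ?? '',
    ];
}

function blockIp(string $ip): void
{
    // Only a validated literal IP is ever written into .htaccess, and never our own.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || in_array($ip, NEVER_BLOCK, true)) {
        return;
    }
    $line    = "Deny from $ip\n";
    $current = @file_get_contents(HTACCESS) ?: '';
    if (strpos($current, $line) === false) {
        file_put_contents(HTACCESS, $line, FILE_APPEND | LOCK_EX);
    }
}

$ip    = $_SERVER['REMOTE_ADDR'] ?? '';   // the TCP peer address, not a client-supplied header
$path  = requestedPath();
$probe = looksLikeProbe($path);
[$total, $probes] = recordHit($ip, $probe, time());

// Too many 404s for a human AND at least one request for an access script: treat as a bot.
if ($total > MAX_404_PER_WINDOW && $probes > 0) {
    $details = visitorDetails($ip, $path);
    file_put_contents(REPORT_FILE, json_encode($details) . "\n", FILE_APPEND | LOCK_EX);
    blockIp($ip);
    mail(ADMIN_EMAIL, "Blocked $ip after $total 404s in " . WINDOW_SECONDS . 's', print_r($details, true));
}

// The friendly page a legitimate visitor sees, with a way back into the site.
http_response_code(404);
header('Content-Type: text/html; charset=utf-8');
echo '<!DOCTYPE html><title>Page not found</title><h1>Page not found</h1>',
     '<p>That page does not exist. Try the <a href="/">home page</a> or <a href="/sitemap.html">site map</a>.</p>';
```

Two points worth checking before deploying something like this: `Deny from` is Apache 2.2 syntax and on Apache 2.4 only works with mod_access_compat loaded (the 2.4 equivalent is a `Require not ip` line inside a `<RequireAll>` block), and because the web server must be able to write the .htaccess file for the block to take effect, keep that file's permissions as tight as possible and review it periodically, since anything written there is executed as configuration on every request.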
A Central Database of Hacker IP Addresses Is Strongly Needed
Imagine if everyone would share their hacker’s IP address with other field office computers so they can block any discovered hackers too. The possibilities are endless.
With this method, cyber hackers can be stopped in real-time before they succeed with getting through and compromising a server. If they try again from a different IP address, that too will be blocked in real-time. They won't have a chance!
I have other ideas to enhance this implementation, such as developing a way to send hackers' IP addresses to a central database. The United States Cyber Command for Cybersecurity is just the place for that! How about it?
There presently are several sites where you can report hackers. Even the FBI has a “File a Complaint” link on their website for this purpose. But the data has to be entered by a human and it's time-consuming. I wish I could just let the code I wrote interface with something like that when it happens.
I think all Webmasters need to work together to control cybercrime. The door can be shut to these attacks, and the Internet can be much more secure for us all.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2011 Glenn Stok