Reporting Attack(s) to the ISP of Origin

If you have a good set of log files, then reporting the attack is not only easy, it's a very good idea. For example, imagine that your site is being attacked fairly frequently by a specific IP address. So far, the attacker has been unsuccessful, yet these attacks are eating up a lot of your resources because you have to check, verify, and review the logs.

Now, assume that you see the following in the log files:

64.XXX.XXX.XXX - - [23/Jan/2011:01:15:49 -0400]
"GET /?option=com_someExtension&Itemid=12&
task=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP/1.1" 410 296 www.yourdomain.com "-" "libwww-perl/5.834" "-"

This is an attempt to break into a Joomla! site by attacking a vulnerable and popular extension. In this case, the site had already upgraded this third-party extension because of a published vulnerability. Yet, the bad guy doesn't know that, and continues to shake the virtual doorknob, hoping to get in. The action here is to block the IP address and report it.

You have all the information you need to report the attempted attack. The steps are simple:

  1. Locate the ISP who provides the IP address (which, for this example, is shown as 64.xxx.xxx.xxx).
  2. Package up enough of the logs to make a case that you are being attacked.
  3. Write a polite e-mail to report the incident(s) to the ISP.
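
One way to carry out step 2, as an added example that is not from the book: it pulls one address's traversal requests out of an access log and summarizes them for the report. It assumes the log layout shown above; the function names and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Layout shown above: ip - - [time] "request" status bytes vhost "referer" "agent" "-"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?P<vhost>\S+) "[^"]*" "(?P<agent>[^"]*)"')

def is_traversal(request):
    """True when the decoded request carries ../ sequences or a NUL byte."""
    decoded = unquote(unquote(request))  # decode twice to catch double encoding
    return "../" in decoded or "\x00" in decoded

def build_evidence(lines, offender):
    """Collect the offender's traversal requests and summarize them for the ISP."""
    hits = []
    for raw in lines:
        m = LINE.match(raw)
        if m and m["ip"] == offender and is_traversal(m["req"]):
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, m["agent"], raw.strip()))
    if not hits:
        return None  # nothing to report for this address
    hits.sort(key=lambda h: h[0])
    return {
        "ip": offender,
        "count": len(hits),
        "first_seen": hits[0][0].isoformat(),   # keeps the UTC offset for the ISP
        "last_seen": hits[-1][0].isoformat(),
        "agents": sorted({h[1] for h in hits}),
        "excerpt": [h[2] for h in hits],         # unmodified log lines as evidence
    }

# Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
def _line(ip, ts, path, status=410):
    return (f'{ip} - - [{ts} -0400] "GET {path} HTTP/1.1" {status} 296 '
            'www.yourdomain.com "-" "libwww-perl/5.834" "-"')

_BAD = "/?option=com_someExtension&Itemid=12&task=../../../proc/self/environ%00"
SAMPLE = [
    _line("203.0.113.7", "23/Jan/2011:01:15:49", _BAD),
    _line("198.51.100.20", "23/Jan/2011:01:16:02", "/index.php", 200),
    _line("203.0.113.7", "23/Jan/2011:01:17:10", "/index.php", 200),
    _line("203.0.113.7", "23/Jan/2011:01:21:30",
          "/?option=com_someExtension&task=%2e%2e%2f%2e%2e%2fproc/self/environ%00"),
]

if __name__ == "__main__":
    print(build_evidence(SAMPLE, "203.0.113.7"))
```

The timestamps keep their UTC offset, and the excerpt holds the log lines unaltered, so the ISP can match them against its own records.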

Locating the ISP of the Offending IP Address

Visit your favorite WhoIs website to help you track down this information. One favorite ...
