Screw with "Hackers"

dontcryforme

I've been working on a personal project (for a decade now) and one thing I've always noticed was the port scanning attempts by possible hackers.

Lately I've taken security more seriously and I am monitoring these attempts basically 24/7 with custom built tools. The other day I noticed a code injection attempt. The idiot who tried to hack used a VPN, but in the injection code he used the IP of his hacking server so I had a bit of my own fun and started calling him some things.

Oh how I should not have done that. The port scanning and code injection attempts increased about 1000 times. From the logs everything seems secure and every time they just get directed to the error page.

This had me thinking, I hate ads on websites. I can see the "hackers" are directed and served my error pages. Maybe I can make some money from this by serving ads only on the error page. Even better, make the error page a new domain on its own and fill it with 100 ads on a single page.

This way I start making money or at least start breaking even on overheads, my users still get what they want, still ad-free, and I might just make some money from the hacking attempts.

Any advice from other non-banking web developers would be appreciated.
 

It's just the IP of the hacker's external jumpbox. These are burnable; you just try and get connections back from the host.

If you have something where people are attempting code injection you have a bigger issue.

He was probably annoyed and just increased the rate to 5000 or something, not that serious, but he is doing it because he thinks he has a chance with your system.

I am pretty sure a hacker is using an ad blocker so it will probably be a waste. Also most of these scans are automated bots; only when the bot finds something juicy does a hacker get involved, again pointing at something on the system/network.
 
I agree that many of these attempts are automated. Some I can see are not. The pages get fully served on many of these attempts, which makes me think there is some manual browsing with some of these attempts.

I guess I can only be sure when I actually try this. As for the ad blockers, that we will just also have to wait and see.

Edit: As for the code injection, I am not sure if I am worried or not. At first I was, but this isn't my first server I use for a website and the others were much less secure and had the same attempts. By default code injection is being managed and filtered in the database. On one of the apps I have built they tried for hours to inject SQL and they failed every time. It was so funny. This was a manual process and every time the guy just got a new data entry.

Edit 2: As for the bot informing the hacker of something juicy, it would only be if an open port was found not related to 80/443, and if a page was served with a 200/success code and not any other expected error code, which can be easily done, and let the manual browsing begin.
 
Silly question, but will your hacker or bot actually click on the ad? To my knowledge, you only get paid if the user clicks on it.
 
I think there are two components to ads. You get paid a very small fee for x amount of views and a little bit more once clicked. So if you serve ads and they are just viewed, you do get some revenue.

Edit: Views/Impressions
 
I'm coming at this from a tech stack perspective, not a moral one. Bots suck so much, and I've lost countless hours securing frontends against them. (clients, not what we built :laugh: )

Turtle makes some good points.

Thing is, the error page is still a network cost and a render for you. And it might be exponentially higher, due to traffic, than your actual site.

I'd call this a sugar pot, and it might work, in the same way an ad farm works, but you've got to find a way to keep your display costs down.

The problem of course is scaling. Once you get enough ants past the sugar trail, you're going to want to increase throughput.

Ironically you're inviting the problem you're trying to solve.

If hosting and render was free, you wouldn't care all that much. Chicken and Egg vibes.

Find a way to mitigate the "Project Sugar" costs, as well as actually give legit errors a proper ux friendly error page, and you'll be golden (syrup)
 
Thanks, this is great advice. At the moment it is serving a nice UX friendly error page. (Thank you codepen and all the frontend developers creating portfolios).

I think the serving of the ads won't use too much of my server resources, as I think that is handled client side with mostly JS (which is also how they block the ads, with a JS injection from a browser add-on)?
 
Yeah normally using ublock origin.
 

Are you saying you are vulnerable to SQL injection and the guy was pulling information from your database with each iteration? That would be bad, and if they ran sqlmap they would have your entire database within seconds.

I would run gowitness and take a pic of all of the websites, then review later. One command, let it finish and review in 5 mins to see what is juicy, like phpMyAdmin or something along those lines.

If you want to piss off hackers, set up a Cowrie box with telnet that's open, which is a box that you can't escape and has no info. Set up Portspoof, which when scanned shows all 65535 as open and takes forever to scan. Set up weblabyrinth, which traps web crawlers in a labyrinth of endless links. Add canary tokens like usercredentials.txt to a website, which trigger when someone opens them and send you their IP.

Those are some fun things you can do which are irritating as hell.
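The canary-token idea in the post above, as an added example that is not code from this thread or from any of the tools named: a small Python detector that reads web-server access logs (constructed sample lines in Combined Log Format), alerts on any request to a decoy path such as usercredentials.txt with the client IP and user agent, and tallies per client how many responses landed on the error page, the signal the earlier "Edit 2" post describes. The decoy path names, IPs and log lines are made up for the demo.

```python
"""Flag requests that touch decoy (canary) paths in a web access log.

Added example, not code from the thread. The log lines below are constructed
in Combined Log Format; the decoy path names are hypothetical."""
import re
from collections import defaultdict

# Decoy resources that no legitimate page ever links to. Any hit is worth an
# alert regardless of the response status. (Hypothetical names.)
CANARY_PATHS = {"/usercredentials.txt", "/backup/db.sql"}

# Combined Log Format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal visitor, one scripted probe that opens the
# decoy file, and one probe that only gets the error page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:02 +0200] "GET /wp-login.php HTTP/1.1" 404 312 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0200] "GET /usercredentials.txt HTTP/1.1" 200 54 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0200] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:00:05 +0200] "GET /.env HTTP/1.1" 404 312 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return (canary_hits, probe_counts).

    canary_hits: one dict per request to a decoy path, carrying the client IP,
    time, path, user agent and status.
    probe_counts: per-IP count of 4xx responses, i.e. how much of a client's
    traffic is landing on the error page."""
    hits = []
    probes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in CANARY_PATHS:
            hits.append({k: rec[k] for k in ("ip", "time", "path", "ua", "status")})
        if rec["status"].startswith("4"):
            probes[rec["ip"]] += 1
    return hits, dict(probes)


if __name__ == "__main__":
    canary_hits, probe_counts = scan(SAMPLE_LOG)
    for h in canary_hits:
        print(f"CANARY {h['path']} opened by {h['ip']} ({h['ua']}) at {h['time']}")
    for ip, n in probe_counts.items():
        print(f"{ip}: {n} error responses")
```

In practice the alert would go to whatever the custom monitoring already does with port-scan hits; the point is that the decoy path is something only a crawler or a person poking around would ever request, so there is no false-positive question to argue about.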
 
Lol, I literally said the exact opposite. Are you high or do you code for a bank?
 
How does any of this benefit me? Playing games when you can make money?
 

Report them to the FBI for attempted money laundering. Send IP.
 
If you're managing a VPS or bare metal web server that's sitting on the internet then you shouldn't have any ports open through your firewall except port 80 and port 443. You should be using some sort of VPN mesh network like Tailscale or OpenVPN or Wireguard to manage your servers so that the SSH (Linux) or RDP (Windows) port is never exposed to the internet. It's scary how many people don't even do this basic setup when managing a hosting server.

In our business we use machine learning to analyse login and access attempts to our system and block them automatically. We built a multi-classification model using features like IP geo data (IP address city, region, country, ISP, etc) and User Agent data. At first it was hard work because we had to manually train the model by sifting through log data and manually identifying bots, brute force attacks, etc, but it was worth the effort. Our ML model now automatically identifies bad actors and adds banned IP addresses to our firewall and we very rarely get false positives and have completely stopped all brute force password attacks.
 
For those who are interested, SQL injection can leak data, yes, but many development platforms have provisions in them as standard these days for that. How will you know if the SQL code injection was successful? It would have most likely not created the record to begin with and saved the command as plain text, and commands like drop_db would have destroyed all the data. It didn't, because then I wouldn't have been able to see the injection attempt in the first place.

SQL injection was also likely the way the CIPC's platforms were hacked and the fact that they did not detect this to begin with was because they do not filter out the commands when their platform interacts with the database.

But you can never be too sure and too safe. We grew up in Africa.

Another level of security to add is to encrypt all the data at database level. All anyone will see when they look at the database is stuff like %RDXDEFT&YHIJey3h4uwhfsf65a&T*YUGVHJHGUfgrhj which does not make sense and would be a hassle to decrypt without the keys used to encrypt it.

This the CIPC also failed to do. Two very basic steps which some good web development platforms have built in as standard these days.

Other things that may make your platform insecure are things like:

- Not updating to the latest stable releases of OS, development platforms or dependencies
- Using too many dependencies
- Using dependencies from unknown and unreliable sources
- Using an out of the box solution like so many WordPress websites without having the knowledge to check and understand the source code
- Using too many different platforms and trying to link all those together

These are all things the CIPC failed to do and it's not just them, even Harvard has fallen victim to these issues before. For some these are basics, for others these are the peak for them based on the Dunning Kruger Effect graph representation.
 
I've built something similar using IP-API.com, most of the bad actors use VPNs. There's an API to identify those as well. The response speed for ip-api is amazing
 

Yes, we use them as well. The "mobile", "proxy" and "hosting" markers on the IP address geo data are very useful in our machine learning model. It allows us to produce a very accurate model without accidentally locking any of our customers out.
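The classifier the two posts above describe, as an added example (not the business's production model and not ip-api.com's code): a categorical naive Bayes in plain Python over the kind of features mentioned, country, ISP type, the proxy/hosting/mobile markers, user-agent family and login result. The training records, the three class labels (legit, bot, bruteforce), the IPs and the field names are constructed assumptions. The case worth watching is the last attempt: a customer behind a carrier proxy has the proxy flag set but is still classified legit, which is the "no lockouts" property the post cares about.

```python
"""Categorical naive Bayes over login-attempt features (geo + user agent).

Added example; not the thread's production model. Field names mimic the
ip-api.com "proxy", "hosting" and "mobile" markers, but every record here is
constructed for the demo."""
import math
from collections import Counter, defaultdict

FEATURES = ("country", "isp_type", "proxy", "hosting", "mobile", "ua_family", "result")
LABELS_TO_BAN = ("bot", "bruteforce")


def record(country, isp_type, proxy, hosting, mobile, ua_family, result):
    """Build one feature dict; geo and UA fields are assumed already enriched."""
    return dict(zip(FEATURES, (country, isp_type, proxy, hosting, mobile, ua_family, result)))


# Constructed, hand-labelled training data (the "sifting through logs" step).
TRAIN = [
    (record("ZA", "consumer", False, False, True, "Chrome", "ok"), "legit"),
    (record("ZA", "consumer", False, False, False, "Firefox", "ok"), "legit"),
    (record("ZA", "consumer", False, False, True, "Safari", "fail"), "legit"),
    (record("GB", "consumer", False, False, False, "Chrome", "ok"), "legit"),
    (record("US", "datacentre", False, True, False, "python-requests", "fail"), "bot"),
    (record("DE", "datacentre", False, True, False, "curl", "fail"), "bot"),
    (record("NL", "datacentre", True, True, False, "python-requests", "fail"), "bot"),
    (record("RU", "datacentre", True, True, False, "Chrome", "fail"), "bruteforce"),
    (record("CN", "datacentre", True, True, False, "Chrome", "fail"), "bruteforce"),
    (record("RU", "consumer", True, False, False, "Firefox", "fail"), "bruteforce"),
]


class CategoricalNB:
    """Multi-class naive Bayes with Laplace smoothing on categorical features."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.feat_counts = defaultdict(Counter)  # (feature, label) -> Counter of values
        self.values = defaultdict(set)           # feature -> distinct values seen

    def fit(self, rows):
        for feats, label in rows:
            self.class_counts[label] += 1
            for f in FEATURES:
                self.feat_counts[(f, label)][feats[f]] += 1
                self.values[f].add(feats[f])
        return self

    def log_scores(self, feats):
        total = sum(self.class_counts.values())
        out = {}
        for label, n in self.class_counts.items():
            logp = math.log(n / total)  # class prior
            for f in FEATURES:
                seen = self.feat_counts[(f, label)][feats[f]]
                # smoothed P(value | label): a value never seen for this label
                # gets alpha rather than zero, so one odd field cannot veto
                logp += math.log((seen + self.alpha) / (n + self.alpha * len(self.values[f])))
            out[label] = logp
        return out

    def predict(self, feats):
        scores = self.log_scores(feats)
        return max(scores, key=scores.get)


def triage(model, attempts):
    """Classify (ip, features) pairs; return per-IP verdicts and the sorted ban list."""
    verdicts = {ip: model.predict(feats) for ip, feats in attempts}
    bans = sorted(ip for ip, label in verdicts.items() if label in LABELS_TO_BAN)
    return verdicts, bans


# Constructed live attempts to triage.
ATTEMPTS = [
    ("203.0.113.7", record("ZA", "consumer", False, False, True, "Chrome", "ok")),
    ("198.51.100.9", record("US", "datacentre", False, True, False, "python-requests", "fail")),
    ("192.0.2.44", record("RU", "consumer", True, False, False, "Chrome", "fail")),
    # customer behind a carrier proxy: proxy flag set, everything else ordinary
    ("203.0.113.80", record("ZA", "consumer", True, False, True, "Safari", "ok")),
]

if __name__ == "__main__":
    model = CategoricalNB().fit(TRAIN)
    verdicts, bans = triage(model, ATTEMPTS)
    for ip, label in verdicts.items():
        print(f"{ip:14} {label}")
    print("ban list:", bans)
```

Naive Bayes is chosen here because it is small enough to read in full and behaves the way the post describes: the proxy marker raises the odds of a ban, but it is weighed against the other fields rather than acting as a hard rule, which is what keeps a proxied customer from being locked out. A real deployment would feed the ban list to the firewall and keep the labelled logs around to retrain as the traffic mix changes.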
 

I've been a .NET developer for many years so SQL injection is something that was solved in .NET a long time ago with the use of strongly-typed querystring variables and the Entity Framework. Most SQL injection attacks in .NET come about because of inexperienced developers using querystring parameters that accept any string, and then also by manually building out SQL queries directly from the querystring parameters without any kind of sanitising or checking. PHP has this problem too.
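To make the SQL-injection point concrete for the two posts above (the earlier one on attempts being stored as plain text, and this one on parameterised queries), here is an added Python/SQLite example, not code from the thread, from .NET or from Entity Framework: the string-built query beside its bound-parameter form, run against a constructed two-row table with a constructed tautology probe. The bound lookup returns nothing for the probe, and when the same string goes through a bound INSERT it is stored as an ordinary text value, which is what lets you see the attempt in the data afterwards.

```python
"""String-built SQL beside its bound-parameter form, on in-memory SQLite.

Added example, not code from the thread or from .NET/EF. The table, rows
and the probe string are constructed for the demo."""
import sqlite3

PROBE = "' OR '1'='1"  # constructed tautology probe


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return con


def find_user_vulnerable(con, name):
    """'Before' form: the input is pasted into the statement text, so a quote
    in it closes the literal and the rest is parsed as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, name):
    """Bound form: the statement text is fixed and the value travels separately,
    so the input can only ever be compared as data."""
    rows = con.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def add_user_safe(con, name):
    """Bound INSERT: whatever string the client sent is stored verbatim, which is
    why an attempt shows up later as an odd-looking row rather than as damage."""
    cur = con.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return con.execute("SELECT name FROM users WHERE id = ?", (cur.lastrowid,)).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print("string-built, probe:", find_user_vulnerable(con, PROBE))  # every row leaks
    print("bound, probe:       ", find_user_safe(con, PROBE))        # nothing matches
    print("stored as text:     ", add_user_safe(con, PROBE))
```

The same split applies to the .NET side: a strongly-typed query-string parameter plus an EF or SqlParameter-bound query keeps user input on the data side of the line, while building the SQL text from the raw query string is the first function above in a different language.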
 