HTTP Server Intrusion Detection Script
April 3, 2010 – 9:05 pm
If you are running a web server and want to keep it secure, we have a tool that works great at detecting scans for scripts and vulnerabilities. It is especially adept at identifying the differences between legitimate traffic and hackers in third world countries.
If you’d like to demo our product please contact our sales team and arrange a demonstration or explanation of features.
Features:
- Detects attempts to access web application vulnerabilities
- Reports access attempts
- Provides whois.net information for each offender
- Operates 24 hours a day without additional load on server
- Integrates with any web server running PHP
- Emails intrusion alarm alerts
Future Potential Features:
- Provide automatic ALARM LEVEL feedback based on analysis of whois.net info
- Automatically deny hosts based on repeated failures
- Ability to whitelist certain IPs, organizations or blocks
The sample below is a FALSE ALARM: it is a Yahoo spider robot doing its rounds and asking for a robots.txt file, which is relatively harmless in the grand scheme of things. Nonetheless, it shows the typical output generated when an access attempt is made to the system. IP addresses have been partially masked.
Site license available for $25. Use it on as many websites/servers as you desire.
Have it installed by our experts for $99.
Call, chat with us or email us for a free demo.
Here is a sample of a potential “attempted hack” reported by our software:
———————————————————————————
SERVER INTRUSION ATTEMPT DETECTED
Intruder IP address:67.195.112.xx
——————————————————————————–
Automatic reverse search results follow:
ARIN: WHOIS Database Search
ARIN WHOIS Database Search
Relevant Links: ARIN Home Page ARIN Site Map
Training: Querying ARIN’s WHOIS
Search ARIN WHOIS for: 67.195.112.xx
OrgName: Yahoo! Inc.
OrgID: YHOO
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 67.195.0.0 – 67.195.255.255
CIDR: 67.195.0.0/16
NetName: A-YAHOO-US8
NetHandle: NET-67-195-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate: 2007-09-13
Updated: 2007-12-07
RAbuseHandle: NETWO857-ARIN
RAbuseName: Network Abuse
RAbusePhone: +1-408-349-3300
RAbuseEmail: network-abuse@cc.yahoo-inc.com
RTechHandle: NA258-ARIN
RTechName: Netblock Admin
RTechPhone: +1-408-349-3300
RTechEmail: rauschen@yahoo-inc.com
OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse@cc.yahoo-inc.com
OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: rauschen@yahoo-inc.com
# ARIN WHOIS database, last updated 2010-04-02 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
Other WHOIS Servers: AfriNIC APNIC LACNIC RIPE InterNICRequest Bulk Copies of ARIN WHOIS DataCopyright © 1997-2007 American Registry for Internet Numbers. All Rights Reserved.
——————————————————————————–
URL Transaction Request Information:
Server IP:GET
404
xxx.graphinex.com
*/*
Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
gzip, x-gzip
Apache/2.2.11 (Win32) PHP/5.2.8
xxx.graphinex.com
192.168.2.xxx
80
67.195.112.xx
C:/wamp/www/
admin@localhost
C:/wamp/www/xxx.php
35877
/robots.txt
CGI/1.1
HTTP/1.0
GET
/robots.txt
/xxx.php
/xxx.php
963428348
———————————————————————-
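The false alarm above is what the listed future features (allowlisting blocks, denying on repeated failures) are meant to suppress. The following Python is an added example, not the product's own code: the threshold, the benign-path set and the sample events are assumptions constructed for illustration, and only the 67.195.0.0/16 block comes from the WHOIS output above.

```python
import ipaddress
from collections import Counter

# Allowlisted netblocks. 67.195.0.0/16 is the Yahoo range from the sample
# WHOIS output; matching is on the source address, not the User-Agent,
# because the User-Agent header is supplied by the client.
ALLOWLIST = [ipaddress.ip_network("67.195.0.0/16")]
# Paths crawlers request routinely; a 404 on these is not treated as a probe.
BENIGN_PATHS = {"/robots.txt", "/favicon.ico"}
DENY_THRESHOLD = 3  # assumed policy: deny after 3 suspicious 404s


def is_allowlisted(ip):
    """True if ip parses and falls inside an allowlisted block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in ALLOWLIST)


def triage(events):
    """events: iterable of (remote_addr, request_uri, status).
    Returns {ip: "ignore" | "alert" | "deny"} for IPs that produced a 404."""
    suspicious = Counter()
    verdict = {}
    for ip, uri, status in events:
        if status != 404:
            continue
        path = uri.split("?", 1)[0]  # compare the path without query string
        if is_allowlisted(ip) or path in BENIGN_PATHS:
            verdict.setdefault(ip, "ignore")  # never downgrade an alert
            continue
        suspicious[ip] += 1
        verdict[ip] = "deny" if suspicious[ip] >= DENY_THRESHOLD else "alert"
    return verdict


# Constructed sample events (documentation address ranges except the first).
SAMPLE_EVENTS = [
    ("67.195.112.10", "/robots.txt", 404),
    ("203.0.113.7", "/old-admin/setup.php", 404),
    ("203.0.113.7", "/old-admin/config.php", 404),
    ("198.51.100.4", "/backup.zip?x=1", 404),
    ("203.0.113.7", "/old-admin/login.php", 404),
    ("198.51.100.9", "/index.html", 200),
]

if __name__ == "__main__":
    for ip, action in triage(SAMPLE_EVENTS).items():
        print(ip, action)
```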