>Stop clicking on obviously dodgy URLs and you won't see things like this.
>Sheesh.
It was an interesting URL, and it was displayed on a public page, and purposely made an active link, for the purposes of clicking it.
>Use a bit of common sense - if you start poking around in the internals
>of the site
It's not really the internals of this site. The URL, which I won't write up, and which I found on a public posting elsewhere from one of the webmasters, is extremely simple. It is very polished, designed for public viewing. It's not exactly a text page with raw stats; it has computer-generated graphs, all nicely explained for the public.
>and start seeing URLs with "attack_attempt" in them, DON'T CLICK
>ON THEM
I assumed it was a news article about some kind of attack attempt, maybe about argonet, or 'The Iconbar' itself. It was an active link, and publicised for clicking, on a public page.
>and certainly don't go around publicising the URL (do you know how
>many times a day these pages get spidered by search engines?!?).
Publicising the URL would be to post it on CSA.* or something. And, that's not the kind of thing that I would do anyway.
>Someone had tried running a WinNT/IIS attack on this Linux/Apache
>server, so I reconfigured the error CGI to block the IPs of these attackers
>just in case they try something else. Of course I had to test it.
I completely agree with you here!
>In answer to your question, no-one gets banned from TIB. If you read it
>carefully you'll see that web pages are still available, it just closes all
>other services just in case they run some other, possibly more successful, attack.
I know that; I was just wondering whether I had been 'limited' by viewing that page, or whether the script limited the user, *then* directed them to this page. I didn't really want the host of this computer getting a message saying I was trying to crack your machine, you see.
>The obvious answer is to stop people looking at the stats full stop.
If you click on the 'staff only' forum it asks for your login, and then only lets you in if you are a member of staff. This login could also be applied to the stats page.
Or, there could just be a few lines in the stats generating script which find the offending actively linked URL and replace it with plain text saying [WinNT/IIS attack attempts].
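The "few lines in the stats generating script" suggested above, as an added example that is not the poster's or The Iconbar's own code. It assumes a stats page that lists requested paths as anchors; the probe patterns and the sample HTML fragment are constructed for this example, and the "attack_attempt" pattern only reflects the wording of the URL mentioned in this thread. The example goes slightly beyond the suggestion: it covers both a generator you control (render_request, which decides at emit time whether a path becomes a link) and a post-processing pass over already-generated HTML (delink_probes).

```python
import html
import re

# Constructed list of request-path patterns that are typical of WinNT/IIS
# probes hitting a Linux/Apache box. Tune it to what your error CGI logs.
PROBE_PATTERNS = [
    re.compile(r"attack_attempt", re.IGNORECASE),              # hypothetical, from this thread's wording
    re.compile(r"/scripts/.*cmd\.exe", re.IGNORECASE),         # IIS directory-traversal to cmd.exe
    re.compile(r"/_vti_bin/|/msadc/", re.IGNORECASE),          # FrontPage / MDAC probes
    re.compile(r"\.\./|%2e%2e|%c0%af|%c1%1c", re.IGNORECASE),  # raw or encoded traversal
]

PLACEHOLDER = "[WinNT/IIS attack attempts]"

# Matches the anchors a simple stats generator emits: <a href="...">text</a>.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]*)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def is_probe(path: str) -> bool:
    """True when the requested path looks like a known attack probe."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def render_request(path: str, hits: int) -> str:
    """Emit one stats row. Probe paths become plain text, never a link.
    The path comes from the access log, i.e. from the requester, so it is
    HTML-escaped before it is written into the page."""
    if is_probe(path):
        cell = PLACEHOLDER
    else:
        cell = '<a href="%s">%s</a>' % (html.escape(path, quote=True), html.escape(path))
    return "<tr><td>%s</td><td>%d</td></tr>" % (cell, hits)


def delink_probes(stats_html: str) -> str:
    """Post-process already-generated stats HTML: replace every anchor whose
    href matches a probe pattern with the plain-text placeholder."""
    def repl(m):
        href = m.group(1)
        return PLACEHOLDER if is_probe(href) else m.group(0)
    return ANCHOR_RE.sub(repl, stats_html)


# Constructed stats fragment: one legitimate page, one IIS traversal probe,
# and the kind of error-CGI URL discussed in this thread.
SAMPLE_STATS = """<table>
<tr><td><a href="/news/">/news/</a></td><td>1203</td></tr>
<tr><td><a href="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir">/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir</a></td><td>17</td></tr>
<tr><td><a href="/cgi-bin/attack_attempt.cgi">/cgi-bin/attack_attempt.cgi</a></td><td>3</td></tr>
</table>"""


if __name__ == "__main__":
    print(delink_probes(SAMPLE_STATS))
    print(render_request("/news/", 5))
    print(render_request("/msadc/root.exe", 2))
```

Escaping the path is the part worth keeping even if you drop the pattern list: the requested URL in an access log is chosen by whoever sent the request, so a stats page that pastes it into HTML unescaped lets a visitor's browser execute whatever was sent. The regex-based post-processor is only safe on HTML your own generator wrote in a known shape; if the generator is under your control, the render_request route is simpler and more robust.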