Web Connection
URLs which attract hackers
Re: URLs which attract hackers
  Luca
  Joel Aiken
  May 28, 2015 @ 10:20am
Hi,
I had the same problem with my website. I asked Google support and this is the solution.
In Google Analytics go to the Administration menu, then to Filters. Create a new filter with:
"include only" + "traffic to the host name" + "equal to" + your host name (yourwebsite.com).
Finally save the filter.
Google explained to me that Russian hackers use this method to lower the score of your website in Google results.
Why? We cannot understand Russian logic.


Is there any reason this URL would attract hackers?
http://www.joelaiken.com/ja/exp.ja?file=holly_giftcert&action=gc

I'm getting lots of hits from Russia.... annoying

Joel Aiken

Re: URLs which attract hackers
  Rick Strahl
  Joel Aiken
  May 28, 2015 @ 12:33pm

SQL Injection attacks. Assumption is that you might use query string or form variables and don't properly escape them causing the database to be corrupted.

+++ Rick ---


Rick Strahl
West Wind Technologies

Making waves on the Web
from Maui

Re: URLs which attract hackers
  n/a
  Rick Strahl
  May 29, 2015 @ 03:07am
Rick,

The hackers are not able to manipulate any of my data because I use password-required logins.
However, my server still has to process each of these hacker hits until the server determines they are not logged in.
I have been blocking the hacker IP addresses in IIS, but then I keep seeing new hacker IP addresses.

Should I use a different technique for my URLs? The ones I'm using now are obviously drawing the attention of hackers.
All the hackers I'm seeing are in Russia.

The URL in question is:
http://www.joelaiken.com/ja/exp.ja?file=holly_giftcert&action=gc
"holly_gift_cert" is a wcs script file
and in that file there is a variable called "action" which controls the action required.
At the beginning of the wcs file, there is code checking for proper login credentials which have been stored as session variables.

This particular wcs file went for a while without the code checking for valid users.
It was a trial project and when I went live with it, I forgot to put the user-validity check in it.
During this period, hackers were able to add bogus records to the data files, but were unable to edit existing records.
Now, since I inserted the missing code, the hackers can't do anything to the data.
Maybe during the period of vulnerability, that particular URL was circulated among the hacker community.
That make any sense?

I use this same pattern of coding in nearly everything I do.
The above explanation might explain why I'm seeing hits to this particular URL and not other very similar URLs.


Thanks,
Joel

Re: URLs which attract hackers
  Rick Strahl
  Joel Aiken
  May 29, 2015 @ 07:12am

I don't think there's anything specific 'attracting' hackers. Most Web sites are constantly under attack - any place where data is entered (POST operations) and anything that includes query string data is a target because the assumption is that the data on the inputs hit the database and possibly allow for SQL vulnerabilities.

There's very little you can do about this. IP Addresses will change constantly (Bot farms). At some point I had really massive issues with the sample Guestbook on the Web Connection Sample site - after which I changed the behavior slightly and moved the URL. Most of the time the bot attacks are harmless - they're relatively low frequency and if you can see what they are doing you can often deflect them easily.

But as you point out they cause traffic on your server and your application which again probably is not a big deal either. Unless you are getting seriously slammed with a denial of service attack it's probably not something you need to worry about too much - because while you can shift the problem around and maybe temporarily fix it, it'll come back.

The best way to keep this from happening is to build your application from the start so that a login is required - before a bot ever gets a chance to get into the application. Once in, the URLs exist and even if they are protected they'll get hit. But if you start with Auth from the very beginning the bots never have a chance to find the URLs in the first place.

+++ Rick ---

Rick Strahl
West Wind Technologies

Making waves on the Web
from Maui
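
An added sketch (not part of the thread, and not Web Connection code) of the two points raised in the replies above: requiring a login before any script runs, so one script file cannot go live without its check, and binding query string values as parameters instead of splicing them into SQL. Python and sqlite3 stand in for the wcs scripts and data files; the handler names, the `recipient` parameter, the `certs` table and the example.test host are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical handlers, keyed by the value of the `file` query parameter.
def gift_cert(db, params):
    recipient = params.get("recipient", [""])[0]
    # Parameterized INSERT: the value is bound, never concatenated into the SQL text.
    db.execute("INSERT INTO certs(recipient) VALUES (?)", (recipient,))
    return 200, "saved"

def login_page(db, params):
    return 200, "login form"

HANDLERS = {"holly_giftcert": gift_cert, "login": login_page}
PUBLIC = {"login"}  # deny by default: anything not listed here needs a session

def dispatch(url, session, db):
    """Route one request; the auth check lives here, not in each script."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("file", [""])[0]
    handler = HANDLERS.get(name)
    if handler is None:
        return 404, "not found"        # only allowlisted script names are routed
    if name not in PUBLIC and not session.get("user"):
        return 401, "login required"   # rejected before any handler code runs
    return handler(db, params)

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE certs(recipient TEXT)")
    # Constructed request: a bot-style hit carrying SQL metacharacters.
    url = ("http://example.test/ja/exp.ja?file=holly_giftcert&action=gc"
           "&recipient=x%27)%3B+DROP+TABLE+certs%3B--")
    anon = dispatch(url, {}, db)
    rows_after_anon = db.execute("SELECT COUNT(*) FROM certs").fetchone()[0]
    authed = dispatch(url, {"user": "joel"}, db)
    stored = [r[0] for r in db.execute("SELECT recipient FROM certs")]
    unknown = dispatch("http://example.test/ja/exp.ja?file=no_such_script", {}, db)
    return anon, rows_after_anon, authed, stored, unknown

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The anonymous hit is turned away without touching the data, and the same payload from a logged-in session is stored as literal text, with the table intact.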