IIS7/Win32-Using PHP code to add IP to IIS ban list?
Posted: Mon Aug 18, 2008 2:56 pm
I have had a botnet pounding on my server, trying to exploit a particular piece of PHP code in my support site. The botnet swarmed my server and overflowed it by hitting this piece of code tens of thousands of times per hour. I've since removed the entire code snippet and taken the support site down for now, so the load this botnet is putting on my server is greatly reduced because the server is now returning a 404 error for every hit. I'd block the IP addresses, but the botnet is pretty vast and that would take forever, perusing through the logs and adding hundreds of IPs a day; this is not feasible.
However, the actual pieces of code that they are slamming are quite precise; most of the requests are for one particular file and there are a few requests for another copy of the same file.
What I am interested in doing is replacing this piece of source that it's looking for (it has to be PHP, not ASP, because it's calling a .php file) with another piece of source that adds the botnet machine to the IP block list in IIS. Effectively, I think, this would reduce the load on the server because instead of looking for the unfound file each time it would simply return a 403 access forbidden code. I could even twig a custom error page and keep it below say 50 bytes, or turn off the returned error page altogether.
However I'm not sure at all how to do this. I'm not a strong PHP programmer but I can fumble my way around. Directly accessing the metabase is possible from ASP although I'm not quite sure on how to do that; and calling an ASP script from PHP to process the ban would probably result in more load than just returning a 404. IIS7 does allow however for a command line with arguments to add the IP restriction to the metabase, so if I could get PHP to execute a command line argument and insert the IP address variable into it that would result in a single instruction to add them to the block list, a second request would net a 403 with minimal load.
However, I have no idea how to go about this. I'm not sure if PHP can execute a command line argument at all, as that would potentially be a huge security risk and they may have just not included it in the PHP engine for exactly that reason alone. However, the code to do such a thing, if it is in fact possible, I believe would be very small; it would merely collect the IP, execute the command line arg, and terminate. Any re-request would then be handled by IIS directly.
My support site is not even used by my clients anymore; it's been down ever since I noticed the botnet traffic, so pretty well anything hitting this file is on the botnet and is unlikely to be a result of search. The collateral damage of banning anyone who hits this file should be nil.
Any idea how I might be able to go about this? It seems like it should be ridiculously simple on the surface, but maybe that's my limited knowledge of PHP.
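One way to build the self-banning page described in this post, as an added example that is not the poster's code: PHP can shell out via exec(), so the script validates the client address strictly (the address is spliced into a command line, which is exactly the injection risk the post worries about), calls IIS7's appcmd.exe to add a deny entry, and answers with an empty 403. The appcmd path and syntax, the log path, and the assumption that exec() is not listed in disable_functions are assumptions to verify on the target server.

```php
<?php
// Added example, not the original poster's code. Assumes IIS7's appcmd.exe at
// its default path and that PHP's exec() is not disabled (see disable_functions).
define('APPCMD', 'C:\\Windows\\System32\\inetsrv\\appcmd.exe');

// Returns true only for a well-formed public IPv4 address. Because the address
// is placed on a shell command line, nothing else may pass this check; the
// private/reserved-range flags also keep the admin's own LAN out of the list.
function is_bannable_ip($ip)
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Adds a deny entry for $ip to the server-level ipSecurity collection.
// The command form below is the IIS7 appcmd syntax as the author recalls it;
// treat it as an assumption and confirm against "appcmd set config /?".
function ban_ip($ip)
{
    if (!is_bannable_ip($ip)) {
        return false;
    }
    $cmd = APPCMD . ' set config -section:system.webServer/security/ipSecurity'
         . " /+\"[ipAddress='$ip',allowed='False']\" /commit:apphost";
    exec($cmd, $output, $rc);
    return $rc === 0;
}

$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$banned = ban_ip($ip);

// Keep an audit trail so bans can be reviewed or reversed later (assumed path).
error_log(date('c') . ' ban ' . ($banned ? 'ok' : 'failed') . " $ip\n",
    3, 'C:\\inetpub\\logs\\autoban.log');

// Minimal response: no body, so the bot's next hit is refused by IIS itself.
header('HTTP/1.1 403 Forbidden');
header('Content-Length: 0');
exit;
```

The IIS worker process identity must be allowed to run appcmd and write applicationHost.config for the commit to succeed, so test the page once from a throwaway address before pointing it at the botnet. Also note that the ipSecurity list is consulted on every request, so thousands of individual entries will eventually need pruning or consolidation into subnet masks.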