...
- Your log files (hopefully you are keeping adequate audit logging turned on) may show login attempts from unfamiliar addresses, or more consecutive failures than you would expect. Web access logs may show many requests from the same IP, including requests for strange URLs.
- If you allow anonymous updates to your websites (i.e. no login required), junk data or what looks like spam may be inserted into your application's database or email forms.
- If your web application uses a database and is vulnerable to input injection, ordinary database queries with altered SQL could take longer to run, connection pools may fill up, and requests may hang while waiting for new connections.
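The log symptoms listed above are the kind a short script can pick out of your own logs. The following is an added example (not part of the original page or of any OIT tooling): it runs over a few constructed access-log and auth-log lines, counts requests, 404s and odd-looking URLs per source IP, and counts repeated failed logins per source. The thresholds, regular expressions and sample lines are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx combined-log style (not real traffic).
# 203.0.113.7 behaves like a scanner: many requests, several 404s, odd URLs.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /files/../../../config.yml HTTP/1.1" 404 213
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=1%27%20OR%201%3D1-- HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 213
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /about HTTP/1.1" 200 880
"""

# Constructed sample sshd lines in syslog style (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 10 13:57:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Oct 10 13:57:03 web01 sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 50123 ssh2
Oct 10 13:57:05 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50124 ssh2
Oct 10 13:57:07 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50125 ssh2
Oct 10 13:57:09 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50126 ssh2
Oct 10 14:02:11 web01 sshd[2150]: Accepted publickey for deploy from 198.51.100.23 port 41000 ssh2
Oct 10 14:05:30 web01 sshd[2160]: Failed password for alice from 198.51.100.23 port 41012 ssh2
"""

# Combined-log format: ip ident user [timestamp] "METHOD URL PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# sshd failure line; the "invalid user " prefix is optional.
AUTH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Characters and sequences that rarely appear in legitimate URLs on a simple site
# (assumed indicator list; tune it for your own application).
SUSPICIOUS_URL = re.compile(r"(\.\./|%2e%2e/|'|%27|<|%3c)", re.IGNORECASE)


def parse_access_log(text):
    """Return one dict per parsable access-log line; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_web_sources(text, max_requests=5, max_404=3):
    """Return {ip: [reasons]} for source IPs whose access-log behaviour looks like scanning."""
    per_ip = defaultdict(list)
    for ev in parse_access_log(text):
        per_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in per_ip.items():
        reasons = []
        if len(evs) >= max_requests:
            reasons.append(f"{len(evs)} requests")
        not_found = sum(1 for e in evs if e["status"] == "404")
        if not_found >= max_404:
            reasons.append(f"{not_found} 404s (requests for paths that do not exist)")
        odd = [e["url"] for e in evs if SUSPICIOUS_URL.search(e["url"])]
        if odd:
            reasons.append(f"suspicious URL(s): {odd}")
        if reasons:
            findings[ip] = reasons
    return findings


def flag_auth_failures(text, threshold=3):
    """Return {ip: failure_count} for sources with at least `threshold` failed logins."""
    counts = Counter()
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, reasons in flag_web_sources(SAMPLE_ACCESS_LOG).items():
        print(f"web: {ip}: " + "; ".join(reasons))
    for ip, n in flag_auth_failures(SAMPLE_AUTH_LOG).items():
        print(f"auth: {ip}: {n} failed logins")
```

On the constructed input only 203.0.113.7 is reported, on both the web and the auth side; 198.51.100.23 has a single failed login and two ordinary page views and stays below every threshold. Pointing the two functions at your real log files instead of the embedded strings is the intended use; the thresholds are deliberately low for the small sample and should be raised to match normal traffic on your own system.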
What you should do:
- If notified by OIT Security about a potential vulnerability, act quickly to respond and correct the problem or work with them to think of possible mitigating controls until a fix can be produced.
- Configure audit logging and retention at a level such that a scan will not completely wipe out recent log data. This matters not just for these scans but also for the inevitable time when a real hacker attempts to attack your system. Audit log retention settings vary by system.
- Be aware of any account lockout policies or other denial of service controls you have configured on your systems.
- Don't block the IPs of scans in a blacklist manner, because real hackers will use different IPs and methods for each attack. Instead, if you can limit access, do it comprehensively by allowing only a whitelist of IPs and users that should have legitimate access. We will intentionally not publish the times and sources of these scans.
...