Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The first day in the life of a website

Published: 2007-03-26
Last Updated: 2007-03-26 15:10:31 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
It has been a rather long time since I had to set up a website from scratch so I was rather amazed when I started looking at the logs of a system which went live around 15:00 CET last Saturday.

The setup, a standard Apache running on OpenBSD 4.0, consists of an SSL password-protected virtual host, a single page redirecting from the non-SSL virtual host to the SSL version if you forget the 's' and a blank page waiting for connections on the direct IP address without the correct Host: directive.

The interesting logs are obviously the ones for the direct IP address accesses...

The preamble

83.180.231.X - [24/Mar/2007:15:12:30 +0100] "GET / HTTP/1.1" 200 291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.2pre) Gecko/20070223 Camino/1.1b"
217.172.253.X - - [24/Mar/2007:15:43:33 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
217.172.253.X - - [24/Mar/2007:16:30:06 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
208.11.16.X - - [25/Mar/2007:01:05:00 +0100] "\x10\x01" 501 - "-" "-"
217.172.239.X - - [25/Mar/2007:12:39:37 +0200] "GET / HTTP/1.0" 200 274 "-" "-"
82.165.42.X - - [25/Mar/2007:15:11:15 +0200] "GET / HTTP/1.1" 200 274 "-" "Mozilla/5.0"

So, the first one, no prizes for guessing correctly, would be yours truly testing that the site works (hey, I actually have a valid User-Agent!).

Barely 20 minutes later someone visits a completely unannounced website with no www.domain CNAME assigned to it from Poland (hi there!), twice, from the same IP on some DSL provider in Lodz.  Then, someone from the USA visits, middle of the night for me, comfortable mid-morning coffee script-kidding for him, sitting on wythenet.com trying a nice hex escape to try and tickle the server for information. Then around midday our friend from Poland comes again (my dear chap you might benefit from a database to archive the info...) but from a different net and "closing the first day of life" we are visited by a well-hacked server in Germany.

Making good(?) use of the collected information

So, after the in-depth mapping of the server (which is, incidentally running nothing bar Apache, no modules, ServerTokens appropriately set, etc.) the first script kiddie "attacks":

208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
[...]

So this is the gentleman coming in from the USA who has gathered the data from his "scan" and is now attacking the sites after breakfast (his breakfast of course, middle of the afternoon for Europe).  He is finished quite quickly:

208.11.16.X - - [25/Mar/2007:16:25:21 +0200] "GET /admin/phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 311 "-" "-"

To make the Sunday more interesting we have someone trying to SSL brute force the server:

194.235.70.X - - [25/Mar/2007:17:17:25 +0200] "GET /sumthin HTTP/1.0" 404 283 "-" "-"

The line above is the signature of the ATD OpenSSL Mass Exploiter and if you bother looking for the IP address on Google you will see that the particular sort-of-obfuscated IP has been active for a while (and has now finally been reported to the guilty party).

What about day 2?

Monday morning is boringly quiet until after lunch when we have someone looking for FrontPage vulnerabilities:

85.25.140.X - - [26/Mar/2007:14:33:35 +0200] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 316 "-" "core-project/1.0"

I guess the logic might be "new host, middle of a large colo block, could well be FrontPage...", seems to be a one-off but comes from one of those large server4you farms in Germany so could well be the result of the European scanning on Saturday.

Obviously 24 hrs must be the standard "nobody checks their logs for that long" period because our last visitor from Sunday now returns and plays PHP games:

82.165.42.X - - [26/Mar/2007:15:30:14 +0200] "GET / HTTP/1.0" 200 274 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /index.php HTTP/1.0" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /wbb2/index.php HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /board/index.php HTTP/1.0" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
[...]

Welcome back!

Somewhat more thorough than our US scanner he is done faster since he is on a faster and very close (three hops...) link to my server:

82.165.42.X - - [26/Mar/2007:15:30:35 +0200] "POST /database/main.php HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

At which point the obvious observation is that these days you barely have the time to put a website up before it is visited, catalogued and exploited (fortunately with untargeted automated tools).

Reader quiz

Now, for extra points, who spotted the time change in the preamble where the timezone offset goes from GMT+1 (CET) to GMT+2 (CEST)?

Ciao,

Arrigo
Keywords:
0 comment(s)
Diary Archives