Recovering hacker attacks from a small number of access logs

Recovering hacker attacks from a small number of access logs

In the martial arts world, we often mention "bodies can talk", while in the world of cyber attack and defense, logs are the most important means of tracking. Today, we will talk about how to restore the entire hacker attack process and common attack methods through just a few lines of access requests.

Every day, a large number of attackers exploit the vulnerabilities of various plug-ins to attack WordPress and Joomla sites.

The following describes how to use Google Dork to defend against attacks.

Google Hacking is the most common attack method for hackers to find attack targets. Google is used to find websites that may contain vulnerabilities.

For example, if you use the inurl operator to find a wordpress site with incorrect configuration, [inurl: "wp-content" "index of"], almost every exposed vulnerability in the web world, you can use Google hacking to find the target. Using Google Hacking technology, attackers simply enter a search term in the search box and then process the search results. Is it that simple? Apparently not. Next let's take a look at the obstacles and problems encountered by large-scale batch retrieval.

Difficulty 1: Due to Google's restrictions, millions of sites can be returned for each instant search, but you can obtain up to 1000 sites.

Difficulty 2: In addition, not all websites contain vulnerabilities. Generally, the ratio of the expected vulnerabilities is below 1000 (of course, this is not static, the publication date of the test vulnerability ).

Difficulty 3: Google will pop up a verification code for abnormal and frequent requests to organize Google Hacking automation.


How can attackers overcome the obstacles mentioned above?

Next we will officially enter our topic. Let's take a look at the common techniques of these smart attacks through several logs.

5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1" 302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0"5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1" 302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0"5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1" 302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0”

PHP Proxy

All the preceding three requests are in the php file "des/freesans. fr. php. After retrieval, it is found that this is an open-source web Proxy program. By using the proxy program, you can not leave your own real IP address, so as to break through the IP address restrictions and initiate a request to Google.

As shown in the preceding log, attackers use a proxy program to perform Google Hacking:

Docks

From the above request, the statement for extracting the Dock is:

1. [wp-content revslider site: mobi]

2. [com_adsmanager + logo site: dj]

3. [wp-content + revslider site: mobi]

From the first and third requests, attackers are looking for a wordpress site using the Slider Revolution plug-in. (Slider Revolution is a vulnerability exposed last year. So far, hackers have been searching for websites containing this vulnerability)

The second request looks like a Joomla site using the AdsManager plug-in, because some versions have the preceding vulnerability.

So far, let's summarize the common google dock trick methods used by attackers:

1. Use the site + top-level domain name to bypass the 1000 return result restrictions mentioned above. Google hacking using site: mobi, site: com, site: org site: net, etc, then we can obtain the suspicious site URLs of 1000 mobi suffix domain names, the suspicious site URLs of 1000 com suffix domain names, the suspicious site URLs of 1000 org suffix domain names, and the suspicious site URLs of 1000 net suffix domain names. site url. When we use different site + top-level domain names, we will get more than 1000 vulnerable URLs.

2. Break through the IP address restriction. Attackers often use the following trick to restrict bypas IP addresses.

Use & num = 100 to increase the number of responses per page, thus reducing the number of requests.

Distributed proxy, which uses multiple bots to initiate requests in turn.

This explains why attackers do not care about the websites they want to attack. They want to possess all the CPU and computing resources they can use.

3. Counterfeit UA

Counterfeit UA makes the request look like a large number of different real users from an ISP. As shown in the following text, each UA seems the same, but there are slight differences.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 23.0) Gecko/20130406 Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv: 23.0) Gecko/20131011 Firefox/23.0

Through the analysis of the above three statements, we understand the following actions of attackers:

1. Why are attackers not focusing on a single vulnerability, but on so many different vulnerabilities. (For larger discovery of websites that can be attacked)

2. Why is software update and patching so important for every website. (Otherwise, your website may be targeted by hackers in batches)

3. How can an attacker discover a large number of vulnerability sites in a short time. (Using google Dock Technology)

4. How do they use the compromised hosts to continue expanding the attack results. (Install the web Proxy program on the compromised host and continue google hacking through the proxy Program)

5. Why is your IP address a very important resource for attackers. (Distributed and anonymous attacks can be implemented)