
Logs from attempted intrusions into my site

  • 14-05-2012 2:53pm #1


    So over the last ~24 hours or so there have been repeated, determined attempts to break into my website. Obviously enough, it seems some script kiddy out there (likely Antisec-affiliated) is a little bit miffed that I became one of the "Corrupt Whitehats", etc, and has been trying his/her VERY best to "own and expose" or whatever. Either that or it is a robot running vuln scanners that has a fixation on my site :)

    So, I figured, I would sanitize (remove innocent people) the logs (error, agent and site) and post them up for all to see, with some comments and such for the hell of it.

    User Agent Log
    http://pastebin.com/eQU4MZ38
    You can see a LOT of Nikto, then some "down for everyone or just me", indicative of attempted DoS or firewall kicking the guy.

    Note "Evasions: None" in the Nikto scans - VERY lame IMO.

    Here is the error_log file generated by Nikto scans against the box.
    http://pastebin.com/5LvECCfw

    Pretty friggin lame, it was ALL 404. Good luck finding CGI bugs or SQLi on a site made of static HTML and JavaScript with NO user input ;)

    I am insulted!

    And finally the site_logs.
    http://pastebin.com/YHZmJe8a

    As one can see, the Nikto user in question failed miserably at evading detection and believed his VPN service would protect him. I have reported the attacks to the VPN provider in the hopes they MIGHT warn their users against such idiocy.

    I hope these logs are of use to someone in the future for writing IDS signatures, or at least so they know what to look for.

    ~infodox
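As an added illustration, not part of the thread or the poster's own logs: a small Python detector over constructed Apache combined-format lines that flags a client when its user agent names Nikto or when nearly all of its requests end in 404, the two signals the post points out. The regex, sample lines, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The SAMPLE_LOG lines below are constructed
# samples with documentation addresses, not the thread author's real logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
198.51.100.7 - - [14/May/2012:13:41:02 +0100] "GET /cgi-bin/test-cgi HTTP/1.1" 404 212 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"
198.51.100.7 - - [14/May/2012:13:41:02 +0100] "GET /admin.php?id=1' HTTP/1.1" 404 212 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000002)"
198.51.100.7 - - [14/May/2012:13:41:03 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000003)"
203.0.113.9 - - [14/May/2012:13:45:10 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"
203.0.113.9 - - [14/May/2012:13:45:11 +0100] "GET /style.css HTTP/1.1" 200 880 "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_scanners(log_text, min_requests=3, max_404_ratio=0.8):
    """Return {ip: [reasons]} for clients that look like vulnerability scanners."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "uas": set()})
    for rec in parse(log_text):
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["404"] += 1
        s["uas"].add(rec["ua"])
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if any("nikto" in ua.lower() for ua in s["uas"]):
            reasons.append("nikto user agent")  # scanner did not change its default UA
        if s["total"] >= min_requests and s["404"] / s["total"] >= max_404_ratio:
            reasons.append("mostly 404s")  # probing for paths that do not exist
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The 404-ratio rule catches a scanner that does rename its user agent, since a static site with no such paths still answers every probe with 404.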


Comments

  • JimmyCrackCorn


    I'd need to see the raw logs but it's either DoS or a crawl.

    Then my guess is he tried to check the site using a browser mid-DoS.

    The IP addresses would help a little. My guess is it's someone playing with tools more so than a real DoS.


  • infodox


    The IP addresses are in some of the logs (the only things I removed were a few innocent users and the full paths to my site in the error logs for security reasons), it is all coming from behind the Mullvad VPN. It appears to be someone using Nikto to scan the whole site, then seemingly getting "blocked" and using downforeveryoneorjustme to check the site. Though given the sheer amount of traffic generated (10mb+), I would guess there was maybe a small bit of packeting - a MONTH'S use of my site generates that much traffic with a reasonable amount of visitors.

    Quite amusing to see that the person responsible did not know about Nikto's "evasion" setting...

