Wednesday, February 07, 2007 9:43 AM by nairdo
Hacker Detection
When I worked at Motorola there were many people that I admired, but there was one who was inspiring. He was a network security type guy, and it seemed to me that he could spot a hacker a mile away. Anyway, his work has inspired me to keep watch over certain behaviors on our website. Publicly I won't go into which tripwires I use to detect when an attempted hack is taking place, but I will show you the obvious signs of a hacker as seen in a web server log:
This looks fairly normal. The time is 8:20.
2007-02-07 08:20:49 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - - 200 0 0 18 515
2007-02-07 08:26:04 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - - 200 0 0 18 656
2007-02-07 08:37:43 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - - 200 0 0 18 171
2007-02-07 08:37:44 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - - 200 0 59780 18 796
2007-02-07 08:37:58 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - - 200 0 59780 18 406
... nothing too suspicious so far, except perhaps his looking for login.html... but wait...
2007-02-07 08:38:00 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 - - www.cccev.com 200 0 0 39 171
2007-02-07 08:38:00 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - www.cccev.com 200 0 0 274 93
2007-02-07 08:38:00 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.cccev.com 200 0 0 258 109
2007-02-07 08:38:00 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - www.cccev.com 200 0 0 274 171
2007-02-07 08:38:02 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 200 0 59780 129 531
2007-02-07 08:38:03 IPSWAZ0014ATL2 216.25.73.73 GET /login.html - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 268 93
2007-02-07 08:38:03 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 200 0 59780 258 390
... What is he looking for now? All kinds of things!
2007-02-07 08:38:03 IPSWAZ0014ATL2 216.25.73.73 GET /commoncgi/servlet/CCGIServlet ApHost=PDT_InterScan_NT&CGIAlias=PDT_InterScan_NT&File=logout.htm 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 353 62
2007-02-07 08:38:03 IPSWAZ0014ATL2 216.25.73.73 GET /MSWSMTP/Common/Authentication/Logon.aspx - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 302 0 577 298 296
2007-02-07 08:38:03 IPSWAZ0014ATL2 216.25.73.73 GET /intruvert/jsp/admin/Login.jsp - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 287 62
2007-02-07 08:38:04 IPSWAZ0014ATL2 216.25.73.73 GET /ControlManager/default.htm - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 284 125
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /robots.txt - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 200 0 481 268 93
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /CVS/Entries - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 269 78
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /NonExistant2018489247/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 280 62
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /.cobalt/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 266 78
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /AdminWeb/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 267 78
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /Admin_files/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 270 62
2007-02-07 08:38:35 IPSWAZ0014ATL2 216.25.73.73 GET /Administration/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 273 62
2007-02-07 08:38:36 IPSWAZ0014ATL2 216.25.73.73 GET /AdvWebAdmin/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 270 62
2007-02-07 08:38:36 IPSWAZ0014ATL2 216.25.73.73 GET /Install/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 266 62
... and this goes on and on and on. Notice how the tool he is using is only hitting the server about 4-8 times a second -- not so much that it would look suspicious...
2007-02-07 08:43:37 IPSWAZ0014ATL2 216.25.73.73 GET /typo3/dev/translations.php ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 429 62
2007-02-07 08:43:37 IPSWAZ0014ATL2 216.25.73.73 GET /testsite/typo3/dev/translations.php ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 438 78 20
... and on and on and on...
2007-02-07 08:43:33 IPSWAZ0014ATL2 216.25.73.73 GET /owls/glossaries/index.php file=/etc/passwd 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 300 78
...
2007-02-07 08:43:35 IPSWAZ0014ATL2 216.25.73.73 GET /scripts/commerce.cgi page=../../../../../etc/passwd%00index.html 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 502 2 447 322 93
2007-02-07 08:43:36 IPSWAZ0014ATL2 216.25.73.73 GET /cgi-bin/commerce.cgi page=../../../../../etc/passwd%00index.html 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 502 2 447 322 109
2007-02-07 08:43:36 IPSWAZ0014ATL2 216.25.73.73 GET /about/involvement/default.aspx Mode=debug 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 200 0 71489 287 406
...
2007-02-07 08:43:37 IPSWAZ0014ATL2 216.25.73.73 GET /typo3/dev/translations.php ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 429 62
2007-02-07 08:43:37 IPSWAZ0014ATL2 216.25.73.73 GET /testsite/typo3/dev/translations.php ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 438 78 20
... but then the behavior changes slightly. There are longer pauses between the GETs, and it looks like he's using another client (possibly switching from a UNIX variant to Windows)...
2007-02-07 08:43:38 IPSWAZ0014ATL2 216.25.73.73 GET /cgi-bin/admin/setup.php - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 281 78
2007-02-07 08:43:38 IPSWAZ0014ATL2 216.25.73.73 GET /cgi-bin/ - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 404 0 1813 266 78
2007-02-07 08:43:38 IPSWAZ0014ATL2 216.25.73.73 GET /admin/setup.php - 80 - 204.238.82.4 Mozilla/4.75+[en]+(X11,+U;+Nessus) - www.cccev.com 401 2 1920 273 78
2007-02-07 08:43:51 IPSWAZ0014ATL2 216.25.73.73 GET /default.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 59780 127 2000
2007-02-07 08:43:53 IPSWAZ0014ATL2 216.25.73.73 POST /HomePage.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 59716 10691 1781
2007-02-07 08:43:55 IPSWAZ0014ATL2 216.25.73.73 GET /Homepage.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 59716 192 1765
2007-02-07 08:43:59 IPSWAZ0014ATL2 216.25.73.73 GET /ministries/Adult/CurrentDevotions.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 80397 217 3609
2007-02-07 08:44:32 IPSWAZ0014ATL2 216.25.73.73 POST /Homepage.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 59716 10691 36767
2007-02-07 08:44:36 IPSWAZ0014ATL2 216.25.73.73 GET /about/involvement/ServingAtCentral.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 77316 218 40798
2007-02-07 08:44:36 IPSWAZ0014ATL2 216.25.73.73 GET /weekend/SermonArchives.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 94462 206 40798
2007-02-07 08:44:36 IPSWAZ0014ATL2 216.25.73.73 GET /connecting/requestprayer.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 77572 208 40908
2007-02-07 08:44:39 IPSWAZ0014ATL2 216.25.73.73 GET /connecting/StartingPoint.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 77699 208 7500
2007-02-07 08:44:57 IPSWAZ0014ATL2 216.25.73.73 POST /requestprayer.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 0 11402 17610
2007-02-07 08:44:57 IPSWAZ0014ATL2 216.25.73.73 POST /SermonArchives.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 0 10819 17516
2007-02-07 08:44:57 IPSWAZ0014ATL2 216.25.73.73 GET /about/default.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 0 185 17610
... and ultimately the hacker targets one particular page and really starts to hammer it with a variety of strange input...
2007-02-07 08:52:02 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 1249 703
2007-02-07 08:52:20 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=A 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 225 9781
2007-02-07 08:52:20 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=AA 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 226 656
2007-02-07 08:52:20 IPSWAZ0014ATL2 216.25.73.73 POST /Homepage.aspx - 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 200 0 59716 10692 3140
2007-02-07 08:52:20 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=AAA 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 227 140
... and on and on for a long time...
2007-02-07 09:08:46 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=............................................................................................................................................................... 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 736 2703
2007-02-07 09:08:47 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22%22 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 611 2296
...
2007-02-07 09:21:20 IPSWAZ0014ATL2 216.25.73.73 GET [EDITOR DELETED PAGE NAME FOR SECURITY PURPOSES] oID=%3C%3C%3C 80 - 204.238.82.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - www.cccev.com 302 0 577 233 92453
... and then finally giving up after almost exactly 1 hour.
Now, when you couple all of this with some other suspicious things (more on this later) and take into consideration yesterday's DoS attack against the Internet's Root Servers, you have to wonder what might be going on and go investigate further.
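The signs the post walks through (a scanner's own name in the User-Agent, a burst of 404s against admin-style paths, /etc/passwd traversal strings in query parameters, a client that changes its User-Agent mid-session, and one page hammered with long runs of a single character in a parameter) can be checked mechanically over an IIS W3C extended log. The Python below is an added example, not code from the post or its author. It assumes the 18-column field order inferred from the lines the post prints (the post shows no #Fields directive, and IIS lets the administrator choose the columns), and the log it runs on is constructed to imitate that format with documentation-range addresses and an invented page name, not the real traffic.

```python
"""Flag scanner-like behaviour in IIS W3C extended log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# ASSUMED column layout, inferred from the post's lines; adjust to your #Fields line.
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs-user-agent cs-referer cs-host sc-status "
          "sc-substatus sc-bytes cs-bytes time-taken").split()

SCANNER_UA = re.compile(r"nessus", re.IGNORECASE)          # scanner announcing itself
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd|\x00)")        # matched on a URL-decoded copy

# Constructed sample log in the assumed format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
2007-02-07 08:20:49 SITE1 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 - - - 200 0 0 18 515
2007-02-07 08:38:00 SITE1 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 200 0 0 258 109
2007-02-07 08:38:03 SITE1 10.0.0.5 GET /login.html - 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 404 0 1813 268 93
2007-02-07 08:38:35 SITE1 10.0.0.5 GET /CVS/Entries - 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 404 0 1813 269 78
2007-02-07 08:38:35 SITE1 10.0.0.5 GET /AdminWeb/ - 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 404 0 1813 267 78
2007-02-07 08:43:35 SITE1 10.0.0.5 GET /scripts/commerce.cgi page=../../../../../etc/passwd%00index.html 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 502 2 447 322 93
2007-02-07 08:43:37 SITE1 10.0.0.5 GET /typo3/dev/translations.php ONLY=%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 80 - 192.0.2.10 Mozilla/4.75+[en]+(X11;+U;+Nessus) - www.example.test 404 0 1813 429 62
2007-02-07 08:43:51 SITE1 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 200 0 59780 127 2000
2007-02-07 08:52:02 SITE1 10.0.0.5 GET /item.aspx oID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 302 0 577 1249 703
2007-02-07 08:52:20 SITE1 10.0.0.5 GET /item.aspx oID=A 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 302 0 577 225 9781
2007-02-07 08:52:20 SITE1 10.0.0.5 GET /item.aspx oID=AA 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 302 0 577 226 656
2007-02-07 09:08:47 SITE1 10.0.0.5 GET /item.aspx oID=%22%22%22%22%22%22%22%22%22%22%22%22 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 302 0 577 611 2296
2007-02-07 09:21:20 SITE1 10.0.0.5 GET /item.aspx oID=%3C%3C%3C 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - www.example.test 302 0 577 233 92453
2007-02-07 09:00:00 SITE1 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows;+U) - www.example.test 200 0 59780 18 300
2007-02-07 09:00:05 SITE1 10.0.0.5 GET /about/default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows;+U) - www.example.test 200 0 71489 18 300
"""


def parse(text):
    """Yield one dict per entry; '#' directive lines and short lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split()          # IIS encodes spaces inside fields as '+'
        if len(cols) < len(FIELDS):
            continue                 # truncated or differently configured line
        rec = dict(zip(FIELDS, cols))  # any extra trailing columns are ignored
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        yield rec


def fuzzed_value(value, min_len=64):
    """True for long single-character runs such as AAAA..., ......., %22%22..."""
    decoded = unquote(value)
    return len(decoded) >= min_len and len(set(decoded)) == 1


def analyse(text, not_found_threshold=3, window_seconds=60, distinct_values=4):
    """Return {client_ip: sorted finding names}; clients with no findings are absent."""
    findings = defaultdict(set)
    by_ip = defaultdict(list)
    for rec in parse(text):
        by_ip[rec["c-ip"]].append(rec)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        agents, recent_404 = [], []
        param_values = defaultdict(set)      # (stem, parameter) -> distinct values seen
        for r in recs:
            ua = r["cs-user-agent"]
            if SCANNER_UA.search(ua):
                findings[ip].add("scanner user-agent")
            if ua != "-" and ua not in agents:
                agents.append(ua)
            if r["sc-status"] == 404:        # sliding window of 404s per client
                recent_404 = [t for t in recent_404
                              if (r["ts"] - t).total_seconds() <= window_seconds]
                recent_404.append(r["ts"])
                if len(recent_404) >= not_found_threshold:
                    findings[ip].add("404 burst")
            if TRAVERSAL.search(unquote(r["cs-uri-stem"] + "?" + r["cs-uri-query"])):
                findings[ip].add("path traversal probe")
            if r["cs-uri-query"] != "-":
                for pair in r["cs-uri-query"].split("&"):
                    name, _, value = pair.partition("=")
                    param_values[(r["cs-uri-stem"], name)].add(value)
                    if fuzzed_value(value):
                        findings[ip].add("parameter fuzzing")
        if len(agents) > 1:
            findings[ip].add("user-agent changed mid-session")
        if any(len(v) >= distinct_values for v in param_values.values()):
            findings[ip].add("parameter fuzzing")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, names in analyse(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```

The thresholds (three 404s within a minute, four distinct values for one parameter, a 64-character run) are starting points, not tuned values; a real site's baseline decides them. The scanner-name check is the weakest signal, since a User-Agent is trivially changed, which is why the behavioural checks (404 burst, traversal strings, parameter churn, agent switch) are kept separate and reported together per client address.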