H3XED

Analyzing a Recent Exploit Attack with HTTP Request Log

Aug 7, 2015   Web Development   Nick Vogt   Comments
Please note that this post is over a year old and may contain outdated information.
On Monday July 20th at 10AM, H3XED received 13,507 http requests over the course of about 6 minutes (38 per second) from IP 87.69.252.212, which is located in Israel. The user agent was Java/1.8.0_05 and they were mostly GET requests. They were looking for exploitable endpoints by running through a long list of URLs and checking for response codes. Here is a breakdown and analysis of the attack.


Access Pages


The bot was looking for unsecured and exploitable pages on the site, such as hidden admin pages or files that might contain credentials (e.g. _userdb.php, admin_login.zip). They didn't find any, and thankfully the server handled the traffic without a problem. It's a good lesson that you should make sure all pages are secure, even if there are no links pointing to them.

View the complete log of http requests in Excel format.

Most requests were met with a 404 response, but when the bot received a 200 response (a valid page), it hit it a second time to double-check, and then hit it a third time from user agent USERAGENTAAA (same IP). It seems to be that the Java/1.8.0_05 bot looks for the existence of pages and then the USERAGENTAAA bot does something else with them; perhaps it downloads them and analyzes them for useful information (usernames, passwords, email addresses, etc).


CloudFlare


CloudFlare challenged 165 of the requests. I had Security set to Low as I don't want to inconvenience legitimate visitors. I am surprised that CloudFlare didn't catch on, receiving 38 hits per second sustained over 6 minutes, all from the same IP address. I have since increased the security level a notch. Ideally CloudFlare would have caught on much earlier and avoided most of the requests making their way to my server.


Server-Side Analytics


I only noticed the attack because of server-side analytics. JavaScript analytics would have been oblivious to the activity. When checking the dashboard on Google I also noticed that the "service provider" was listed as "please send abuse/spam complaints to abuse@012.net.il".
Share This Post
Twitter

Comments (0)

Share This Post
Twitter
H3XED © Nick Vogt   RSS   Policies   Twitter