Sunday, 27 April 2014

[EN] Bots in the log

Few weeks ago I decide to create another mini-honeypot.
To do this, I used Apache server with ModSecurity installed.

After few modifications of existing rules, next thing was to
create some 'log reader' to quick check if there is something
new (and interesting) in logs, or not. And of course, to
learn more about how bots are talking with my machine,
where they want to connect, and what 'exploits' they are

During last few weeks I was observing multiple GET and POST
requests to Apache (where I have only index.html and robots.txt
file, but it wasn't a hint for attackers, because they scanned
all possible vulnerabilities anyway ;)).

For example, few very often requests was related to vulnerable phpMyAdmin installation and other old webapps:
# grep GET modsec_audit.log
GET /phpTest/zologize/axa.php HTTP/1.1
GET /phpMyAdmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET / HTTP/1.1
GET /robots.txt HTTP/1.1

This is not the problem to find out what vulnerabilities was
tried to reach, let's google it:

POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1

As you can see, here is a very useful post 

(by SpiderLabs) about this vulnerability.

Of course you can now get 'tools' from this kind of POST (http://attackers-host/histool)
and read it. Often you will find bash script, trying to download pscan or some exploit to get-root on your machine. 

Kind of fun ;)

But probably nothing new...

Anyway, in a last few days I found interesting line in logs:
---<code>--- - - [25/Apr/2014:22:38:05 +0200] "GET /toplel.action?class[%27classLoader%27][%27resources%27][%27dirContext%27][%27docBase%27]=// HTTP/1.0" 403 466 "-" "-"

I was a little surprised, because this was the first time I saw it in my logs. So I tried to find some information at google, and that's how I found a very nice post at SpamBotSecurity Forum
that this is a bug in Apache Struts but also please check this.

(Also 'toplel' seems to be a malware)

Probably in the future I will post here something new about it,
but now if you want, you can check my simple log reader to verify

if in your logs you will find something interesting.

Of course you can use another simple script to block
this kind of requests. Check this out:
# cat

# script to simple block all IP's from mod_security.log

#uniq IP addresses to block
echo ""
echo "In the last mod_security log, found : [`grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq | wc -l`]"
echo ""
grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq > 2ban.log

for line in `cat 2ban.log`; do
        iptables -A INPUT -s $line -j DROP
        echo "[+] $line - banned"
date >> 2ban.log
echo "-------------------------------------------" >> 2ban.log
echo "[+] Done."


If you have any ideas how can we build more secure servers
feel free to write a comment here.

Enjoy ;)


  1. The ban script code is a bit buggy - attacker is able to put this kind of header in request:

    X-Pwnd: 200 2014 pozdro Kuba

    ...and block all IPv4 addresses ;-)

    It would be better to use some kind of regular expression to get the real source IP address, or corelate it with normal Apache access_log.

  2. Hi Jakub,

    first of all - thanks for watching ;)

    Second: good finding! It is true that you can block 'all addresses'.
    I decide to not put this script at cron (to manually check logs first).
    If you have some ideas how to fix this little code, feel free to write it here.
    Maybe this will help someone else too ;)

    Anyway, again thanks for watching ;)



What do You think...?