(possible) webserver attack


theresa mic-snare

Oct 5, 2015, 7:25:18 AM
to ossec-list
Hi all,

it's my weekly ossec question post ;)

maybe you can help shed some light onto this one, as I'm not really good with HTTP/Apache return codes.
I have tons of these types of requests in my current Apache webserver log

125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"

what are these doing except trying to call a youtube video?
I was once told that the GET requests are not as harmful as the POST requests...

I suppose it's just some script kiddie running a webserver attack script.
should I worry?

how to block these?

I have a couple of other request types as well, but they all follow the same pattern.

best,
theresa

Brent Morris

Oct 5, 2015, 12:55:16 PM
to ossec-list
I'm not familiar with apache logs... but it looks like you are being scanned with a web vulnerability scanner from an attacker in China.  The youtube string you see, I believe, is the user-agent string supplied by the scanning host.

Compile all the URL requests and set up a cdb list in OSSEC.  Then set up an active response based on the URL requested to block the offending IP address.  The rule will look something like the following.

<rule id="184780" level="12">
  <if_sid>31100</if_sid>
  <list field="url">lists/urlblacklist</list>
  <description>Web Vulnerability Scanner Detected</description>
</rule>

and active response... assumes the firewall-drop command will actually block the attacker at your perimeter.

  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>184780</rules_id>
    <timeout>300</timeout>
    <repeated_offenders>2,10,60,120,1440</repeated_offenders>
  </active-response>

Now all you need is the list and testing :)

theresa mic-snare

Oct 5, 2015, 1:36:35 PM
to ossec-list
Hi Brent,

thank you very much for your help and your explanations.

I'm just getting started with OSSEC, most of this is all new to me, but I'm learning quickly ;)
What does CDB stand for? I looked it up in the OSSEC docs and also googled it. Does it stand for common database?
According to the docs I need to compile the CDB list with ossec-makelists, right?

I want to understand this properly, and thus I want to document it for my thesis project -- so please correct me if I misunderstood you:

  1. I will create a list with the HTTP request strings, e.g.: GET /pub/english.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put it into a list/txt file, i.e. urlblacklist.txt
  2. then I will run ossec-makelists on this
  3. then I will set up a rule to block those requests .... where does this go?! Is it a rule inside the rules directory??!

<rule id="184780" level="12">
  <if_sid>31151</if_sid>
  <list field="url">lists/urlblacklist</list>
  <description>Web Vulnerability Scanner Detected</description>
</rule>

the rule that fired for me (according to my OSSEC WUI) was rule ID: 31151

  4. finally I will create an AR in my ossec.conf

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>184780</rules_id>
  <timeout>300</timeout>
  <repeated_offenders>2,10,60,120,1440</repeated_offenders>
</active-response>

Hopefully I'm not too far off....

thanks,
theresa

Brent Morris

Oct 5, 2015, 2:02:29 PM
to ossec-list
Yeah, you're in the neighborhood.

First - can you post some content from your archives.log with those Apache logs?  I can help better if I can see what you're seeing.

You need to see exactly what you're passing to the URL field using ossec-logtest in order to make your cdb list correctly.  Sometimes the decoder puts extra characters in the URL field, such as a space and a hyphen.  At least that was my case.

Here's a blurb from my cdb list.... nexpose makes the following requests during a web audit.

/spiffymcgee.cfm -:16
/spiffymcgee.jsp -:16
/jbossmq-httpil/ -:16
/spiffymcgee.nsf -:16
/spiffymcgee.jsp -:16
/spiffymcgee.nsf -:16

The important bits are on the left side of the colon.  I think I used Excel to autonumber and populate the right side of the colon.  But you're basically going to compare whatever is being passed to the URL field with exactly the content on the left side of the colon.  So you can see you'll need to be creative in your ability to separate out the URLs from the rest of the junk in your logs along with checking and removing valid URLs that might be in the list.  In your example #1, I would only use "/pub/english.cgi -:16" ..... there is a space and a hyphen in my case when running the logs against ossec-logtest.  I can't emphasize enough that it needs to be EXACT.  Partial matches will not trigger the rule.

The list will reside in /var/ossec/lists/urlblacklist

then run ./ossec-makelists

In your ossec.conf, add <list>lists/urlblacklist</list> inside <ossec_config><rules>

Add the rule to local_rules.xml

Use ossec-logtest to verify new rule is working properly.

Add the active response to ossec.conf

restart ossec and test with a real request to a URL in the list.  Verify active response has done its deed.

HTH!
-Brent
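The list-building step above is the fiddly part: the keys on the left of the colon must match the decoder's url field exactly, and legitimate paths have to be weeded out. The script below is an added example (not OSSEC's code and not posted by anyone in the thread) that parses Apache combined-format lines, keeps the request paths the server answered with 403/404, drops an operator-supplied allowlist, and renders cdb lines in the "/path -:16" shape Brent quotes. The " -" suffix and the constant "16" are assumptions copied from his list; confirm the suffix with ossec-logtest on your own decoder before trusting it. It also reports which client addresses sent the "() {" Shellshock-style function prefix in the referer or user-agent, which is what makes the quoted requests more than a plain scan. The sample log lines are constructed for the example.

```python
import re
import sys
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample log, modelled on the Apache combined-format entries quoted in
# the thread. The two 10.0.0.5 lines are ordinary traffic added so the filter has
# something legitimate to leave alone.
SAMPLE_LOG = """\
125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "-" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
10.0.0.5 - - [15/Sep/2015:00:51:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Sep/2015:00:51:01 +0200] "GET /images/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat:
#   host ident user [time] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True when the referer or user-agent starts with the '() {' bash function prefix."""
    return any(entry[f].lstrip().startswith("() {") for f in ("referer", "agent"))


def probe_sources(log_text: str) -> Set[str]:
    """Client addresses that sent at least one Shellshock-style probe."""
    sources: Set[str] = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_shellshock_probe(entry):
            sources.add(entry["host"])
    return sources


def scanner_paths(log_text: str,
                  allowlist: FrozenSet[str] = frozenset(),
                  statuses: FrozenSet[str] = frozenset({"403", "404"})) -> List[str]:
    """Unique request paths, in first-seen order, that the server refused or could not
    find, minus paths the operator knows are legitimate (the allowlist)."""
    paths: List[str] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["status"] not in statuses:
            continue
        path = entry["path"]
        # A colon inside a key would be ambiguous in the key:value list format, so skip it.
        if path in allowlist or ":" in path or path in paths:
            continue
        paths.append(path)
    return paths


def build_cdb_list(paths: List[str], key_suffix: str = " -", value: str = "16") -> List[str]:
    """Render OSSEC cdb list lines (key:value). Assumption: key_suffix mirrors the
    trailing ' -' Brent observed in the url field; check it with ossec-logtest."""
    return [f"{path}{key_suffix}:{value}" for path in paths]


if __name__ == "__main__":
    # Usage: python build_urlblacklist.py [access.log] > /var/ossec/lists/urlblacklist
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    known_good = frozenset({"/index.html"})  # hypothetical allowlist; fill from your site map
    for line in build_cdb_list(scanner_paths(text, known_good)):
        print(line)
    for host in sorted(probe_sources(text)):
        print(f"# shellshock-style probe seen from {host}", file=sys.stderr)
```

Review the generated file by hand before running ossec-makelists on it: any path a real user could legitimately request and get a 404 for would otherwise trigger the level-12 rule and the firewall-drop response against that user.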

theresa mic-snare

Oct 6, 2015, 6:10:12 AM
to ossec-list
Hi Brent,

thanks for the perfect explanations.

I just checked, my archives.log is 0 bytes, seems like it was log-rotated during the night,
and in the monthly folder, e.g. Oct or Sep, there are only checksum logs, e.g. ossec-archive-01.log.sum

But I've seen multiple requests from 1 IP address and put those requests into a txt file (I've attached it to this post)

no idea why my archives.log is empty :(

regards,
theresa
attack.log

Brent Morris

Oct 6, 2015, 7:42:16 PM
to ossec-list
Well, an empty log is an unhappy one.  Do you have the "log all" option in your ossec.conf?

For testing purposes, take one of the requests from your log and browse to your apache server with that request.

Then check the archives.log for the log entry.  Run it through ossec-logtest...

-Brent