Fun with logs - Hackers!

Reading of the "User Agents" in the log was repetitive but instructive. It also allowed me to observe more interesting traces.





For example, this connection:
X.X.X.X 88.166.82.62 - [30/Dec/2012:06:52:36 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"


This connection is unusual for several reasons:

• It tries to connect to a page that does not exist on my server. The page /user/soapCaller.bs is an admin page of the Drupal CMS.
• It connects directly to the IP address of my server instead of the DNS name. This is probably a robot that scans entire address ranges rather than targeted attacks
• The user agent "Morfeus Fucking Scanner" is a vulnerability scanner

Other connections try to access to administration pages of PhpMyAdmin and other tools:
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 345 "-" "ZmEu"
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:13 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 345 "-" "ZmEu"
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:14 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "-" "ZmEu"
Here the user agent used is "Zmeu" which is also the name of a monster romanian mythology. The first connection seems to leave a signature "w00tw00t.at.blackhats.romanian.anti-sec".

I also found traces of a port scanner called "DFind":

X.X.X.X - - [05/Feb/2013:09:24:57 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"


Another scanner with the signature "muieblackcat" comes several times. It searches for a large number of php pages.

X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:43 +0000] "GET /muieblackcat HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:43 +0000] "GET //index.php HTTP/1.1" 418 1370 "-" "-"

X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:54 +0000] "GET //admin/index.php HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:54 +0000] "GET //admin/pma/index.php HTTP/1.1" 404 345 "-" "-"

Other unfair connection without User-Agent, neither signature:

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:20:59 +0000] "GET / HTTP/1.1" 200 1371 "-" "-"

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:00 +0000] "GET /phpldapadmin/ HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:00 +0000] "GET /phpldapadmin/htdocs/ HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:01 +0000] "GET /phpldap/ HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:02 +0000] "GET /phpldap/htdocs/ HTTP/1.1" 404 345 "-" "-"

X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:02 +0000] "GET /admin/ HTTP/1.1" 404 345 "-" "-"

And also some connections using the DNS:
X.X.X.X www.htcpcp.net - [21/Jan/2013:17:55:53 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "http://HTCPCP.NET/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

X.X.X.X www.htcpcp.net - [21/Jan/2013:17:55:53 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "http://HTCPCP.NET/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

As a conclusion I find many connections from curious or malicious people. We can't really talk about hackers, but rather script kiddies. In any case, I'll need to look at the safety of my teapot. Maybe strengthen my iptables rules, implement Fail2ban or install an complete IDS such as Snort. Especially in this log, I see only connections on port 80. I'm sure that the traffic on port 22 (SSH) would also be interesting to study.

Image credit: Oren neu dag (Own work) [CC-BY-SA-3.0], via Wikimedia Commons)