Detect hack attempts through log analysis

  • Mar. 12, 2002

There is another good reason to view your web server site logs.  Recently, while performing a routine review of a client’s logs, we came across some disturbing errors.  We thought we’d pass on this information, as anyone who owns or hosts websites is vulnerable. 

Within most properly configured log files, you will be able to see “404” or “page not found” errors.  These errors can indicate many things: pages that no longer exist, improperly referenced pages, or missing images.  What else we found bothered us enough to pass this on to you.

As you are well aware, viruses are created to exploit vulnerabilities in your computer’s hardware or software.  Some are minor annoyances, while others can be extremely dangerous.  What we found in the logs has the potential to be one of the latter.

A few months ago a virus came out that was referred to as “Code Red.”  It came as an email attachment that could be easily removed by most virus removal software.  If it wasn’t removed, it “became” part of your computer, letting the creator of the virus know of holes in your computer and giving the virus owner the ability to exploit those breaches.  In some instances, the virus also became a kind of search tool which would surf the web, from your computer, looking for other computers to take over.

It works by scanning a range of IP addresses, executing common commands to try to find a way into a computer.  When it does, it records the IP of that computer and forwards it to its creator.  This is similar to someone walking down the street trying car doors, looking for one that is unlocked.  That person would then make a note of the vehicle and its location, to come back later and steal it.  This is, in essence, what the virus is doing.

How does this affect you?  If you own a website, or a web server, chances are you have been scanned by this virus, and if a hole has been found, it has already been reported.  What does this mean to you?  If you have a hole, this gives the virus creator a means to get into your computer remotely and take it over.  He can then wipe out the existing web sites, and create his own uses for the computer.  In other words, HE will have control over your computer, not YOU.

These hackers are so malicious that even if you disconnect your computer from the internet, or shut it down, you will not be able to regain control.  By the time you figure out that you are the victim of such an attack, your passwords have already been changed, effectively locking you out.  In this case, one of the few alternatives is to reformat your hard drive, losing any data which may have survived the hacker, and reinstall all your software.

How do you protect yourself?  When you view the “Page not found” or “404” errors section of your website report, look for errors starting with /scripts/, /c/, /d/, /msadc/, /_vti_bin/, or /_mem_bin/ and ending in “cmd.exe”.

Here is an excerpt from a log file analysis report where we first saw this:

Hits   Share   Request (all logged with no referrer)
  38   6.54%   /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  22   3.78%   /scripts/root.exe?/c+dir
  21   3.61%   /MSADC/root.exe?/c+dir
  21   3.61%   /d/winnt/system32/cmd.exe?/c+dir
  21   3.61%   /c/winnt/system32/cmd.exe?/c+dir
  19   3.27%   /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /scripts/..Á../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /scripts/..À/../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /scripts/..À¯../winnt/system32/cmd.exe?/c+dir
  19   3.27%   /scripts/..Áœ../winnt/system32/cmd.exe?/c+dir
  17   2.92%   /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

All of these errors are the virus’s attempts at “hacking” its way into the web server.  The first number after each request is the total number of attempts; as you can see, the virus makes more than a single attempt at any command.
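To show how the rule above (known prefix, request ending in cmd.exe) and the per-request counts in the excerpt can be produced from raw server logs, here is an added example that is not part of the original article. It assumes Apache common log format, which the article does not state; the sample lines are constructed, using the request paths from the excerpt. The decoding of the stray accented characters in the excerpt as the overlong UTF-8 sequences %c0%af, %c1%9c and %c1%1c is an assumption, and the percentage is computed against all parsed requests rather than whatever base the original report used. The one check the article’s 404 section cannot show is also included: a probe that was answered with anything other than 404 is the line that actually matters.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format (not from the page's client logs).
# The request paths are the ones the report excerpt shows; the last line is a
# made-up case where the server answered 200 instead of 404.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:08:01:11 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
10.0.0.5 - - [12/Mar/2002:08:01:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 207
10.0.0.5 - - [12/Mar/2002:08:01:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 207
10.0.0.5 - - [12/Mar/2002:08:01:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
10.0.0.5 - - [12/Mar/2002:08:01:13 -0500] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
192.168.1.20 - - [12/Mar/2002:08:02:30 -0500] "GET /index.html HTTP/1.1" 200 5120
192.168.1.20 - - [12/Mar/2002:08:02:31 -0500] "GET /images/logo.gif HTTP/1.1" 404 207
10.0.0.9 - - [12/Mar/2002:08:05:00 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1432
"""

# ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Prefixes and targets named in the article and its report excerpt.
SUSPICIOUS_PREFIXES = ("/scripts/", "/c/", "/d/", "/msadc/", "/_vti_bin/", "/_mem_bin/")
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")
# Assumption: the stray accented characters in the excerpt are overlong UTF-8
# encodings of "/" and "\" that the log viewer rendered as text.
OVERLONG_MARKERS = ("%c0%af", "%c1%9c", "%c1%1c")


def parse_line(line):
    """Split one common-log-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """Apply the article's rule: known prefix, and the requested file is cmd.exe or root.exe."""
    decoded = unquote(path.lower())        # %5c -> "\", %2f -> "/"; overlong bytes -> U+FFFD
    target = decoded.split("?", 1)[0]      # drop the "?/c+dir" query string
    return target.startswith(SUSPICIOUS_PREFIXES) and target.endswith(SUSPICIOUS_TARGETS)


def encoding_trick(path):
    """Name the traversal encoding used, so the variants can be counted separately."""
    raw = path.lower()
    if any(m in raw for m in OVERLONG_MARKERS):
        return "overlong-utf8"
    if "%5c" in raw:
        return "encoded-backslash"
    if "%2f" in raw:
        return "encoded-slash"
    if "../" in raw or "..\\" in raw:
        return "plain-traversal"
    return "none"


def summarize(log_text):
    """Count probe requests per path and single out the ones the server did not reject."""
    attempts = Counter()
    non_404 = []
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if not is_probe(rec["path"]):
            continue
        attempts[rec["path"]] += 1
        if rec["status"] != "404":
            # A non-404 answer means the request reached something; act on this line first.
            non_404.append((rec["ip"], rec["path"], rec["status"]))
    return {
        "total_requests": total,
        "attempts": attempts,
        "probe_total": sum(attempts.values()),
        "non_404_probes": non_404,
    }


def report(summary):
    """Render the excerpt's layout: hits, share of all parsed requests, encoding, path."""
    lines = []
    for path, hits in summary["attempts"].most_common():
        share = 100.0 * hits / summary["total_requests"]
        lines.append(f"{hits:5d}  {share:6.2f}%  {encoding_trick(path):18s}  {path}")
    for ip, path, status in summary["non_404_probes"]:
        lines.append(f"ALERT status {status} from {ip}: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Running the block prints the per-request table for the constructed sample followed by one ALERT line for the request that got a 200. Decoding is done once, after lower-casing, so a mixed-case /MSADC/ and a %5C written in upper case match the same rule as the lower-case forms in the article.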

How do you protect yourself?  If you are a website owner, there isn’t much you can do other than ask your web hosting company whether they have protected themselves against these attacks.  Usually this involves applying a “patch” to the software.  If they are unwilling or unable to do so, we would recommend you start looking for another service provider.

If you are a web hosting company, you can protect yourself by always keeping your firewall, virus, and web software up to date.  Even if it means having to restart the server from time to time, this is preferable to losing an expensive machine to someone who wants to trade MP3s.

If you are unsure about how to read or analyze your log files, please contact us.  We can arrange for one of our experienced consultants to monitor your log files to ensure you are protected.


Rob Sullivan
