
What do malicious log entries look like?

A good server admin will be scrubbing her logs constantly. Whether you do this automatically or by hand, there is one thing that is a sure sign of malicious behavior: the ol' "they forgot to delete that file" trick.

When you set up something like phpMyAdmin, or anything else that ships with a setup or install script, those scripts live at a very predictable path. Some people try to exploit the fact that, after setup, admins forget to delete these scripts or to restrict their permissions.

Going through my logs this morning, I found this:

82.199.102.154 - - [25/Jan/2014:09:41:29 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
82.199.102.154 - - [25/Jan/2014:09:41:29 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
171.96.9.10 - - [25/Jan/2014:10:07:39 -0800] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 178 "-" "-"
171.96.9.10 - - [25/Jan/2014:10:07:41 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
171.96.9.10 - - [25/Jan/2014:10:07:41 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
171.96.9.10 - - [25/Jan/2014:10:07:43 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 178 "-" "-"
95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"
95.211.225.240 - - [25/Jan/2014:12:52:49 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"

See what they're trying to do there? They've got a pre-loaded list of URLs that they try one after another, all of which are the default install locations for things like phpMyAdmin. This series of "hackers" tried to exploit a vulnerability that just isn't there, and they ran into my blackhole, which now blocks them entirely from the network.

Be sure to look for patterns like this when you're scrubbing your logs. If the same IP is trying to access something that you know isn't there, and they keep trying to change the way to get in or even just keep hitting it over and over again, chances are they've got some bad intentions.
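The pattern described above can be checked automatically rather than by eye. The following is an added example (not code from the original post): it parses Apache/nginx "combined" format log lines, groups requests by client IP, and flags an IP when it requests any of the well-known setup-script paths from the log excerpt above, or when it keeps hitting the same non-existent path (non-2xx response) over and over. The `PROBE_PATHS` set, the `min_hits` threshold, and the two extra sample lines (a benign visitor at 203.0.113.5 and a repeat-404 client at 198.51.100.7 hitting a hypothetical `/admin/`) are constructed assumptions; the other sample lines are the ones from the post.

```python
import re
import sys
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumption: the post's lines use it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default install/setup script locations that no legitimate visitor requests
# on a server that does not host the tool. Taken from the post's log excerpt;
# extend this set for your own environment.
PROBE_PATHS = {
    "/pma/scripts/setup.php",
    "/myadmin/scripts/setup.php",
    "/phpMyAdmin/scripts/setup.php",
    "/phpTest/zologize/axa.php",
}

# Constructed sample input: the post's lines plus one benign visitor and one
# client repeatedly hitting a hypothetical missing path.
SAMPLE_LOG = [
    '82.199.102.154 - - [25/Jan/2014:09:41:29 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '82.199.102.154 - - [25/Jan/2014:09:41:29 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '171.96.9.10 - - [25/Jan/2014:10:07:39 -0800] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 178 "-" "-"',
    '171.96.9.10 - - [25/Jan/2014:10:07:41 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '171.96.9.10 - - [25/Jan/2014:10:07:41 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '171.96.9.10 - - [25/Jan/2014:10:07:43 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 178 "-" "-"',
    '95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '95.211.225.240 - - [25/Jan/2014:12:52:48 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '95.211.225.240 - - [25/Jan/2014:12:52:49 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-"',
    '203.0.113.5 - - [25/Jan/2014:11:00:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jan/2014:13:10:00 -0800] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jan/2014:13:10:02 -0800] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probing_ips(lines, min_hits=2):
    """Return {ip: details} for clients that look like scanners.

    An IP is flagged if it requested any known setup-script path, or if it
    hit the same path at least `min_hits` times without getting a 2xx reply
    (the "keep hitting it over and over" pattern).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        probed = sorted({r["path"] for r in recs if r["path"] in PROBE_PATHS})
        misses = Counter(r["path"] for r in recs if not 200 <= r["status"] < 300)
        repeated = sorted(p for p, n in misses.items() if n >= min_hits)
        if probed or repeated:
            flagged[ip] = {
                "probe_paths": probed,
                "repeated_misses": repeated,
                # Scanners often send no Referer and no User-Agent at all.
                "blank_client": all(r["referer"] == "-" and r["ua"] == "-" for r in recs),
            }
    return flagged


if __name__ == "__main__":
    # Usage: python probe_scan.py access.log   (falls back to the sample above)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in find_probing_ips(lines).items():
        print(ip, info)
```

Feed it your real access log and review the flagged IPs before blocking anything; the probe-path rule is a strong signal on its own, while the repeated-miss rule needs a threshold tuned to your traffic so that a user reloading a broken bookmark is not treated like a scanner.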