A review of attacks


Since posting my Minecraft in a weekend post I have been running the demo of a flask service on one of my servers. It would be more prudent to run it on something like GitHub pages but I haven’t spent the time to migrate it so using a static flask delivery service is where I am with that.


One benefit of having the service running on flask is that I have access to the logs of people trying to hack my server.

It’s been interesting to see how many attempts there have been. Given my blog rarely attracts a single reader, with the exception of when I post a submission on hacker news, it’s interesting to see 90% of the traffic come from bots trying to gain privileges on the server.


I want in this post to go through some of the attempts on the server and what I believe the attacker was trying to do and where their attack would have worked.


First, it’s interesting to see how many of the attackers check for the existence of a robots.txt before continuing. (There isn’t one so they receive a 404 on that request)


How do you become an admin? Just claim to be one:

This seems to be an attempt to access the system under the belief that it is a database system https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e78db616-689f-4b8a-8a99-525f7a433ee2?redirectedfrom=MSDN

The problem is people open things to the web but doesn’t change the default credentials and so although this won’t allow the attacker into my system, there are systems that will:


You can’t handle the zeros!

A lot of the requests that I presume are coming from nefarious actors use long sequences of Unicode characters I presume in an attempt to find issues with the system where it believes that these sequences mean something.

This particularly common one is just a whole lot of zero. Not the number zero mind you as that’s \x30.

\x00 is the zeroth character of the Unicode list. Its a non-printable character.


What was the password again?

I’m not sure that this attack will work overly well but I really appreciate it. A* for effort.

Thankfully the default settings on flask don’t allow for file access outside of the folder you designate. The flask user is also not running with root privileges so even if it was set up wrong it flask wouldn’t be able to open this file.


So you’re a developer, debug in java?

I don’t know if this one has been thought through, given the link to the server is on my blog, or if they are using this attack on anything they come across.

The attack is trying to access a java debug system. If you run java in some form of debug mode and want to connect to it from a local IDE, one way is to open up this port system. Doing so I presume without further security settings will give an attacker trying this access to your java debugger. That will give them the same privileges as the java program that you are debugging and from there a route to elevating their privileges. There is no java running on this server, at least not anymore (I was running a Minecraft server off here during the hight of the pandemic), so this has no hope of working. It’s also trying to access a java debug system on a port that I’m running a python flask server.


This is a wordpress site right?

This attack is clearly trying to access some elements that might yield a way into a WordPress site. WordPress attacks are good for when you are just throwing mud at the wall and want to find users with security flaws rather than targeting a specific user. This is because such a large fraction of the web is hosted as WordPress sites. Lots of people don’t update their WordPress software and so well known but patched WordPress exploits can continue to be successful for years.


More Zeros!!

If it doesn’t work send more zeros.


Attack of the Unicode cat

It often feels like the server is under attack by a cat walking across a Unicode keyboard.


Getting caught in cobwebs

I’m not sure if the following is an attack that is trying to gain access to the system or a spider trying to crawl for useful API's?

Perhaps it’s the latter but the definition of useful API's it’s using is those that give access to the user's webcam? Maybe security cameras. The stalker portal is this project. I originally thought it might just be looking for a place where stalkers can call home.


Would you let me migrate you?

This is another WordPress attack this time trying to get access through the duplicator, migration extension.


Go on you must have a camera somewhere?

Another attack trying to gain access to cameras, this time with the flu?

I want to log into something! Why won't you let me log into something?

Jokes aside what this series of attacks are trying to do is work out what the nature of the system the website is hosted on is. First does it use asp.net PHP Magento?

You parse XML on this WordPress site right?

Here again, is the assumption the site is WordPress. This time it is looking for an exploit in a version of an XML parser. 


Units!!!

I feel like this one might have been one of my old physics teachers. The syllabus was both very strict about making sure you noted down what the unit was and also strict about using only SI units. I feel the latter makes the former superfluous but the exasperation of the teachers going “9 what?” “9 + a bat?”

I mean it could always have been something else right?


So that’s the highlights. I didn’t expect these to happen, it’s hardly like there are any backlinks to my blog but I thought they were worth sharing. I doubt this post will stop the repeated attempts as I can only imagine them to all be automated.

Please don’t worry about the attacks which seem to have come from a local IP, those are just the ones forwarded through the apache proxy.


Comments

Popular posts from this blog

An exploration in number systems

Structural engineering with cardboard

The twelve fold way