Reconstructing a hacker attack from a few lines of access log

Copyright: Creative Commons Attribution license; others may build on this work, and must distribute derivatives under the same Creative Commons license as the original.

In forensics it is often said that "the dead can speak"; in the world of network attack and defence, the log is the most important means of tracing. Today's story shows how the whole course of an attack, and the attacker's common methods, can be reconstructed from just a few lines of access requests.

Every day a large number of attackers use the exploits published for various plugins to attack WordPress and Joomla sites.

What follows mainly describes attack methods that use Google Dorks.

Google Hacking is the most common way attackers find targets: using Google to find websites that may contain vulnerabilities.

For example, the inurl operator can be used to find misconfigured WordPress sites: [inurl:"wp-content" "index of"]. Almost every vulnerability in the web world is public, and Google hacking can be used to find targets for it. Does an attacker using Google Hacking simply type search terms into the search box and then work through the results? Obviously not. Let us look together at the obstacles and problems encountered when retrieving targets in bulk.

Difficulty 1: Because of Google's restrictions, a search may report a million or more matching sites, but you can retrieve at most 1000 of them.
Difficulty 2: Of those 1000 sites, not all are vulnerable; in general the expected proportion of vulnerable sites is below 20% (of course this is not fixed; it may be higher on the day a vulnerability is announced).
Difficulty 3: Google pops up a CAPTCHA for extremely frequent requests, which hinders automated Google Hacking.

So how do attackers overcome the obstacles mentioned above?

Now we formally enter our subject: through several log lines, let us see what the common practices of these clever attacks are.

5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1" 302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1" 302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1" 302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"
PHP Proxy 

All three requests above request the PHP file includes/freesans.fr.php. Searching for it shows that it is an open-source web proxy. Using the proxy, the attacker can issue requests to Google without exposing their real IP address, which breaks through Google's IP restrictions.

From the log above it is visible that the attacker is doing Google Hacking through the proxy:

Dorks

The dork statements that can be extracted from the requests above are:

  1. [wp-content revslider site:mobi]
  2. [com_adsmanager +logo site:dj]
  3. [wp-content +revslider site:mobi]

From the first and third requests we can see that the attacker was looking for WordPress sites using the Slider Revolution plugin. (Slider Revolution had a vulnerability disclosed last year, and to this day hackers are still looking for sites containing it.)

The second request seems to look for Joomla sites using the AdsManager plugin, because some versions of that plugin have a known vulnerability.

So far, we can summarize the methods the attacker commonly uses in the Google dork trick:

  1. Use site: with a top-level domain to bypass the 1000-result limit mentioned earlier. Doing Google hacking with site:mobi, site:com, site:org, site:net and so on, you get
    1000 suspicious site URLs with the .mobi suffix, 1000 with the .com suffix, 1000 with the .org suffix and 1000 with the .net suffix. By combining the same dork with different top-level domains, you get far more than 1000 vulnerable
    URLs.

  2. Breaking through the IP restriction. The attacker bypasses the IP restriction with the following tricks:
    using &num=100 to increase the number of results per page, thereby reducing the number of requests;
    distributed proxies, using many compromised hosts ("broilers") to issue the requests.
    This also explains why the attacker does not care what site they attack: as long as it has CPU and computing resources they can use, they want to occupy it.

  3. Forged UA. The requests are made to look like they come from many different real users behind an ISP. As shown below, each UA looks the same, but there are small differences.

    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0
    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0
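A small log-triage script, added here as an example and not part of the original post, that does what the dork extraction and UA comparison above do by hand: it parses Apache combined-format lines, spots requests that tunnel a Google search through the proxy script, decodes the dork and its site: TLD, and counts the distinct User-Agents one client IP presented. The three attacker lines are the ones quoted above; the fourth, benign line is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse
# Sample input: the three proxy requests quoted in the post plus one constructed benign request.
SAMPLE_LOG = """\
5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1" 302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1" 302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1" 302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"
198.51.100.7 - - [01/Oct/2015:13:09:02 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
"""
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def proxied_search(path):
    """Return (dork, tld, num, start) if the request tunnels a Google search through the proxy, else None."""
    outer = parse_qs(urlparse(path).query)
    target = urlparse(outer.get("____pgfa", [""])[0])  # the proxy's destination-URL parameter, decoded once
    if not target.netloc.endswith("google.com") or target.path != "/search":
        return None
    # After that single decode the Google query is plain text; a second unquote would turn the '+' operator into a space.
    inner = dict(p.split("=", 1) for p in target.query.split("&") if "=" in p)
    dork = inner.get("q", "")
    site = re.search(r"site:(\S+)", dork)
    # num/start were appended unencoded, so they arrive as parameters of the proxy request itself
    num = int(outer.get("num", [inner.get("num", "0")])[0])
    start = int(outer.get("start", [inner.get("start", "0")])[0])
    return dork, (site.group(1) if site else None), num, start

def triage(log_text):
    """Per client IP: dorks tunnelled, TLDs targeted, distinct UAs presented, deepest result offset reached."""
    report = defaultdict(lambda: {"dorks": [], "tlds": set(), "uas": set(), "max_result": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = proxied_search(m["path"]) if m else None
        if hit is None:
            continue
        dork, tld, num, start = hit
        e = report[m["ip"]]
        e["dorks"].append(dork)
        e["tlds"].add(tld)
        e["uas"].add(m["ua"])
        e["max_result"] = max(e["max_result"], start + num)
    return dict(report)

if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(f"{ip}: {len(e['dorks'])} proxied searches, {len(e['uas'])} UAs, TLDs={sorted(e['tlds'])}, results to {e['max_result']}")
```

An IP that proxies several Google dorks under several User-Agents within a minute is the signature described above; the same parser can be pointed at a real access log to find the proxy script before it is abused further.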

Through analysis of these three log lines, we understand the attacker's behaviour as follows:

  1. Why attackers are not focused on a single vulnerability but care about so many different ones. (A greater chance of discovering sites that can be compromised.)
  2. Why timely software updates and patches are so important for every site. (Otherwise your site is likely to become a target of batch hacker attacks.)
  3. How attackers find a large number of vulnerable sites in a short time. (Using Google dork technology.)
  4. How they use hosts already captured to keep expanding their results. (Installing a web proxy on the compromised host and continuing Google hacking through the proxy.)
  5. Why your IP address is also a very important resource to an attacker. (It enables distributed and anonymous attacks.)


Origin blog.csdn.net/kclax/article/details/93632829