Fingerprinting Port 80 Attacks: Part 2 [2/2]


* http://host/lame.asp?asp=%u0061.txt

    This request does the same thing using Microsoft's "%u" encoding (%u0061 is the letter "a", so IIS
sees asp=a.txt). While the request still stands out when you read the logs by hand, an IDS product
that only decodes the standard %XX escapes may miss it and let the attacker continue his fun
unnoticed. %u escapes can also be mixed in with ordinary ASCII characters, and that alone is enough
to defeat some IDS signatures.


Visit the link below for further information on this encoding method.
http://www.eeye.com/html/Research/Advisories/AD20010705.html
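To make the evasion concrete, here is an added Python example (not code from the paper or from the eEye advisory) that decodes IIS-style %uXXXX escapes alongside ordinary %XX escapes and compares what a %XX-only decoder matches against what a full normalizer matches. The signature list and the sample requests are constructed for the example; only the %u0061 request comes from the text above.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not taken from a real log): the same IIS
# request written plainly, with a standard %XX escape, with Microsoft %uXXXX
# escapes, with a single %u escape mixed into plain ASCII, and the page's
# own %u0061 example.
SAMPLE_REQUESTS = [
    "/MSADC/root.exe?/c+dir",
    "/MSADC/root%2Eexe?/c+dir",
    "/MSADC/%u0072%u006f%u006f%u0074.exe?/c+dir",
    "/MSADC/r%u006fot.exe?/c+dir",
    "/lame.asp?asp=%u0061.txt",
]

# Hypothetical signature list in the style of a filename-matching IDS rule.
SIGNATURES = ("root.exe", "cmd.exe")

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")

def decode_u_escapes(s: str) -> str:
    """Decode IIS-style %uXXXX escapes to the character with that code point."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def naive_normalize(s: str) -> str:
    """What a %XX-only decoder sees: %u escapes are left in place."""
    return unquote(s)

def normalize(s: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX escapes until the string stops changing.
    The round limit keeps double-encoded input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(decode_u_escapes(s))
        if decoded == s:
            break
        s = decoded
    return s

def matches(request: str, normalizer) -> list:
    """Signatures found in the request after running it through normalizer."""
    seen = normalizer(request).lower()
    return [sig for sig in SIGNATURES if sig in seen]

def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to (hits with %XX-only decoding, hits with full decoding)."""
    return {r: (matches(r, naive_normalize), matches(r, normalize)) for r in requests}

if __name__ == "__main__":
    for req, (naive, full) in compare().items():
        print(f"{req:48} %XX-only={naive} full={full}")
```

Running it shows the plain and %2E requests matching under both decoders, while every request carrying a %u escape slips past the %XX-only decoder and is caught only after full normalization. Decoding in a bounded loop matters because %u0025 decodes to "%", so a double-encoded request needs a second pass.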



VII. Web Server Codes and Logging:

    When an attacker is probing your web application, the attempts will often make your software
produce error messages, some visible to the attacker and some visible only to you. This section
covers the kinds of error messages that show up in your logs and what they may mean. It is basic
material aimed at newcomers to web server logging; if you already have a good grasp of logging,
skip ahead to the next chapter.


403 Forbidden (Permission Denied) Errors

  This error is returned when the web server process (which normally runs as an unprivileged user
such as nobody) is not allowed to read the requested file, or when the configuration explicitly
denies access to it. Sometimes the webmaster simply forgets to chmod a file readable. When a file
that is deliberately not world readable (a password file, for example) is requested through your
web site, treat it as an alarm: move the file out of the document root, and examine your logs
further, because the requester knew the path to ask for.


[Wed Feb 20 10:23:33 2002] [error] [client 192.168.1.1] (13)Permission denied: file permissions deny server access: /some/path/htdocs/secret/apache-unreleased-overflow.c
(Message as it would appear in your error_log)

                                                                                                 |-- 403 Code
192.168.1.1 - - [20/Feb/2002:10:23:33 -0500] "GET /secret/apache-unreleased-overflow.c HTTP/1.0" 403 206
(Message as it would appear in your access_log)


404 Not Found Errors

  On a large web site, or even a medium sized one, other sites will link directly to your material.
As time goes by things get moved around, and those old references are no longer valid. You will see
such requests in your access_log, or more easily in your error_log. Requests for missing or obsolete
files can tell you that you renamed a file incorrectly, or that someone is poking around. IDS
products do not alert on the bulk of 404 errors, because a 404 is not by itself a threat: 404s are a
normal part of running a web site, and the overwhelming majority of them are not attacks or probes
at all. Instead, IDS software matches signatures against the requested filenames, some of which I
mention below.


  The log entry below is from someone scanning my site for the popular FormMail CGI script
(requested here as formail.pl). FormMail has had multiple security issues, and it was recently
found to be widely abused by spammers to relay unwanted email.


[Wed Feb 20 10:30:42 2002] [error] [client 192.168.2.2] script not found or unable to stat: /usr/local/apache/cgi-bin/formail.pl
(Message as it would appear in your error_log.)

                                                                                |-- 404 Code
192.168.2.2 - - [20/Feb/2002:10:30:42 -0500] "GET /cgi-bin/formail.pl HTTP/1.0" 404 3683 "-" "Mozilla/4.78 [en] (Win98; U)"
(Message as it would appear in your access_log)


    This can be a sign that someone is scanning your machine, or your subnet, for holes. Obviously a
404 in your logs does not by itself mean you are under attack. Study your logs carefully for files
that are commonly mislinked, and check for anything out of the ordinary.


Below is another example, this time a request for root.exe, the backdoor copy of cmd.exe that the
Code Red II worm left in the /scripts and /MSADC directories of infected IIS servers, and which the
later Nimda worm also scanned for.

[Tue Dec 18 05:11:04 2001] [error] [client 192.168.3.3] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
(Message as it would appear in your error_log)

                                                                                   |--- 404 code

192.168.3.3 - - [18/Dec/2001:05:11:04 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3147
(Message as it would appear in your access_log)


    Scanners look for this file hoping to find an easily backdoored machine: a request such as
/MSADC/root.exe?/c+dir runs "dir" through the leftover copy of cmd.exe, and from there the attacker
can run arbitrary commands on your IIS machine.


500 Server Error


  When an attacker is testing a script for command execution or remote file read abilities, they
insert characters (like those mentioned above) to achieve this. Scripts often do not handle the
unexpected input well and terminate abnormally, which shows up in your logs as a server error (500
code). Not every 500 means an attacker is scanning you: users who upload scripts that are not
configured correctly for your particular system produce the same error.

Below is an example

                                                                                |--- 500 Code
192.168.4.4 - - [18/Dec/2001:05:11:04 +0000] "GET /cgi-bin/port80.cgi HTTP/1.0" 500 529 "-"
"Mozilla/4.78 [en] (Win98; U)"
(access_log)

[Thu Dec 13 15:30:23 2001] [error] [client 192.168.4.4] Premature end of script headers:
/usr/local/apache/cgi-bin/port80.cgi
(error_log)

What the attacker is attempting determines the exact reason you will see in your error_log;
"Premature end of script headers" simply means the CGI exited before printing a valid HTTP header.


Htaccess error codes


  Not every error message is an attack against your system. Often it is as simple as a user typing
the wrong username or password. On the other hand, attackers sometimes run a program like "WWWhack"
to brute force the passwords on your protected areas. Below is an example.


192.168.5.5 - miked [30/Jan/2002:13:37:26 -0500] "GET /secret HTTP/1.0" 401 397 "-" "Mozilla/4.78 [en]C-CCK-MCD snapN45b1  (Win98; U)"
(Message as it would appear in your access_log)

[Wed Jan 30 13:37:26 2002] [error] [client 192.168.5.5] user miked: authentication failure for "/secret": password mismatch
(Message as it would appear in your error_log)

  This shows a failed login attempt by 192.168.5.5 trying the username miked. If you see a lot of
failed requests from the same IP address, there is a good chance someone is trying to brute force
your password protection. Somewhere between one and forty failures may just be a user who forgot
his password. Another hint of a break-in attempt is a single IP address trying non-existent
accounts, or cycling through multiple usernames.

A complete list of error codes can be found at the link below.
http://www.w3.org/Protocols/HTTP/HTRESP.html


Extended logging options with Apache

  Apache logs through a module called "mod_log_config". It lets the administrator choose the format
the data is logged in, including which HTTP headers are recorded. New attacks are published from
time to time that rely on additional HTTP headers (examples: Content-Encoding, Host, ETag,
Content-MD5, Warning, WWW-Authenticate, etc.). By default Apache does not log these fields. The
"LogFormat" directive gives the administrator control over what is logged and what is not, which
is particularly useful when investigating breaches or application problems.
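As an added example (not code from the paper), the Python script below ties the status-code sections above together with the LogFormat discussion: it compiles an assumed extended LogFormat string into a parser, so the Host, Referer and User-Agent headers come back as named fields, and then applies this section's heuristics (signature filenames on 404s, any 403, any 500, and repeated or multi-username 401s from one address) to sample lines. The format name "extended", the signature list and the failure threshold are assumptions; the sample lines are the page's own access_log entries re-rendered into the extended format plus two constructed ones.

```python
import re
from collections import Counter, defaultdict

# Assumed extended LogFormat (not from the page): the common log format plus
# the Referer, User-Agent and Host request headers, which the default format
# never records. In httpd.conf the value is written with escaped quotes:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" extended
#   CustomLog logs/access_log extended
LOG_FORMAT = '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Host}i"'

# Regex for each mod_log_config directive this parser understands.
_DIRECTIVES = {
    "%h": r"(?P<host>\S+)",
    "%l": r"(?P<ident>\S+)",
    "%u": r"(?P<user>\S+)",
    "%t": r"\[(?P<time>[^\]]+)\]",
    "%r": r'(?P<request>[^"]*)',
    "%>s": r"(?P<status>\d{3})",
    "%b": r"(?P<bytes>\d+|-)",
}
_HEADER = re.compile(r"%\{([^}]+)\}i")        # %{Header-Name}i = request header
_TOKEN = re.compile(r"(%\{[^}]+\}i|%>s|%[a-z])")

def compile_logformat(fmt: str):
    """Turn a LogFormat string into a regex whose named groups are the fields."""
    pattern = ""
    for tok in _TOKEN.split(fmt):
        header = _HEADER.fullmatch(tok)
        if tok in _DIRECTIVES:
            pattern += _DIRECTIVES[tok]
        elif header:
            name = header.group(1).lower().replace("-", "_")
            pattern += r'(?P<hdr_%s>[^"]*)' % name
        else:
            pattern += re.escape(tok)            # literal spaces and quotes
    return re.compile("^" + pattern + "$")

LINE_RE = compile_logformat(LOG_FORMAT)

def parse_line(line: str):
    """Parse one access_log line; returns a dict of fields, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ", 2) + ["", "", ""]
    rec["method"], rec["path"], rec["proto"] = parts[:3]
    rec["status"] = int(rec["status"])
    return rec

# Filenames the 404 section calls out; matched case-insensitively as substrings.
SIGNATURE_PATHS = ("/cgi-bin/formail.pl", "/msadc/root.exe", "/scripts/root.exe", "cmd.exe")
# Rough upper bound for a forgetful user, following the htaccess section.
AUTH_FAILURE_THRESHOLD = 40

def analyze(lines):
    """Run the page's status-code heuristics over access_log lines."""
    findings = []
    auth_failures = Counter()
    usernames = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        path = rec["path"].lower()
        if rec["status"] == 404 and any(sig in path for sig in SIGNATURE_PATHS):
            findings.append(("probe", rec["host"], rec["path"]))       # known scanner target
        elif rec["status"] == 403:
            findings.append(("denied", rec["host"], rec["path"]))      # non-readable file requested
        elif rec["status"] == 500:
            findings.append(("script-error", rec["host"], rec["path"]))
        elif rec["status"] == 401:
            auth_failures[rec["host"]] += 1
            usernames[rec["host"]].add(rec["user"])
    # Many failures, or several different usernames, from one address.
    for host, n in auth_failures.items():
        if n > AUTH_FAILURE_THRESHOLD or len(usernames[host]) > 1:
            findings.append(("brute-force", host, n, sorted(usernames[host])))
    return findings

# Constructed sample: the page's own access_log examples re-rendered in the
# extended format, plus a benign 404 with a Referer and a second 401.
SAMPLE_LOG = """\
192.168.2.2 - - [20/Feb/2002:10:30:42 -0500] "GET /cgi-bin/formail.pl HTTP/1.0" 404 3683 "-" "Mozilla/4.78 [en] (Win98; U)" "www.example.com"
192.168.3.3 - - [18/Dec/2001:05:11:04 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3147 "-" "-" "192.0.2.10"
192.168.1.1 - - [20/Feb/2002:10:23:33 -0500] "GET /secret/apache-unreleased-overflow.c HTTP/1.0" 403 206 "-" "-" "www.example.com"
192.168.4.4 - - [18/Dec/2001:05:11:04 +0000] "GET /cgi-bin/port80.cgi HTTP/1.0" 500 529 "-" "Mozilla/4.78 [en] (Win98; U)" "www.example.com"
192.168.5.5 - miked [30/Jan/2002:13:37:26 -0500] "GET /secret HTTP/1.0" 401 397 "-" "Mozilla/4.78 [en] (Win98; U)" "www.example.com"
192.168.5.5 - admin [30/Jan/2002:13:37:27 -0500] "GET /secret HTTP/1.0" 401 397 "-" "Mozilla/4.78 [en] (Win98; U)" "www.example.com"
192.168.6.6 - - [20/Feb/2002:10:40:00 -0500] "GET /oldpage.html HTTP/1.0" 404 3683 "http://other.example/links/" "Mozilla/4.78 [en] (Win98; U)" "www.example.com"
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The benign 404 (an old page reached through a Referer on another site) produces no finding, which is the point of matching filenames rather than status codes. The recovered Host header is worth a look too: the root.exe request carries a bare IP address where a real visitor would send one of your virtual host names, which is consistent with a scanner sweeping address ranges rather than a user following a link.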



Mod Log Config:
http://httpd.apache.org/docs/mod/mod_log_config.html

LogFormat Directive:
http://httpd.apache.org/docs/mod/mod_log_config.html#logformat


Further information on HTTP headers can be found below:

RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0
http://www.ietf.org/rfc/rfc1945.txt

RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1
http://www.ietf.org/rfc/rfc2068.txt



VIII. Conclusion:


    Once again, this paper doesn't cover every port 80 exploit, but it covers the most common types
of attacks. It tells you what to check for in your logs, what to watch for when programming an
application, and what to write your IDS rules for.


    I wrote the second piece of this paper due to the large interest in the first one. I also
would like to promote more awareness of these issues in an easy to understand paper.
If you have any comments or suggestions email me at admin@cgisecurity.com.



IX. References and links mentioned within


Apache Related:

Mod Log Config:
http://httpd.apache.org/docs/mod/mod_log_config.html

LogFormat Directive:
http://httpd.apache.org/docs/mod/mod_log_config.html#logformat


IIS %u Encoding:
http://www.eeye.com/html/Research/Advisories/AD20010705.html


HTTP Related:

Status Codes
http://www.w3.org/Protocols/HTTP/HTRESP.html

RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0
http://www.ietf.org/rfc/rfc1945.txt

RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1
http://www.ietf.org/rfc/rfc2068.txt


Misc:
http://www.w3.org


SQL Injection:
http://www.spidynamics.com/
"SQL Injection Are Your Web Applications Vulnerable?" Kevin Spett, 2002

http://www.ngssoftware.com
"Advanced SQL Injection In SQL Server Applications" Chris Anley, 2002


Unicode:
http://www.w3.org/TR/REC-html40/charset.html


Special Thanks:

OWASP (Open Web Application Security Project - www.owasp.org)
Mark Curphey
Dennis Groves
Joel Gridley (a.k.a. Jarmaug)
Mike D. For the failed login attempts :)
PhantasmP
zenomorph for providing you with this hopefully useful paper


Published to the Public March 2002
Copyright December 2002 Cgisecurity.com


--
Regards: Joh@nnes
1216771 Ont.Inc.
"Nothing is more damaging to a new truth than an old error"
Johannes
3/8/2002 2:57:00 PM


Johannes Niebach wrote...

<...>
> Copyright December 2002 Cgisecurity.com


Oh no!  It's a time distortium.  Did anyone catch the
lottery numbers for March or April?
reader
3/8/2002 6:10:00 PM