Common Web Attacks. A quick 404 project update
We have been collecting for about a week now, and I think it is time to give everybody a quick update on the project. Thanks for all the submissions so far. We do have some initial results, just not enough to automate the reports quite yet. But there are now clients for Perl, Python and ASP! (Thanks to the contributors.)
Some of the most common scans target:
- WordPress. We do have a good number of reports for wp-login.php.
- PHPMyAdmin (/phpmyadmin/scripts/setup.php )
- MediaWiki/Wiki (but these hits only come from a few submitters, may not be statistically significant yet)
And some frequently requested files that are likely not an attack:
- robots.txt - search engines will look for it. You should have the file to control well-behaved search engines. Just don't use it to list secret / restricted pages ;-)
- apple-touch-icon files (there are a number of different ones for different resolutions). This is just like a "favicon", but used by Apple's iOS devices. With them being more and more popular, you may want to set one up.
- crossdomain.xml - this file is used by Flash and Silverlight to communicate your cross-domain policies. We have talked about the file before. It is a good idea to have an empty one that restricts access (this is the default for up-to-date Flash players).
Please keep the reports coming, and please install the "client code" on your error page if you haven't yet. Once you have installed it, you can verify that your submissions are working by logging in and navigating to the 404 report page.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Keywords: 404 project
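The two lists in the post above can be turned into a small triage pass over an Apache access log, separating 404s for the named scan targets from 404s for the benign files. This is an added example, not the 404 project's client code; the regexes, function names and sample log lines are assumptions constructed here, and MediaWiki is left out because the post gives no path for it.

```python
import re
from collections import Counter

# Paths come from the post's two lists; the regexes are this example's assumptions.
PROBES = {
    "wordpress": re.compile(r"/wp-login\.php$", re.I),
    "phpmyadmin": re.compile(r"/phpmyadmin/scripts/setup\.php$", re.I),
}
BENIGN = {
    "robots.txt": re.compile(r"^/robots\.txt$", re.I),
    "apple-touch-icon": re.compile(r"^/apple-touch-icon[^/]*\.png$", re.I),
    "crossdomain.xml": re.compile(r"^/crossdomain\.xml$", re.I),
}
# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')

def classify(path):
    """Return (kind, label) for a request path, ignoring any query string."""
    path = path.split("?", 1)[0]
    for kind, table in (("probe", PROBES), ("benign", BENIGN)):
        for label, rx in table.items():
            if rx.search(path):
                return kind, label
    return "other", path

def triage(lines):
    """Count 404s per (kind, label) and count probe 404s per client."""
    counts, probers = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "404":
            continue  # unparseable line, or a status other than 404
        kind, label = classify(m.group(2))
        counts[(kind, label)] += 1
        if kind == "probe":
            probers[m.group(1)] += 1
    return counts, probers

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Aug/2011:03:20:24 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
    '192.0.2.10 - - [05/Aug/2011:03:20:25 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [05/Aug/2011:04:31:29 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209',
    '203.0.113.5 - - [05/Aug/2011:05:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 209',
    '203.0.113.9 - - [05/Aug/2011:06:00:00 +0000] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 209',
    '198.51.100.7 - - [05/Aug/2011:07:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/Aug/2011:08:00:00 +0000] "GET /old-page.html?x=1 HTTP/1.1" 404 209',
]
```

Calling `triage(SAMPLE)` returns the per-category counts and the clients behind the probe requests; anything classified as "other" is a candidate broken link rather than a known scan.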
Comments
Al of Your Data Center
Aug 5th 2011
1 decade ago
Peter
Aug 5th 2011
1 decade ago
fe. I have set up my webserver to be accessible through use of a "Virtualhost name" only and log all access to the default unnamed host.
And lately I see a lot of weird accesses like these:
[Fri Aug 05 03:20:24 2011] [error] [client 188.54.65.180] Invalid URI in request \xba\v:`aX\x06\xd8J8\x99\xff\x1b\xf5\x81
[Fri Aug 05 04:31:29 2011] [error] [client 98.228.48.241] Invalid URI in request \xc2BrD\x1d}5\x10\xd6\xbf?\xec)\xf2D\x9b\xae\x80\x17@\xe8pt\x1bp]F\xbd\xfc\xcd\x97\xba\x14b\xe4\r\xd8\x86B\xf9\xaa\x93\x9a\xcbos\xcb\x16M\xe9
[Fri Aug 05 12:17:01 2011] [error] [client 80.61.152.143] Invalid URI in request \x16\xc6B\xf1\x80\xac\xd85\xc6\x8f\xb7!\xb4?\xd7\xc1T\xb8\x9c\r\xef\xc8\xb2\x03
©TriMoon™
Aug 5th 2011
1 decade ago
ashcrow
Aug 6th 2011
1 decade ago
I'm already using the provided PHP script to submit 404s, I just wanted to know about the other error codes because of those accesses I posted; those didn't show up until recently.
They showed up some time before I installed the PHP script though, but they are new in my eyes :)
©TriMoon™
Aug 7th 2011
1 decade ago