111115_TaleofLogs_Blog

welcome to http://www.startdays.com
welcome to http://www.ijachouf.com
welcome to http://www.swtools.biz
welcome to http://www.decoderhd.com

[13]111115_TaleofLogs_Blog

Sometimes just a few lines of access logs can tell a whole story…

Many ongoing attacks against WordPress and Joomla sites use a
collection of known vulnerabilities in many different plugins, themes
and components. This helps hackers maximize the number of sites they
can compromise.

Google Dorks

Do you ever think about how hackers find vulnerable websites? Probably
the most common way to do it is using "[14]Google Dorks" – special
Google queries that use search operators to return sites that use
specific software. For example, this inurl operator will help find
[improperly configured] WordPress sites: [inurl:"wp-content" "index
of"]

Almost every published exploit has its own dork that helps to find
vulnerable sites.

Hackers just need to enter search queries and then parse search
results. Sounds easy? Not really. There are quite a few obstacles.

Obstacles to Automated Searches for Vulnerable Sites

1. Even if your search returned millions of web pages, you can't get
more than the first 1,000 of them from Google.
2. Out of those 1,000, not all sites are vulnerable. Some use a
patched version, some use a website firewall or a different means
of protection that will make the attack fail, or Google has
outdated information about the site that might have already removed
the vulnerable software. All in all, hackers may expect that less
than 20% of the search results will be really vulnerable (It may be
more for new zero-day attacks and less for old and already patched
vulnerabilities).
3. To compile a big enough list of vulnerable sites, hackers either
need to use multiple dork modifications for one exploit, or use
multiple dorks for multiple exploits. Both methods assume a
significant number of requests to Google search engine. However, as
you might know, Google prohibits automated requests. They block IP
addresses that submit many requests in a relatively short time.
Even human visitors see this CAPTCHA from time to time.

[15]google-unusual-traffic-captcha


So how do hackers overcome these obstacles?

Enter Access Logs

A few days ago my colleague [16]Rodrigo Escobar checked access logs of
one compromised site and shared a very short excerpt with me. Here are
the three lines of logs that tell the whole story about how hackers
scan the web for vulnerable sites:

5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET
/includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearc
h%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1"
302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0)
Gecko/20130401 Firefox/21.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET
/includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearc
h%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1"
302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0)
Gecko/20130406 Firefox/23.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET
/includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearc
h%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1"
302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0)
Gecko/20131011 Firefox/23.0"

---------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------