Acunetix Web Vulnerability Scanner
One of my customers suffered a DDoS attack and the site went down.
In the logs I found a lot of login requests with non-existent usernames, and some of the usernames contained exploits such as SQL, JavaScript and command-line injections.
For example:

| Username submitted | What it tests |
| --- | --- |
| `admin` | tries to log in as admin |
| `"+response.write(9016645*9728826)+"` | JavaScript injection |
| `(select convert(int,CHAR(65)))` | SQL injection |
| `waitfor delay '0:0:4'` | do we have MSSQL? |
| `and (sleep(4)+1) limit 1` | or MySQL? |
| `cat /etc/passwd;'` | Linux/BSD? tries to get the contents of the password file |
| `^(#$!@#$)(()))*` | Perl? (interpreting) |
| `;print(md5(acunetix_wvs_security_test));` | checking for the PEAR XML_RPC 1.3.0 vulnerability in PHP |
The full list of exploits is given below, but please don't open any of the links, since they contain exploits too.
Analysis of the exploits showed that this attack was performed by Acunetix Web Vulnerability Scanner.
In short, this is just a robot that crawls your site and tests it for known security issues.
Even if your site were vulnerable, the scanner would not try to break anything; it would only report the vulnerabilities to the attacker.
Each time a login is performed, the site looks up a user with that username in the DB, and when none is found it returns a NoSuchUserException. That creates a big load on the DB.
So we will add a simple validation to our login: if the username contains any special symbols or spaces, return NoSuchUserException without doing the DB lookup at all.
That will minimize the database load during the next such attack. It would also be good to write a security alert to the logs.
Another simple step against this kind of attack is to avoid usernames like «admin», «user», «test» and similar.
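The following is an added example, not code from the original post, showing the login-side mitigation described above in Python (the post does not say which stack the site runs on). A username is checked against an assumed allowlist pattern before any database work; anything with spaces, quotes, brackets or other special symbols gets a security alert in the log and the same NoSuchUserException a real miss would produce. An in-memory stand-in for the user table counts lookups so the saving is measurable, and the sample input is the set of usernames quoted in the post plus two constructed legitimate ones.

```python
import logging
import re

logger = logging.getLogger("login")

# Assumed allowlist: one letter or digit followed by up to 63 letters, digits,
# dots, underscores, hyphens or "@". Anything else is rejected before the DB.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}")


class NoSuchUserException(Exception):
    """Raised when a login names a user that does not exist."""


class FakeUserRepository:
    """Stand-in for the database; counts lookups so the saving is visible."""

    def __init__(self, users):
        self._users = dict(users)
        self.lookups = 0

    def find_by_username(self, username):
        self.lookups += 1
        return self._users.get(username)


def is_plausible_username(username):
    """True only if the whole string matches the allowlist pattern."""
    return bool(USERNAME_RE.fullmatch(username))


def find_user_for_login(username, repo, alerts=None):
    """Pre-validate, then look the user up; raise NoSuchUserException either way.

    Rejecting implausible names with the same exception a real miss produces
    keeps the client-visible behaviour identical while skipping the DB round trip.
    """
    if not is_plausible_username(username):
        msg = f"security alert: rejected implausible username {username!r}"
        logger.warning(msg)
        if alerts is not None:
            alerts.append(msg)
        raise NoSuchUserException(username)
    record = repo.find_by_username(username)
    if record is None:
        raise NoSuchUserException(username)
    return record


# Usernames quoted in the post (unescaped) plus two constructed legitimate ones.
SAMPLE_USERNAMES = [
    "alice",
    "bob.smith",
    "admin",
    '"+response.write(9016645*9728826)+"',
    "(select convert(int,CHAR(65)))",
    "waitfor delay '0:0:4'",
    "and (sleep(4)+1) limit 1",
    "cat /etc/passwd;'",
    "^(#$!@#$)(()))*",
    ";print(md5(acunetix_wvs_security_test));",
]


def simulate(usernames, repo):
    """Run each username through the login lookup and tally the outcomes."""
    tally = {"found": 0, "rejected_before_db": 0, "missing_after_db": 0, "alerts": []}
    for name in usernames:
        lookups_before = repo.lookups
        try:
            find_user_for_login(name, repo, tally["alerts"])
            tally["found"] += 1
        except NoSuchUserException:
            if repo.lookups == lookups_before:
                tally["rejected_before_db"] += 1
            else:
                tally["missing_after_db"] += 1
    return tally


if __name__ == "__main__":
    repo = FakeUserRepository({"alice": "hash-1", "bob.smith": "hash-2"})
    result = simulate(SAMPLE_USERNAMES, repo)
    print(result, "db lookups:", repo.lookups)
```

On the sample input, seven of the ten names never reach the repository. Note that `admin` passes the character check and still costs a lookup, which is exactly why the last step above, not having accounts named admin, user or test, matters: the character filter removes the injection probes, but plain guessed names can only be made cheap by making sure they are not worth guessing.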
List of exploits (please note that some of them contain a randomly generated part):
!(()&&!|*|*| #{9999517+9999846} $(nslookup XaHYzdt9) ${9999517+9999846} ${@print(md5(acunetix_wvs_security_test))} ${@print(md5(acunetix_wvs_security_test))}\\ \";print(md5(acunetix_wvs_security_test));$a=\" \';print(md5(acunetix_wvs_security_test));$a=\' <!-- &nslookup wqTuHKgH&\'\\\"`0&nslookup wqTuHKgH&`\' (select convert(int,CHAR(65))) ) ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) -1 OR 2+101-101-1=0+0+0+1 -- -1 OR 2+361-361-1=0+0+0+1 -1\" OR 2+167-167-1=0+0+0+1 -- -1\' OR 2+40-40-1=0+0+0+1 -- -1\' OR 2+881-881-1=0+0+0+1 or \'dvO3lt07\'=\' ................windowswin.ini ../../../../../../../../windows/win.ini /.\\\\./.\\\\./.\\\\./.\\\\./.\\\\./.\\\\./windows/win.ini ../../../../../../../../../../windows/win.ini\0.tst \";cat /etc/passwd;\" /../..//../..//../..//../..//../..//etc/passwd\0.tst ./WEB-INF/web.xml ./WEB-INF/web.xml? WEB-INF/web.xml WEB-INF\\web.xml //WEB-INF/web.xml /forward:/WEB-INF/web.xml /static/WEB-INF/web.xml /www.vulnweb.com 1 1 waitfor delay \'0:0:9\' -- 1some_inexistent_file_with_long_name\0.jpg 1\'\" 1\0'" 5rRFX596\');select pg_sleep(3); -- a7C6fcfF\';select pg_sleep(3); -- CdU2ccxR\'));select pg_sleep(6); -- ;print(md5(acunetix_wvs_security_test)); @@Y7Mum admin Array asblyars&n934969=v921785 dxiHJlrn\'); waitfor delay \'0:0:13\' -- e&n903064=v900092 http://hitCNGUlQ53Jk.bxss.me/ http://testasp.vulnweb.com/t/fit.txt ibqxmqjh&n902289=v938342 JyI= response.write(9856682*9648787) set|set&set testasp.vulnweb.com wtqcgrsv&n912204=v936365 YlpOb05tVlA= yoUBQu2S ZPuBQkWY \"+response.write(9016645*9728826)+\" \'\" \'\"() \\ ^(#$!@#$)(()))****** ..À¯ sample%40email.tst and sleep(7.738) acunetix_wvs_invalid_filename
See also:
* https://eventespresso.com/tag/acunetix_wvs_security_test/
* https://www.fail2ban.org/
* https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
* https://www.modsecurity.org/