AppSec Blog

Weathering the Storm: A Day of Weblogs at the Internet Storm Center

I figured it may be nice to look at a day's worth of logs from the Internet Storm Center and attempt an analysis to see what kind of attacks we are seeing. To do this, I am using my usual shell script tricks to get a handle on what is happening.

We don't do a lot of filtering for our site, in part because we talk a lot about exploits and would like people to send us information about them. Standard filters don't work well in this scenario.

I will publish a couple of blog entries based on this file. There is just too much to talk about.

In this "Part 1", let's look at the unique HTTP methods used:

cut -f2 -d'"' access_log.1 | cut -f1 -d' ' | sort | uniq -c | sort -nr

"GET", "POST" and "OPTIONS" are of course by far the favorite ones, but there are a few odd methods as well:

27 Accept:
9 Get
1 \x81

I will write about the GGET some other time. Kind of odd/interesting what I found here, but I need to investigate further. Let's just look at something more normal: the 2 CONNECT hits. Both came from the same IP address (obfuscated below):

58.49.x.y - - [20/Jan/2010:00:09:48 +0000] "CONNECT HTTP/1.0" 302 228 "-" "-" "-"
58.49.x.y - - [20/Jan/2010:00:09:49 +0000] "CONNECT HTTP/1.0" 302 228 "-" "-" "-"

Quite simple: trying to use my web server as an SMTP proxy. The '302' response may be surprising to some, but in this case it is just an odd server configuration that redirects "crap" to this blog.

The "\x81" hit was next on my list:

142.106.x.y - - [19/Jan/2010:16:07:14 +0000] "\x81" 302 228 "-" "-" "-"

Not sure what the idea was. Looks like a typo, maybe? There are a number of normal hits from the same IP at the same time, so this may just be a bad connection.

Let's move on to the PUT access. Two hits only, from different IPs:

78.183.x.y - - [19/Jan/2010:19:51:12 +0000] "PUT /askerlikx.txt HTTP/1.0" 405 6601 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
85.105.x.y - - [19/Jan/2010:23:18:05 +0000] "PUT /jacko.htm HTTP/1.0" 405 6611 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

Interestingly, both use the same user agent string (same tool?). But of course the access log doesn't tell me what they tried to upload. Neither IP did anything else. Probably some one-sploit kiddies.

LOCK method: 3 hits, all from the same IP address. The LOCK method is part of WebDAV, and this could be an attempt to verify whether we support it (no... we don't).

Get method (note the non-standard capitalization): a custom script someone wrote to download our block list. Not malicious, just not the best code?

Accept: method: looks like a broken tool to me. These hits all came from the same IP address:

94.23.x.y - - [19/Jan/2010:22:41:52 +0000] "Accept: */*" 302 - "-" "-"

There are some other hits from the same IP address. Looks like a spider to me (it did access robots.txt).

Finally: PROPFIND... yet another WebDAV method. All from the same IP address, against the same files for which we saw the LOCK method earlier (also the same IP address).
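To make this kind of method triage repeatable, here is an added shell script (not from the original post) that runs the same histogram pipeline over a constructed sample log in the same Apache combined layout as the excerpts above, then lists every request whose method falls outside an assumed allow-list together with its source IP, and counts distinct sources per odd method, which is the "same IP or not?" check the post does by hand. The IPs, paths, timestamps and the EXPECTED allow-list are all made up for the example.

```shell
#!/bin/sh
# Added example, not the post's own script. Constructed sample lines in the same Apache
# combined layout as the log excerpts above; IPs, paths and timestamps are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.1 - - [19/Jan/2010:16:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.1 - - [19/Jan/2010:16:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "Mozilla/5.0"
10.0.0.2 - - [19/Jan/2010:16:07:14 +0000] "\x81" 302 228 "-" "-"
10.0.0.3 - - [19/Jan/2010:19:51:12 +0000] "PUT /upload.txt HTTP/1.0" 405 6601 "-" "DAV 1.1 client"
10.0.0.4 - - [19/Jan/2010:22:41:52 +0000] "Accept: */*" 302 - "-" "-"
10.0.0.5 - - [20/Jan/2010:00:09:48 +0000] "CONNECT HTTP/1.0" 302 228 "-" "-"
10.0.0.5 - - [20/Jan/2010:00:09:49 +0000] "CONNECT HTTP/1.0" 302 228 "-" "-"
10.0.0.6 - - [20/Jan/2010:01:00:00 +0000] "POST /comment HTTP/1.1" 200 10 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jan/2010:02:00:00 +0000] "Get /blocklist.txt HTTP/1.0" 200 900 "-" "script/0.1"
10.0.0.8 - - [20/Jan/2010:03:00:00 +0000] "GET /diary.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Method histogram: exactly the pipeline from the post. Field 2 between double quotes is the
# request line; its first space-separated token is whatever the client sent as a method.
method_counts() {
    cut -f2 -d'"' "$1" | cut -f1 -d' ' | sort | uniq -c | sort -nr
}
# Allow-list of methods this server is expected to serve (assumption; adjust per server).
# Case-sensitive on purpose, so "Get" and header-like junk such as "Accept:" are flagged too.
EXPECTED='^(GET|POST|HEAD|OPTIONS)$'

# Every request whose method is outside the allow-list, as "ip<TAB>method<TAB>request line".
# Carrying the IP along is what lets you ask "one source or many?" per odd method.
odd_requests() {
    awk -F'"' -v pat="$EXPECTED" '{
        split($2, tok, " ")
        if (tok[1] !~ pat) {
            split($1, pre, " ")
            printf "%s\t%s\t%s\n", pre[1], tok[1], $2
        }
    }' "$1"
}
# Number of distinct source IPs per odd method. A method that only ever comes from one IP
# is usually one tool or one person, which is the pattern behind CONNECT, LOCK and PROPFIND.
odd_method_sources() {
    odd_requests "$1" | cut -f1,2 | sort -u | cut -f2 | sort | uniq -c | sort -nr
}

method_counts "$SAMPLE_LOG"
echo "--- odd requests (ip, method, request line) ---"
odd_requests "$SAMPLE_LOG"
echo "--- distinct source IPs per odd method ---"
odd_method_sources "$SAMPLE_LOG"
```

Point the functions at a real access_log instead of the sample file to reproduce the post's numbers; the allow-list should match whatever the server is actually meant to answer.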
