On Zone-H Defacement Story: Log Analysis at Work

by Anton Chuvakin

Here is a fun account of a [relatively] advanced attack against a high-profile site (a high-profile defacement mirror site, to be exact!)

Not surprisingly, web server logs play an important role in the investigation, in a situation which I highlighted in this tip. Specifically see these two records shown in the paper:

 - - [21/Dec/2006:23:23:15 +0200] "GET 
HTTP/1.0" 404 454 "http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..<////..<////..<////..<////images/stories/food/x
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

as well as

- - [21/Dec/2006:23:23:59 +0200] "GET
HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)" - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php
HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

(note the web server response codes: 404 on the first record, then 200 on the two that follow)

This is another fun log line from the incident account that has some lessons-learned value as well: it shows a 200 code on a script (cache/cacha/020.php, visible in the referrer) that you, the web server admin, didn't deploy...

- - [22/Dec/2006:01:05:15 +0200] "POST
HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv: Gecko/20061206

So, what do we learn from this incident log analysis?

1. Look for weird commands (those containing ".<!--//..<" certainly qualify) with 200 HTTP response codes

2. Look for executable files you didn't put on your server with 200 response codes

3. Don't let your defacement mirror be defaced :-)
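As an added example (not from this post or the paper it cites), here is a small Python scanner that applies lessons 1 and 2 to Apache combined-format log lines: it flags requests answered with 200 whose URI or referrer carries traversal or markup fragments like the ".<!--//..<" above, and 200 responses for server-side scripts outside an allowlist of what the admin actually deployed. The sample records, client hosts, fragment list and deployed-script list are constructed placeholders modelled on the records quoted above.

```python
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Fragments that do not belong in a legitimate URL or referrer (lesson 1). Assumed starter list.
WEIRD_FRAGMENTS = ("../", "..<", "<!--", "..%2f", "..%5c")

# Scripts the admin actually deployed (assumed); any other script answered with 200 is suspect (lesson 2).
DEPLOYED_SCRIPTS = {"/index.php", "/index2.php"}
SCRIPT_EXTENSIONS = (".php", ".cgi", ".pl", ".asp", ".jsp")

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag(rec):
    """Return the reasons this record deserves a look; empty list means nothing suspicious."""
    if rec["status"] != "200":          # only successful responses matter for both lessons
        return []
    reasons = []
    haystack = (rec["uri"] + " " + rec["referer"]).lower()
    if any(frag in haystack for frag in WEIRD_FRAGMENTS):
        reasons.append("weird command answered with 200")
    path = rec["uri"].split("?", 1)[0].lower()
    if path.endswith(SCRIPT_EXTENSIONS) and path not in DEPLOYED_SCRIPTS:
        reasons.append("undeployed script answered with 200: " + path)
    return reasons

def scan(lines):
    """Return (record, reasons) for every parseable line that trips a rule."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = flag(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits

# Constructed sample lines modelled on the incident records (hosts and paths are placeholders).
SAMPLE = [
    '198.51.100.7 - - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?option=com_jce&plugin=..<>/<...<!--//..<////images/x HTTP/1.0" 404 454 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&plugin=..<>/<...<!--//..<////images/x HTTP/1.0" 200 3411 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [22/Dec/2006:01:10:00 +0200] "GET /index.php HTTP/1.0" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE):
        print(rec["time"], rec["uri"], "->", "; ".join(reasons))
```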


Tim O'Brien
2007-01-19 13:53:08
:-) this is great, but my real question is, does the defacement mirror which was defaced maintain a record of its own defacement?