On Zone-H Defacement Story: Log Analysis at Work

by Anton Chuvakin

Here is a fun account of a [relatively] advanced attack against a high-profile site (a high-profile defacement mirror site, to be exact!)

Not surprisingly, web server logs play an important role in the investigation, a situation I highlighted in this tip. Specifically, see these two records shown in the paper:

- - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a HTTP/1.0" 404 454 "http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..<////..<////..<////..<////images/stories/food/x&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"


as well as


- - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..<////..<////..<////..<////images/stories/food/x&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/cacha/&sort=0a HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"


(note the web server response codes: a 404 on the first request, then 200s on the two that followed)

This is another fun log line from the incident account that has some lessons-learned value as well: a 200 response code on a POST to a script (/cache/cacha/020.php) that you, the web server admin, never deployed...


- - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"


So, what do we learn from this incident log analysis?

1. Look for weird commands (those containing ".<!--//..<" certainly qualify) with 200 HTTP response codes

2. Look for executable files you didn't put on your server with 200 response codes

3. Don't let your defacement mirror be defaced :-)
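Lessons 1 and 2 are easy to turn into a first-pass filter over an access log. The script below is an added example of mine, not code from Anton's post or from Zone-H: it parses Apache combined-format lines, keeps only the requests that got a 200, and flags (a) targets carrying traversal-style garbage such as "..<" or "<!--" and (b) PHP scripts that are not in a deployment manifest. The manifest (DEPLOYED_SCRIPTS), the fragment list and the sample lines are my assumptions; the samples are modelled on the records quoted above but use RFC 5737 documentation addresses instead of the real hosts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import unquote, urlsplit

# Apache "combined" format:
#   host ident user [time] "method target proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fragments that have no business in a legitimate request target. "..<" and
# "<!--" are the forms seen in the Zone-H records; "../" and "..\" are the
# plain traversal spellings, added here for generality (my assumption).
SUSPICIOUS_FRAGMENTS = ("../", "..\\", "..<", "<!--")

# Hypothetical deployment manifest: every script the admin knowingly put on
# the server. Any other .php answering 200 is worth a look (lesson 2).
DEPLOYED_SCRIPTS: Set[str] = {"/index.php", "/index2.php"}


@dataclass
class Hit:
    rule: str
    host: str
    time: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything malformed."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def request_is_suspicious(target: str) -> bool:
    """Lesson 1: does the percent-decoded request target carry a weird command string?"""
    decoded = unquote(target).lower()
    return any(frag in decoded for frag in SUSPICIOUS_FRAGMENTS)


def analyze(lines: Iterable[str], deployed: Set[str]) -> List[Hit]:
    """Return one Hit per (line, rule) for requests the server answered with 200."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # both lessons key on requests the server actually served
        path = urlsplit(rec["target"]).path
        if request_is_suspicious(rec["target"]):
            hits.append(Hit("weird-command-200", rec["host"], rec["time"], path))
        if path.endswith(".php") and path not in deployed:
            hits.append(Hit("unknown-script-200", rec["host"], rec["time"], path))
    return hits


# Constructed sample lines modelled on the records quoted in the post.
SAMPLE_LOG = [
    # traversal garbage in the query, and the server answered 200
    '203.0.113.5 - - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..<////..<////images/stories/food/x&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/cacha/&sort=0a HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    # a PHP file nobody deployed, served with 200
    '203.0.113.5 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    # POST to that same script, editing configuration.php
    '203.0.113.5 - - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    # ordinary request to a deployed script: must not be flagged
    '198.51.100.7 - - [22/Dec/2006:01:06:00 +0200] "GET /index2.php?option=com_content&id=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    # same garbage but answered 404: the filter keys on 200 only
    '203.0.113.5 - - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img&img=..<>/<...<!--//..<////x HTTP/1.0" 404 454 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG, DEPLOYED_SCRIPTS):
        print(f"{h.rule:20} {h.host:15} {h.time}  {h.path}")
```

Run against the samples it reports the weird-command hit on /index2.php and two unknown-script hits on /cache/cacha/020.php, and stays quiet on the ordinary request and on the 404. The manifest check is the more reliable of the two rules in practice: a pattern list only catches garbage you already know about, whereas "a .php I never deployed is answering 200" needs no prior knowledge of the attack.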

1 Comment

Tim O'Brien
2007-01-19 13:53:08
:-) this is great, but my real question is, does the defacement mirror which was defaced maintain a record of its own defacement?