
Re: [tor-talk] Is this a practical vulnerability?



On 19/10/2012 13:40, Andreas Krey wrote:
> On Fri, 19 Oct 2012 11:25:34 +0000, Anon Mus wrote:
> ...
>> Within 24hrs of making that Tor hidden service live I could see, in my
>> firewall logs, hundreds of repeated attempts trying to hack my server,
>> directly from the internet, not via my hidden Tor service.
> Welcome to the internet. Have an open web server, and it will get
> accessed by scum that tries known vulnerabilities: /memberlist.php,
> /index.php, /user/soapCaller.bs, that's normal.
?

I had been creating/running corporate web sites since the mid 1990s; I hardly think that qualifies me as a newbie. Not sure what the purpose of this remark was.


The web server itself was supposed to be firewalled from the open web (with only Tor access), but a "hole" bug in the firewall's code meant that a "stop access" mode only caused "logging" mode to be initially turned on.

>> All were
>> attempting to access various types of services/permissions which were
>> mainly focused on attempting to gain control of a "web page server".
> How can you tell that from firewall logs? If it just blocks the access
> you will only see the source address, but not the actual HTTP request.


Well, with you being such an "experienced" and "savvy" web person, I am sure you will know that there are things called software "firewalls" out there which give indications of "attacks" and fully log unusual traffic. The one I used included a real-time "allow"/"block" traffic mode with live log, and I used that to track and block / delay some accesses. Again I am perplexed, bearing in mind your huge experience, that you should even ask this question.

Of course, once again your vast experience will lead you to the conclusion that once alerted to the attacks I used other tools (such as my web server log & a packet sniffer) to see the details of the traffic.

> ...
>> attack strategy over a 12 hour period. Hundreds of commands were sent,
>> many in quick succession as if they were in some sort of script file,
> Can you be any more detailed about those attacks? What commands, on
> what service, and why do you even get to know the commands if there
> is no such service on your computer?
>
> Andreas


There were many attacks which I am sure you can research on the net yourself. They were mainly aimed at accessing parts of the server such as files and various rpc O/S components.

They did focus on trying to identify what web server I was using, I believe there were about 4 or 5 different

Of course my web server did log the traffic that did get through. Those logs are now gone, but here's a section from one about which I queried someone as to what it was.

#Fields: time c-ip cs-method cs-uri-stem sc-status
13:05:35 xxx.xxx.xxx.xxx GET /{Tor hidden service ID}/nonexistentfile.php 404
13:05:35 xxx.xxx.xxx.xxx GET /adxmlrpc.php 404
13:05:35 xxx.xxx.xxx.xxx GET /adserver/adxmlrpc.php 404
13:05:36 xxx.xxx.xxx.xxx GET /phpAdsNew/adxmlrpc.php 404
13:05:36 xxx.xxx.xxx.xxx GET /phpadsnew/adxmlrpc.php 404
13:05:36 xxx.xxx.xxx.xxx GET /phpads/adxmlrpc.php 404
13:05:37 xxx.xxx.xxx.xxx GET /Ads/adxmlrpc.php 404
13:05:37 xxx.xxx.xxx.xxx GET /ads/adxmlrpc.php 404
13:05:37 xxx.xxx.xxx.xxx GET /xmlrpc.php 404
13:05:38 xxx.xxx.xxx.xxx GET /xmlrpc/xmlrpc.php 404
13:05:38 xxx.xxx.xxx.xxx GET /xmlsrv/xmlrpc.php 404
13:05:38 xxx.xxx.xxx.xxx GET /blog/xmlrpc.php 404
13:05:39 xxx.xxx.xxx.xxx GET /drupal/xmlrpc.php 404
13:05:39 xxx.xxx.xxx.xxx GET /community/xmlrpc.php 404


I was told the above were attempts to gain access to a web server's management system.

The attacks all fell on stony ground because none actually guessed the web server I was using before I closed the loophole.

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
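The log excerpt above is in W3C extended log format (the `#Fields:` directive names the columns), and its telltale shape is one client requesting the same file name under many directories within a few seconds, every request answered 404. The following is an added example, not code from the thread or from the Tor project, showing how a defender would pick that pattern out of such a log: a `#Fields:`-driven parser, a sliding-window check for a client racking up many distinct 404 paths in a short span, and a count of how many directories each file name was tried in. The sample log is constructed for the example; the addresses (RFC 5737 documentation ranges) and the non-200 paths are made up to resemble the post's excerpt, and the thresholds (60 seconds, 5 distinct 404s) are arbitrary starting points rather than anything the post states.

```python
"""Spot location-guessing scans in W3C extended log excerpts.

Added example. Parses the 'time c-ip cs-method cs-uri-stem sc-status'
layout quoted in the post and flags clients whose 404 pattern looks
like a wordlist scanner rather than a person mistyping a URL.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not the post's real data). 203.0.113.7 stands in
# for the redacted scanner address; 198.51.100.20 is an ordinary visitor.
SAMPLE_LOG = """\
#Software: constructed-sample
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:05:35 203.0.113.7 GET /nonexistentfile.php 404
13:05:35 203.0.113.7 GET /adxmlrpc.php 404
13:05:35 203.0.113.7 GET /adserver/adxmlrpc.php 404
13:05:36 203.0.113.7 GET /phpAdsNew/adxmlrpc.php 404
13:05:36 203.0.113.7 GET /xmlrpc.php 404
13:05:37 203.0.113.7 GET /blog/xmlrpc.php 404
13:05:39 203.0.113.7 GET /drupal/xmlrpc.php 404
13:06:10 198.51.100.20 GET /index.html 200
13:06:12 198.51.100.20 GET /about.html 200
13:06:20 198.51.100.20 GET /missing.css 404
"""


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the
    #Fields directive so the parser is not tied to a fixed column order."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no requests
        if fields is None:
            raise ValueError("request line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than abort the whole file
        yield dict(zip(fields, parts))


def find_probing(text, window_seconds=60, min_distinct_404=5):
    """Return {client_ip: sorted distinct 404 paths} for every client that
    hit at least min_distinct_404 distinct non-existent paths inside any
    window_seconds span. One typo gives one 404; a scanner gives dozens."""
    per_ip = defaultdict(list)  # ip -> [(time, path), ...]
    for rec in parse_w3c(text):
        if rec["sc-status"] != "404":
            continue
        t = datetime.strptime(rec["time"], "%H:%M:%S")
        per_ip[rec["c-ip"]].append((t, rec["cs-uri-stem"]))

    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= window_seconds
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_seconds):
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= min_distinct_404:
                flagged[ip] = sorted({path for _, path in hits})
                break
    return flagged


def repeated_basenames(text, status="404"):
    """Count the distinct directories each file name was requested from.
    The same name tried under /, /blog/, /drupal/ ... (as xmlrpc.php is in
    the post) is the signature of a location-guessing wordlist."""
    dirs = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["sc-status"] != status:
            continue
        head, _, name = rec["cs-uri-stem"].rpartition("/")
        dirs[name].add(head or "/")
    return {name: len(d) for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    for ip, paths in find_probing(SAMPLE_LOG).items():
        print(f"probable scanner {ip}: {len(paths)} distinct 404 paths")
    for name, n in repeated_basenames(SAMPLE_LOG).items():
        print(f"{name} tried in {n} directories")
```

The two checks are deliberately independent of each other: the window check catches any fast burst of misses, while the basename count catches a slow scan that spreads the same wordlist over hours, which the post describes as a 12-hour campaign. On a production server the source address would normally be rate-limited or blocked once either check fires, and the flagged paths kept as evidence of which software the scanner was probing for.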