My last article was full of nostalgia for the lifetime of hacks that have shaped my life and career. I touched on the real bad guys too, but basking in the warm glow of a CRT it’s easy to forget how relentless the ugly side can be. They are always, always “on” — and they only have to beat the good guys once to do a ton of damage.
We talk about network security using physical analogs — doors and keys and alarms and such. And that’s fine as far as it goes, but it completely underplays the insane scale of attacks happening on the Internet all day, every day. A more accurate picture is the zombie horde surrounding the mall in Dawn of the Dead, probing 24×7 for any vulnerability.
A quick illustration. I keep a server in the Azure cloud that I use to test early versions of an app I’ve been working on the past few months. I keep this machine turned off 95% of the time, spinning it up only when I want to preview a new feature or do a demo.
Last night I flipped the server on for about six hours. Before shutting it down, I took a quick look at the request log and despite myself I was again struck by the sheer volume of attacks. Somehow within ten minutes of powering up, the script kiddies found my server and started rattling the doors and windows. A small sampling taken from hundreds of attempts:
1. Secrets left in the open
/.env
/…/.env
/.git/config
/actuator/gateway/routes
/connector.sds
/_profiler/phpinfo
These are basically the equivalent of checking for a key under the welcome mat, flower pots, above the door jamb, or inside fake garden rocks. They’re files that may contain sensitive information like passwords, and are commonly hosted “accidentally.” Either they shouldn’t be on a production server at all, or the hosting web server is misconfigured to allow access. There’s a massive list of these — it’s really easy to slip up when deploying a large project.
2. Remote Code Execution
/autodiscover/autodiscover.json?@zdi/Powershell
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
/?XDEBUG_SESSION_START=phpstorm
These are all attempts to coerce my server into running code provided by the hacker. Sometimes the problem is debugging code deployed to production accidentally, kind of like the open secrets issue. More often these hacks exploit SQL injection or buffer overruns; the web server receives data from the user and accidentally executes it as code. Of course, if I can convince you to run arbitrary code on your server, you’re hosed.
3. Beacons and secondary attacks
/aaa9
/aab9
/alive.php
/t4
/teorema505?t=1
Once a hacker breaks into a machine, they’ll typically install backdoors or other software that makes it easier for them to keep control. One of the most popular apps for coordinating this is Cobalt Strike, which ironically was created as an “ethical” hacking tool to help good guys find vulnerabilities.
The first two URLs are “probes” checking to see if my server is running Cobalt Strike. If so, it’s probably in control of other hacked servers — basically bad guys trying to take advantage of other bad guys, or possibly good guys being sloppy with their tools.
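To make the three buckets above concrete, here is a small triage script that reads Common Log Format lines and sorts each request into "secrets", "rce", "beacon" or "other". This is an added example, not code from the original post or from the author's server: the log lines are constructed, the regular expressions are built only from the sample paths listed above (they are illustrative, not a complete signature set), and the Cobalt Strike probe check relies on the Metasploit-style stager convention that the 8-bit checksum of the URI path sums to 92 (x86) or 93 (x64), which is exactly why "aaa9" and "aab9" show up in logs.

```python
"""Triage web-server request logs into the probe classes described above.
Added example; sample log lines are constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident authuser [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# 1. Files and endpoints that should never be reachable on a production host
#    (dotfiles, framework debug/actuator endpoints). Patterns taken from the
#    sample list above; a real deployment would use a much longer list.
SECRETS_RE = re.compile(r'(^|/)\.(env|git)(/|$)|^/actuator/|^/_profiler/|\.sds$')

# 2. Strings that only make sense if the requester hopes the server will
#    execute something: traversal, shell paths, PHP ini injection, debug hooks.
RCE_RE = re.compile(
    r'\.\./|/bin/sh|php://input|allow_url_include|auto_prepend_file'
    r'|eval-stdin\.php|XDEBUG_SESSION_START|^/autodiscover/|^/ecp/',
    re.IGNORECASE,
)

# 3. Beacon / secondary-attack probes copied from the sample above.
KNOWN_BEACON_PATHS = {'/alive.php', '/t4', '/teorema505'}


def checksum8(text):
    """Sum of the byte values of the URI path, modulo 256."""
    return sum(ord(ch) for ch in text) % 256


def looks_like_stager_probe(path):
    """Metasploit/Cobalt Strike stager URIs are short alphanumeric paths whose
    checksum8 is 92 (x86 stager) or 93 (x64 stager); 'aaa9' and 'aab9' both fit."""
    name = path.lstrip('/')
    return name.isalnum() and 1 <= len(name) <= 8 and checksum8(name) in (92, 93)


def normalize(target):
    # Decode twice so single- and double-encoded traversal (.%2e, %252e) both
    # collapse to plain '..' before the patterns run.
    return unquote(unquote(target))


def classify(target):
    """Return 'rce', 'secrets', 'beacon' or 'other' for one request target."""
    decoded = normalize(target)
    path = decoded.split('?', 1)[0]
    if RCE_RE.search(decoded):          # query string matters here (XDEBUG, php -d)
        return 'rce'
    if SECRETS_RE.search(path):
        return 'secrets'
    if path in KNOWN_BEACON_PATHS or looks_like_stager_probe(path):
        return 'beacon'
    return 'other'


def triage(lines):
    """Classify each parsable log line; return per-class counts and the hits."""
    counts, hits = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            counts['unparsed'] += 1
            continue
        label = classify(m['target'])
        counts[label] += 1
        if label != 'other':
            hits.append((m['ip'], label, m['target'], m['status']))
    return {'counts': counts, 'hits': hits}


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:22:14:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2024:22:14:02 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2024:22:15:10 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 0
198.51.100.7 - - [10/Oct/2024:22:15:11 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2024:22:16:40 +0000] "GET /aaa9 HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2024:22:16:41 +0000] "GET /alive.php HTTP/1.1" 404 153
192.0.2.44 - - [10/Oct/2024:22:17:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2024:22:18:22 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 2048
"""

if __name__ == '__main__':
    result = triage(SAMPLE_LOG.splitlines())
    print(dict(result['counts']))
    for ip, label, target, status in result['hits']:
        print(f'{ip:14} {label:8} {status} {target}')
```

The checksum trick is the interesting part: the probe paths look like random junk, but a four-character alphanumeric path whose bytes sum to 92 or 93 mod 256 is a strong signal that someone is checking whether your host is a team server, which is why a sudden burst of such requests is worth alerting on even when every one of them returns 404.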
Diversity helps!
Each of these attack types is interesting in its own right. But the really scary thing is that they represent just a fraction of the bad dudes hitting my server over only a few hours. It’s relentless — I’ve seen estimates that suggest that around 25% of all Internet traffic is hacking scripts (which doesn’t quite top porn’s 30% but is still pretty terrifying, go humans).
The one positive thing that sticks out is that — just like in culture, public health and farming — diversity helps. The hacks I catalogued were targeted at specific products: Microsoft Exchange, PHP, Git, Apache, Cobalt Strike, Cisco, Fortinet and more. Because I’m not running these, the attacks are impotent.
Of course, diversity isn’t the most efficient model of the world — many folks think I’m a little weird for running my own embedded web server. But it’s amazingly protective. So there’s my plug for robust anti-trust action in the tech industry.
In any case, just a glimpse. Keep your systems updated and please, for the love of God, don’t click that email link.