
Yesterday at 3AM our Fail2ban blocked an IP, not tremendously uncommon, however it appears to relate back to a Microsoft address. This could perhaps be an Azure server being used for the abuse.

My main concern is exactly what it was attempting to do and if I should be concerned. Please see the below excerpts:

13.67.210.80 - - [08/Jun/2016:03:03:25 +0100] "GET /event/-1;select%20pg_sleep(6);%20--%20/admin/profile/ href= HTTP/1.1" 200 139
13.67.210.80 - - [08/Jun/2016:03:03:27 +0100] "GET /-1'%20OR%202%2b395-395-1%3d0%2b0%2b0%2b1%20--%20/edit HTTP/1.1" 200 139 "
13.67.210.80 - - [08/Jun/2016:03:03:23 +0100] "GET /(select(0)from(select(sleep(6)))v)/*'%2b(select(0)from(select(sleep(6)))v)%2b'%22%2b(select(0)from(select(sleep(6)))v)%2b%22*//
13.67.210.80 - - [08/Jun/2016:03:03:27 +0100] "GET /if(now()%3dsysdate()%2csleep(12)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(12)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(12)%2c0))OR%22*//

There are, of course, many many other requests, most of which are 'normal', i.e. not trying to inject any type of code, just attempting to edit sections of the site (with no results).

I have noticed several references to the web vulnerability company Acunetix, such as requests for:

 /acunetix-wvs-test-for-some-inexistent-file

So I can only assume, somebody is using their services to try and poke holes in our system.

My question is: what were they trying to do, what can I do about this, and should I even care?

Should I contact one of the above companies, or is this a common occurrence?

Aphire
    Script kiddies and port scanners are a fact of life on the internet. Cloud services have only made their life easier by giving them somewhere to "hide". You could try reporting it to the cloud provider, but in my experience, just like reporting spam, you normally get an automated reply and not much else happens. Just make sure your fail2ban is working correctly and relax (and keep an eye on your logs). – Little Code Jun 09 '16 at 11:49
  • Yeah, fair enough, I thought as much. I think I will still send over a quick message to abuse@microsoft, just in case ;) Thanks for the reply – Aphire Jun 09 '16 at 12:57

1 Answer


Let it be banned. Unless you're a large company that has to worry about things like Google e-mail server IPs getting through, there's not much for you to worry about. Abuse happens everywhere, including MS and Google. They should deal with it.

Overmind
  • If you can shed some light on exactly what they were trying to do, I'd be very interested to know. Cheers! – Aphire Jan 31 '17 at 12:06
  • Looks like they were trying to get some info on the 'admin' user profile on the destination system. Various info gathered this way can be pretty useful for an attacker. Good thing it was a quick ban. – Overmind Jan 31 '17 at 12:10
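The requests in the question are time-based blind SQL injection probes (`pg_sleep(6)` for PostgreSQL, `sleep(6)`/`sleep(12)` for MySQL) plus a boolean probe and an Acunetix scanner marker; a scanner sends them and measures whether the response is delayed. The following added example (not from the question or any answer) parses constructed access-log lines modelled on the excerpts above, URL-decodes each request path, labels the probe type, and lists IPs that exceed a fail2ban-style threshold. Log lines, IPs and thresholds are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the access-log excerpts in the question.
SAMPLE_LOG = """\
13.67.210.80 - - [08/Jun/2016:03:03:25 +0100] "GET /event/-1;select%20pg_sleep(6);%20--%20/admin/profile/ HTTP/1.1" 200 139
13.67.210.80 - - [08/Jun/2016:03:03:27 +0100] "GET /-1'%20OR%202%2b395-395-1%3d0%2b0%2b0%2b1%20--%20/edit HTTP/1.1" 200 139
13.67.210.80 - - [08/Jun/2016:03:03:23 +0100] "GET /(select(0)from(select(sleep(6)))v)/*'%2b(select(0)from(select(sleep(6)))v)%2b'*/ HTTP/1.1" 200 139
13.67.210.80 - - [08/Jun/2016:03:03:27 +0100] "GET /if(now()%3dsysdate()%2csleep(12)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(12)%2c0))OR'*/ HTTP/1.1" 200 139
13.67.210.80 - - [08/Jun/2016:03:03:30 +0100] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 162
10.0.0.5 - - [08/Jun/2016:03:04:00 +0100] "GET /event/42/edit HTTP/1.1" 200 5120
"""

# Combined-log prefix: client IP, timestamp, method and request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

# Signatures applied to the URL-decoded, lower-cased request path.
SIGNATURES = [
    ("time-based sqli (postgres)", re.compile(r"pg_sleep\s*\(")),
    ("time-based sqli (mysql)", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),
    ("boolean sqli probe", re.compile(r"'\s*or\s+\d+[+\-\d]*=")),
    ("acunetix scanner marker", re.compile(r"acunetix")),
]

def classify_request(path):
    """Return the signature labels matching one raw (still URL-encoded) request path."""
    decoded = unquote(path).lower()
    return [label for label, rx in SIGNATURES if rx.search(decoded)]

def scan_log(text):
    """Parse access-log lines and return (ip, timestamp, labels) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        labels = classify_request(m.group("path"))
        if labels:
            hits.append((m.group("ip"), m.group("ts"), labels))
    return hits

def offenders(text, threshold=2):
    """IPs with at least `threshold` flagged requests; a fail2ban-style ban criterion."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, ts, labels in scan_log(SAMPLE_LOG):
        print(ip, ts, ", ".join(labels))
    print("ban candidates:", offenders(SAMPLE_LOG))
```

Pointing `scan_log` at a real access log shows the same thing the question's excerpts do: every probe here returned 200 with a tiny body, so the injection did not land, and the single-source burst is exactly what a fail2ban jail should catch.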