12

It looks like someone is trying to hack my site. The following comes from my IIS log files:

```text
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-07-03 00:02:39
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-07-03 18:29:05 W3SVC111 GET /V20xRmRRPT0K - 80 - 83.140.8.18 - 302 0 0 458 145 786
2011-07-03 18:29:06 W3SVC111 GET /scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 468 151 617
2011-07-03 18:29:06 W3SVC111 GET /admin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 480 157 132
2011-07-03 18:29:08 W3SVC111 GET /admin/pma/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 161 2407
2011-07-03 18:29:08 W3SVC111 GET /admin/phpmyadmin/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 168 181
2011-07-03 18:29:08 W3SVC111 GET /db/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 474 154 259
2011-07-03 18:29:09 W3SVC111 GET /dbadmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 484 159 371
2011-07-03 18:29:09 W3SVC111 GET /myadmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 484 159 357
2011-07-03 18:29:09 W3SVC111 GET /mysql/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 480 157 197
2011-07-03 18:29:10 W3SVC111 GET /mysqladmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 490 162 310
2011-07-03 18:29:10 W3SVC111 GET /typo3/phpmyadmin/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 168 103
2011-07-03 18:29:10 W3SVC111 GET /phpadmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 486 160 56
2011-07-03 18:29:10 W3SVC111 GET /phpMyAdmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 490 162 139
2011-07-03 18:29:10 W3SVC111 GET /phpmyadmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 490 162 87
2011-07-03 18:29:10 W3SVC111 GET /phpmyadmin1/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 492 163 51
2011-07-03 18:29:10 W3SVC111 GET /phpmyadmin2/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 492 163 98
2011-07-03 18:29:10 W3SVC111 GET /pma/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 476 155 55
2011-07-03 18:29:10 W3SVC111 GET /web/phpMyAdmin/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 166 53
2011-07-03 18:29:10 W3SVC111 GET /xampp/phpmyadmin/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 168 52
```

What should I do with this? Should I go to the police with it? Any good advice is welcome.

Hendrik Brummermann
Louis Somers
  • See also [Tools to identify and report hacking attempts originating inside reputable organizations? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/1990/tools-to-identify-and-report-hacking-attempts-originating-inside-reputable-organi) – nealmcb Jul 03 '11 at 21:47

5 Answers

15

I suggest just ignoring it; it's not worth the trouble. There are way too many infected machines out there.

If you have too much time on your hands, you can do a whois query on the IP address. Then contact the ISP, telling them that they have an infected customer. The email address to contact is usually `abuse@` followed by the domain.

In this case `whois 83.140.8.18` even returns a comment saying:

In case of abuse, send mail to abuse (at) rixtelecom.se

Hendrik Brummermann
  • Which `whois` are you using? Doing a whois lookup was the first thing I did, but I did not see that notice. I looked at http://www.ip-adress.com/whois/83.140.8.18 and it does not mention rixtelecom.se at all. The most I got was Server Location: Rock, Lancashire in United Kingdom, ISP: Phonera Networks AB – Louis Somers Jul 03 '11 at 19:58
  • I personally use the command line tool. http://www.heise.de/netze/tools/whois-abfrage for example shows you the real output. ip-address.com obviously tries to do something smart with the whois output and fails miserably. – Hendrik Brummermann Jul 03 '11 at 20:14
  • Thanks, I did mail the ISP. Can I expect to see many of these attacks? The site has only been online for a week now. Also, what do you mean by "infected machines"? Are there viruses that do this to any site the user visits, or something like that? – Louis Somers Jul 03 '11 at 22:34
  • @louis Unfortunately, you can expect to see a huge variety of attacks, many of which are simply random attacks from the huge percentage of home user machines which have been taken over by a "botnet", against any server out there. – nealmcb Jul 04 '11 at 16:08
  • This site lists most abuse mail addresses: http://www.abuse.net/lookup.phtml – Froggiz Nov 19 '15 at 12:46
  • Hi @HendrikBrummermann, I'm facing similar attacks on my IIS site. One thing that I'm not understanding in the logs is how my server is returning a 301 HTTP status code to these requests. `GET /proxyheader.php 80 23.89.185.70 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36 301 0 0 140 httpstatus:301` – Yashvit Dec 08 '16 at 08:38
6

I would not bother going to the police with it. This is common scanning of your IP, which happens to most public-facing IPs out there.

As Hendrik Brummermann says, it can be worth reporting the IP to the ISP's abuse department.

You can also block the IP by adding a route to /dev/null for that IP or blocking it in the firewall.

Chris Dale
6

Contact the user's ISP, as everyone said.

You can also use knowledge of this particular attack to harden your security and tune the firewall rules, such as limiting the number of requests to the same page per unique IP, and so on. Many examples on Google should help you determine what is best for you.

This should address future attacks and lower the bandwidth used.

M'vy
  • Thanks, I'm considering doing something with the 404 page, like if there are 10 hits from the same IP within one second, make sure the IP will only get 404s even if a page does exist. It might backfire on me if a search-engine bot starts getting those. Maybe with some extra rules, like if the URL contains "admin", "setup" or "install". I'm on shared hosting, so I guess (hope) the firewall stuff is OK. – Louis Somers Jul 04 '11 at 18:20
  • I would consider dropping packets. Don't bother for scripties... – M'vy Jul 04 '11 at 19:26
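One way to turn the log in the question into the per-IP check discussed in this answer and its comments, as an added example that is not code from any answer here: it reads the IIS W3C format using the `#Fields` directive, keeps only probe-like misses (302/404 responses to setup/admin-style paths, since on the asker's site non-existent paths got either), and flags a client whose misses cross a threshold inside a short window. The sample log is a constructed subset of the question's lines plus one benign request; the path pattern, threshold and window are assumptions to tune before acting on a result (a search-engine bot hitting a few stale links should stay below them).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the question's lines plus one benign request from another client.
SAMPLE_LOG = """\
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-07-03 18:29:06 W3SVC111 GET /scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 468 151 617
2011-07-03 18:29:06 W3SVC111 GET /admin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 480 157 132
2011-07-03 18:29:08 W3SVC111 GET /admin/pma/scripts/setup.php - 80 - 83.140.8.18 - 404 0 0 1457 161 2407
2011-07-03 18:29:09 W3SVC111 GET /mysql/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 480 157 197
2011-07-03 18:29:10 W3SVC111 GET /phpmyadmin/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 490 162 87
2011-07-03 18:29:10 W3SVC111 GET /pma/scripts/setup.php - 80 - 83.140.8.18 - 302 0 0 476 155 55
2011-07-03 18:29:30 W3SVC111 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 5120 300 12
"""

# Assumed pattern for install/admin probing; tune it to the software you actually run.
PROBE_PATH = re.compile(r"setup\.php|install|phpmyadmin|/pma/|/admin/", re.IGNORECASE)
# On the asker's site non-existent paths were answered with 302 (redirect) or 404, so both count as misses.
MISS_STATUSES = {"302", "404"}

def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_probing_ips(text, threshold=5, window_seconds=10):
    """Return {ip: [paths]} for clients with >= threshold probe-like misses inside window_seconds."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)  # ip -> [(timestamp, path)], only probe-like misses
    for rec in parse_w3c(text):
        if rec["sc-status"] in MISS_STATUSES and PROBE_PATH.search(rec["cs-uri-stem"]):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits[rec["c-ip"]].append((ts, rec["cs-uri-stem"]))
    alerts = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])  # stable sort keeps log order within a second
        for i in range(len(events)):  # slide a window starting at each event
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[ip] = [path for _, path in events[i:j]]
                break
    return alerts
```

On the sample, `find_probing_ips(SAMPLE_LOG)` flags 83.140.8.18 with all six probe paths and leaves 198.51.100.7 alone; feeding a full day's log through it gives you the list of clients worth a firewall rule or an abuse report.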
2

I don't see anything illegal here. If you want to report everyone who queries a non-existing path, you'll be quite busy in the future.

His ISP will laugh at you.

SlowMan
  • If you look at the logs it is clear he's trying some standard paths to see if a setup directory has been left behind after installation. If you found someone trying a whole bunch of keys at your front door... maybe that's not illegal, but then, would it make you feel comfortable? – Louis Somers Jul 04 '11 at 14:38
  • The computer scanning might be infected. The ISP may send their customer a notice about this and help their customer clean up. – Chris Dale Jul 04 '11 at 16:45
  • The magenta-coloured ISP in Germany (one of the largest) is known to contact customers about infected machines. – Hendrik Brummermann Jul 05 '11 at 18:24
  • Legality depends on the location and jurisdiction of the server, the owner of the server, the adversary, the ISP for the server, and the ISP for the adversary. Unless you are an expert in international computing law, I would be careful about making judgments on the legality of actions. – this.josh Aug 03 '11 at 00:59
0

It looks like an automated probe for information on what could be running on your server. As mentioned, it's not worth going to the police; report them to their ISP's abuse email.

I felt compelled to answer when the top answer suggested ignoring it. Don't ignore it! Even though it is a blind attack, you should still not brush it off and do nothing. Obviously it is still an attack. According to the logs no actual attack is being made, but he is collecting intel. You should be sure that none of these scripts are scripts on your server before ignoring the threat. If one of those was a good request, they have identified what you are running. If they have identified what you are running, they are likely not curious just for the sake of being curious. They will probe deeper for vulnerabilities. So be on the lookout for log entries which might look like follow-up probes.

An example of how it could play out:

  • Automated intel search is performed. He will check to see if your server is serving files found in popular web-based software like forums, CMSs, portals, etc. Let's say he identified you are running the WordPress CMS. You will see this step appear in your logs.
  • You will then have another probe performed. This could be done one of two ways. He might check for certain files that help identify which version of WP you could be running. Or he might check for certain files for third-party plugins with known vulnerabilities. You will see this step appear in your logs. It could happen the same day or he might wait weeks.
  • Say he identified you are running a version of the CMS or a plugin with a known exploit. He will then attempt to perform those exploits. It could be done automatically or he might do this step manually. You will likely see this in your logs, and chances are the query strings will be weird and long, as they might contain a SQL injection attempt or code that he would hope your server executes via the vulnerability.

As you can see, if these conditions were met, your choice to ignore it could result in your server and/or site becoming compromised.

Bacon Brad
  • The reason to ignore it is that every one of those log entries shows a response of "302" or "404"; in short, the pages being scanned for don't exist. There's no point in taking active measures against an attack that can't succeed. – Mark Aug 04 '15 at 18:50
  • That is why I included the sentence "You should be sure that none of these scripts are scripts on your server before ignoring the threat." I was unsure if that was his full log or the truncated log. Normally when I see these in my logs the probe is 2-4 times bigger than his log provided. I wanted to encourage him to check before brushing it off. – Bacon Brad Aug 04 '15 at 19:38