
My two cloud servers have now been up and running long enough for scanners, hackers and other folks to find them. What is interesting is seeing what kind of hacker activity the two cloud servers are getting, and how they are standing up to being exposed on the internet.
A bit about the servers: they are default AWS (Amazon Web Services) servers running a LAMP stack on Linux. They have their own static IPs and sit in a subdomain off the primary domain that we are using. They provide LMS (Learning Management System), podcasting, and blogging platforms for people to use and share information. Some of that sharing is also free, so we are running an open training campus to help folks keep up with what is changing in the world of technology.
The first site in the system is our LMS. It gets some scanning, but no real dedicated attempts at hacking the system. Most of the scanning is drive-by, looking for specific directories that might contain vulnerable programs or systems. The scanning primarily consists of hackers looking for phpMyAdmin or shopping carts, and in some cases looking for WordPress installations or other software packages like Drupal.
[Tue May 12 12:39:52 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcube
[Tue May 12 12:39:53 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/rc
[Tue May 12 12:39:54 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/mss2
[Tue May 12 12:39:54 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/mail
[Tue May 12 12:39:55 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/mail2
[Tue May 12 12:39:56 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcubemail
[Tue May 12 12:39:57 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/rms
[Tue May 12 12:39:57 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/webmail2
[Tue May 12 12:39:58 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/webmail
[Tue May 12 12:39:59 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/wm
[Tue May 12 12:40:00 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/bin
[Tue May 12 12:40:01 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcubemail-0.1
[Tue May 12 12:40:01 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcubemail-0.2
[Tue May 12 12:40:02 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcube-0.1
[Tue May 12 12:40:03 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/roundcube-0.2
[Tue May 12 12:40:04 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/round
[Tue May 12 12:40:05 2009] [error] [client 202.140.59.118] File does not exist: /home/webuser/helloworld/htdocs/cube
[Tue May 12 12:40:05 2009] [error] [client 202.140.59.118] Invalid URI in request GET HTTP/1.1
The scanning activity over the servers' lifetime primarily looks for information like the example above (and there are hundreds of these over the 90 days that they have been running). What is interesting is that they all seem to bounce off after about 15 to 20 quick scans with the Invalid URI error. Another interesting scan to show up was this one:
[client 66.98.218.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
W00t is an older scanner from 2005 that the ISC at SANS no longer has an affiliation with. What is interesting is that such an old scanner would still be in use. This was more of an annoyance scan, showing up three or four times a day. Others were the standard XML-RPC scan attacks like the one below.
[client 87.230.13.210] script ‘/home/webuser/helloworld/htdocs/blog/xmlrpc.php’
The XML-RPC attacks showed up much more often, 8 or 9 times a day, looking for XSS-style attacks that could be used against the site. These are much more dangerous because users could easily be sent to a dangerous site if we were not filtering script and HTML code out of all data inputs.
The blogging web server, though, was seeing a lot more activity, and more dangerous activity over the long run, and obviously presented a bigger and better target to hackers. Hackers really went after the WordPress installation, not realizing that the system was set up to run very securely. Standard attacks took a more direct approach, trying to initialize or run scripts that did not exist, like the ones below.
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/var/www/cgi-bin/entete.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] script ‘/home/webuser/helloworld/htdocs/wp-includes/images/crystal/admin.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-includes/images/wlw/buglist.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-content/themes/tribune/popularity-contest/member.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-admin/css/install.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] File does not exist: /home/webuser/helloworld/htdocs/wp-content/themes/tribune/modules
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] script ‘/home/webuser/helloworld/htdocs/wp-includes/js/pafiledb.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] File does not exist: /home/webuser/helloworld/htdocs/wp-content/themes/phpMyAdmin
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-includes/js/buglist.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-content/plugins/member.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] script not found or unable to stat: /var/www/cgi-bin/modules
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-admin/includes/install.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] File does not exist: /home/webuser/helloworld/htdocs/wp-content/themes/tribune/popularity-contest/modules
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] script ‘/home/webuser/helloworld/htdocs/wp-includes/images/smilies/admin.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 75.165.66.87] script ‘/home/webuser/helloworld/htdocs/wp-content/additional_images.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-content/buglist.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-admin/member.php’ not found or unable to stat
[Thu Jul 16 02:54:51 2009] [error] [client 24.17.81.126] script ‘/home/webuser/helloworld/htdocs/wp-admin/import/install.php’ not found or unable to stat
Obviously the nature of the system and the number of hacks available made it more interesting to hackers, who want to latch onto systems and use them for whatever purpose a hacker would use them for. There are gigabytes of data in the error log file from the cloud blogging service, whereas the LMS system was generally overlooked or bypassed because there are not many hacks available for it.
Cloud computing, depending on what the person is running, is not a sign that hackers will bypass it; rather, hackers will try to latch onto the applications being exposed to do their work instead of the operating system underneath the web application. This is not a change in tactics; rather, there is a point where hackers are more interested in the vulnerabilities of the application than they are in the actual server itself. Cloud computing does not reduce the risk of the web applications exposed, nor should anyone in cloud computing expect those risks to be any different. The log files speak for themselves: hackers have been all over one system looking for anything they could use to latch into the system and do their thing. It did not matter that it was on the cloud; if anything, the hackers could not have cared less.
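The three kinds of noise quoted above (the quick directory-guessing bursts that end in an Invalid URI error, the w00tw00t and xmlrpc.php probes, and the WordPress script probes) can all be pulled out of the Apache error log with one small parser. The script below is an added example, not code from the original post: it reads error-log lines of the same shapes as the ones quoted, groups them by client IP, flags any IP that produces a burst of missing-file errors in a short window, and tags each IP with the probe signatures it asked for. The sample lines, the IP addresses, the paths, the burst threshold (10 hits in 60 seconds) and the signature list are all constructed for the example.

```python
"""Triage Apache error-log lines for drive-by scanning (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Apache 2.2 lines look like "[date] [level] [client IP] message"; some tools
# strip the date and level, leaving "[client IP] message". Accept both.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] \[\w+\] )?\[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Message shapes quoted in the post. "missing" = a resource that is not there
# (a guess by the scanner); "malformed"/"nohost" = a broken request.
MSG_PATTERNS = [
    ("missing", re.compile(r"^File does not exist: (?P<path>\S+)")),
    ("missing", re.compile(r"^script not found or unable to stat: (?P<path>\S+)")),
    ("missing", re.compile(r"^script ['\u2018]?(?P<path>[^'\u2019\s]+)['\u2019]? not found or unable to stat")),
    ("malformed", re.compile(r"^Invalid URI in request")),
    ("nohost", re.compile(r"request without hostname.*?: (?P<path>\S+)")),
]

# Signature list (assumed): what the scanner was asking for, in the post's terms.
SIGNATURES = [
    ("w00tw00t", re.compile(r"w00tw00t", re.I)),
    ("xmlrpc", re.compile(r"/xmlrpc\.php", re.I)),
    ("phpmyadmin", re.compile(r"phpmyadmin|/pma\b", re.I)),
    ("wordpress", re.compile(r"/wp-(?:admin|content|includes)/", re.I)),
    ("webmail", re.compile(r"roundcube|/webmail|/mail\d*$|/rc$", re.I)),
]


@dataclass
class Event:
    ts: Optional[datetime]   # None when the line had no timestamp prefix
    ip: str
    kind: str                # "missing", "malformed", "nohost" or "other"
    path: Optional[str]
    tags: list


def parse_line(line: str) -> Optional[Event]:
    """Turn one error-log line into an Event, or None if it is not a client line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT) if m.group("ts") else None
    kind, path = "other", None
    for k, pat in MSG_PATTERNS:
        mm = pat.search(m.group("msg"))
        if mm:
            kind, path = k, mm.groupdict().get("path")
            break
    haystack = path or m.group("msg")
    tags = sorted(t for t, pat in SIGNATURES if pat.search(haystack))
    return Event(ts, m.group("ip"), kind, path, tags)


def find_scan_bursts(events, min_hits=10, window=timedelta(seconds=60)):
    """Per IP, the largest run of missing-resource errors inside a sliding window.
    Returns {ip: (count, first_ts, last_ts)} for IPs that reach min_hits."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind == "missing" and e.ts is not None:
            by_ip[e.ip].append(e.ts)
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            n = end - start + 1
            if n >= min_hits and (ip not in bursts or n > bursts[ip][0]):
                bursts[ip] = (n, stamps[start], stamps[end])
    return bursts


def summarize(lines):
    """Parse all lines and return events, burst scanners and per-IP signature tags."""
    events = [e for e in map(parse_line, lines) if e]
    tags_by_ip = defaultdict(set)
    for e in events:
        tags_by_ip[e.ip].update(e.tags)
    return {"events": events,
            "bursts": find_scan_bursts(events),
            "tags": {ip: sorted(t) for ip, t in tags_by_ip.items()}}


# Constructed sample log (documentation IP ranges, made-up paths) shaped like
# the lines quoted in the post: a webmail guessing burst, a w00tw00t probe,
# WordPress/xmlrpc/phpMyAdmin probes, and one ordinary 404 for comparison.
SAMPLE_LOG = "\n".join(
    [f"[Tue May 12 12:39:{52 + i} 2009] [error] [client 203.0.113.10] File does not exist: /var/www/htdocs/{p}"
     for i, p in enumerate(["roundcube", "rc", "mail", "mail2", "roundcubemail", "webmail2", "webmail", "wm"])]
    + [f"[Tue May 12 12:40:0{i} 2009] [error] [client 203.0.113.10] File does not exist: /var/www/htdocs/{p}"
       for i, p in enumerate(["bin", "roundcube-0.1", "roundcube-0.2"])]
    + ["[Tue May 12 12:40:03 2009] [error] [client 203.0.113.10] Invalid URI in request GET HTTP/1.1",
       "[client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
       "[Thu Jul 16 02:54:51 2009] [error] [client 192.0.2.5] script '/var/www/htdocs/blog/xmlrpc.php' not found or unable to stat",
       "[Thu Jul 16 02:54:51 2009] [error] [client 192.0.2.5] script '/var/www/htdocs/wp-admin/css/install.php' not found or unable to stat",
       "[Thu Jul 16 02:54:51 2009] [error] [client 192.0.2.5] File does not exist: /var/www/htdocs/wp-content/themes/phpMyAdmin",
       "[Thu Jul 16 02:54:52 2009] [error] [client 192.0.2.5] script not found or unable to stat: /var/www/cgi-bin/modules",
       "[Tue May 12 13:00:00 2009] [error] [client 198.51.100.200] File does not exist: /var/www/htdocs/favicon.ico"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, (n, first, last) in report["bursts"].items():
        print(f"burst: {ip} made {n} guesses between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for ip, tags in report["tags"].items():
        print(f"{ip}: {', '.join(tags) or 'no known signature'}")
```

Against the constructed sample this reports one burst (203.0.113.10, eleven guesses in ten seconds, the same "15 to 20 quick scans then an Invalid URI" pattern the post describes) and tags 198.51.100.7 with w00tw00t and 192.0.2.5 with phpmyadmin, wordpress and xmlrpc, while the single favicon 404 is left alone. On a real server you would feed it `open("/var/log/httpd/error_log")` instead of `SAMPLE_LOG.splitlines()`; the threshold and window are starting points, not tuned values.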
(Cross-posted @ TechWag)
Does this mean that cloud computing is no more vulnerable to hackers than other servers?