So I have the Apache logs from 14/03/2008 to today, and I installed Wordfence on 7/12/2016. I want to see whether the SQL injection attacks sent via GET are new or not, and whether they line up with the Wordfence installation date.
A few basic commands, as a reminder:
- Decompress all the files:
- gunzip access.log.*.gz
- Count the number of files:
- ls -l LogsWeb/access.log.* | wc -l
3149
- Check the disk usage:
- du -sh LogsWeb
6,9G LogsWeb
- Count the number of lines:
- wc -l LogsWeb/access.log.* | awk '{total += $1} END {print "Total " total}'
Total 53549284
- Search for the word "UNION", first as a whole word and then ignoring case. Note that this only covers GET requests, not POST ones (a POST body never appears in the access log).
- time grep -w "UNION" LogsWeb/* > union.txt
real 3m21.170s
user 0m44.107s
sys 0m5.489s
- wc -l union.txt
159 union.txt
- time grep -i "UNION" LogsWeb/* > union.txt
real 6m46.629s
user 3m27.873s
sys 0m5.425s
- wc -l union.txt
66644 union.txt
- grep -i "select" union.txt > select.txt
- wc -l select.txt
16008 select.txt
So I got a refresher on "du", "awk", "ls", "gunzip", "grep" (with "-w" and case-insensitive "-i") and "time" 😉.
That gives me 16008 injection attempts via the GET method. Now let's extract the IPs so we can filter them.
- cat select.txt | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c | sort -n
...
115 185.5.53.22 (the Lithuanians as seen by Wordfence, not very high in the ranking ;))
...
195 197.15.248.136 (ATI - Agence Tunisienne Internet - Tunis)
205 66.117.3.211 (UNITED STATES)
207 216.239.0.120 (UNITED STATES)
207 62.193.199.184 (AMEN - Agence des Médias Numériques - 12/14, Rond-point des champs elysees 75008 Paris, France) Cocorico ... we're on the list ;) ... an attack of the "jatest7.php outifle" type.
209 210.58.101.147 (Taipei City, Taiwan, R.O.C.)
210 211.115.125.46 (135 Jungdae-ro Songpa-gu Seoul)
220 31.43.19.174 (Ukraine)
328 69.61.23.170 (UNITED STATES)
361 195.70.35.54 (Budapest, Hungary)
404 211.110.18.248 (135 Jungdae-ro Songpa-gu Seoul)
404 69.16.206.5 (UNITED STATES)
411 64.59.86.2 (UNITED STATES)
414 120.118.219.8 (12F, No 106, Sec. 2, Heping E. Rd., Taipei)
648 178.137.168.166 (Kyivstar GSM, Kiev, Ukraine)
843 104.207.146.56 (UNITED STATES)
864 108.61.197.166 (UNITED KINGDOM)
1513 104.207.150.44 (UNITED STATES)
The winner is 104.207.150.44 (UNITED STATES)! Congratulations on its 1513 injection attempts. Ah, the land of liberty ... quite a track record.
I can find the Lithuanians' infection attempt that Wordfence reported:
LogsWeb/access.log.20161214:185.5.53.22 - - [14/Dec/2016:20:22:03 +0100] "GET /?lang=en99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x HTTP/1.1" 403 226 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial; SV1; .NET CLR 1.0.3705)" "www.cyber-neurones.org"
LogsWeb/access.log.20161116:204.93.196.218 - - [16/Nov/2016:05:58:54 +0100] "GET /2015/02/oopad-non-merci/?lang=es';declare%20@b%20cursor;declare%20@s%20varchar(8000);declare%20@w%20varchar(99);set%20@b=cursor%20for%20select%20DB_NAME()%20union%20select%20name%20from%20sys.databases%20where%20(has_dbaccess(name)!=0)%20and%20name%20not%20in%20('master','tempdb','model','msdb',DB_NAME());open%20@b;fetch%20next%20from%20@b%20into%20@w;while%20@@FETCH_STATUS=0%20begin%20set%20@s='begin%20try%20use%20%5B'%2B@w%2B'%5D;declare%20@c%20cursor;declare%20@d%20varchar(4000);set%20@c=cursor%20for%20select%20''update%20%5B''%2BTABLE_NAME%2B''%5D%20set%20%5B''%2BCOLUMN_NAME%2B''%5D=%5B''%2BCOLUMN_NAME%2B''%5D%2Bcase%20ABS(CHECKSUM(NewId()))%259%20when%200%20then%20''''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''low%20dose%20naltrexone%20buy%20uk%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''naltrexonealcoholismmedication.com''%2Bchar(47)%2B''%22''%2Bchar(62)%2B''''''%
I'll leave a few examples of injection attempts from November. Now some statistics, to see the number of attacks per year:
- cat select.txt | awk '{print $4}' | sed 's/\// /g' | sed 's/:/ /g' | awk '{print $3}' | sort -n | uniq -c
2733 2008
1595 2009
14 2010
23 2011
686 2012
660 2013
2593 2014
3341 2015
4363 2016
A record for 2016, with 4363 injection attempts!
And within 2016:
- cat select.txt | awk '{print $4}' | grep "2016" | sed 's/\// /g' | sed 's/:/ /g' | awk '{print $2 " " $3}' | sort -n | uniq -c
459 Apr 2016
94 Aug 2016
224 Dec 2016
1685 Feb 2016
13 Jan 2016
513 Jul 2016
158 Jun 2016
111 Mar 2016
97 May 2016
16 Nov 2016
492 Oct 2016
501 Sep 2016
I'd say November is light compared to February, but in December it does indeed start again.
And I'll finish with the list of the query parameters most targeted by the injections:
- cat union.txt | awk -F "?" '{print $2}' | awk -F "=" '{print $1}' | sort -n | uniq -c | sort -n
...
24 fbconnect_action
53 edit
56 sa
57 feed
60 cid
71 id_ville
103 13-zoo&lang
114 format
117 mt
162 imgurl
279 page
284 option
295 replytocom
332 post
337 main_page
343 url
682 fb_action_ids
949 shared
983 page_id
1257 action
5949 share
8737 lang
8927 pg
13307 ver
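As an added example (not code from the original post), here are the three counting pipelines above (per IP, per year, per parameter) redone as a small Python parser for the combined log format: it URL-decodes each GET request, looks for UNION ... SELECT in every query parameter rather than only the first name after "?" as the awk pipeline does, and ignores the word "union" when it merely appears in a path. The sample log lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache combined log line, same shape as the excerpts quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d+)/(?P<mon>\w+)/(?P<year>\d+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# UNION ... SELECT with anything in between, checked on the decoded value.
UNION_SELECT = re.compile(r'\bunion\b.*\bselect\b', re.IGNORECASE | re.DOTALL)


def suspicious_params(target):
    """Names of the query parameters whose decoded value carries UNION ... SELECT."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes values and turns '+' into spaces, so an encoded
    # payload such as 5%20UNION%20SELECT or 1'+union+select is seen decoded.
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if UNION_SELECT.search(value)]


def summarize(lines):
    """Count GET requests carrying a payload, by source IP, by year and by parameter."""
    by_ip, by_year, by_param = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':  # POST bodies never reach the access log
            continue
        params = suspicious_params(m['target'])
        if not params:
            continue
        by_ip[m['ip']] += 1
        by_year[m['year']] += 1
        by_param.update(params)
    return by_ip, by_year, by_param


# Constructed sample lines in the post's log format (RFC 5737 documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [14/Dec/2016:20:22:03 +0100] "GET /?lang=en99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x HTTP/1.1" 403 226 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [15/Dec/2016:08:01:12 +0100] "GET /index.php?page_id=1&id=5%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 200 4821 "-" "curl/7.47.0"',
    '198.51.100.7 - - [03/Feb/2015:11:40:55 +0100] "GET /?ver=1%27+union+select+user()--+ HTTP/1.1" 403 226 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Feb/2015:11:41:02 +0100] "GET /about/union-workers/?lang=fr HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [03/Feb/2015:11:45:00 +0100] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for counter in summarize(SAMPLE):
        print(counter.most_common())
```

On the second sample line the awk pipeline would credit "page_id" while the payload actually sits in "id"; the fourth line would match a plain grep -i "union" but is not an injection.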
Ideally you'd name your variables in Esperanto 😉. Some well-known WordPress vulnerabilities show up here:
https://lwthacking.blogspot.com/2012/09/hacking-wordpress-websites-with-sql.html : fbconnect_action