this is not a blog

I Reckon This Must be the Place, I Reckon

Musings about our Apache log file (from stupid to bizarre - the logs not the musings)

Looking at the Log Files

In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occurring.
Apache, on Log Files

Looking at this website's log file is boring, interesting and exasperating all at the same time. The first thing we noticed, when we first launched, was that oh so many browsers try to load favicon.ico. We do not believe in supporting non-standard IE shit like that, so we stubbornly and stupidly just ignored it — stupidly because Apache would issue a 404 for each request, which affects bandwidth and is a waste of Apache's time. So we finally smartened up and created one... of zero length.

Then, as our time online increased, we noticed that we could tell humans from bots: a human visit loads favicon.ico and CSS and most of the time the images as well; bots do not, getting just the HTML. And those bots that do not identify themselves are the crooks and the spammers.

In this section we are going to be posting about those interesting and exasperating things we encounter.

I hope that by chronicling the odd and interesting things found in our logs certain patterns will emerge which can be used to detect exploiters and spammers.

Notes

1. But since it has been that way for like fifty years now, the case can be made that it's a de-facto standard of some sort. sigh
2. We now use a link rel="icon" thingy.
3. They are so obvious, really. Some use a consistent UA, some vary their UA, some use really odd UAs. But they all never load any image or CSS file and always concentrate on a few links at a time.

User-Agent: BOT/0.1 (BOT for JCE)

Hey AmnPardaz Security Research & Penetration Testing Group!

Why don't you mod your Exploit for JCE Joomla Extension code to, like, um, actually test to see if the site is running Joomla first!

sigh

The Other Log File

If you, like me (though I am obsessive about it), like (or dislike) to peruse Server log files, there may be one you are missing: the error log file.

The error log file is not directly available for download, nor (assuming cPanel) through your Server's File Manager. But it is available (again, assuming cPanel) through the Errors link in the Metrics section of your Server dashboard.

Click on it, click in the "Latest web server error log messages" box, then "Select All" and "Copy".

Then you can paste it into your favourite editor to save it for examination. You might find some interesting stuff.

Who the Fuck is binance.com?

Well, according to them, "the world's largest crypto exchange".

But, who the fuck is doing this:

    31.210.20.88 - - [30/Nov/2021:12:30:09 -0700] "GET /wp-admin/css/ HTTP/1.1" 410 4 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    20.115.4.12 - - [30/Nov/2021:13:49:40 -0700] "GET /wp-admin/css/ HTTP/1.1" 410 4 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    195.133.18.227 - - [30/Nov/2021:22:59:54 -0700] "GET /wp-admin/css/ HTTP/1.1" 410 4 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    45.144.225.104 - - [04/Dec/2021:11:11:57 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    45.144.225.104 - - [04/Dec/2021:11:12:03 -0700] "GET /.well-known/ HTTP/1.1" 403 2 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    136.144.41.85 - - [12/Dec/2021:01:30:46 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    136.144.41.85 - - [12/Dec/2021:01:30:57 -0700] "GET /.well-known/ HTTP/1.1" 403 2 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    212.227.12.174 - - [13/Dec/2021:23:23:37 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    212.227.12.174 - - [13/Dec/2021:23:23:51 -0700] "GET /.well-known/ HTTP/1.1" 403 2 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    212.227.12.174 - - [15/Dec/2021:02:31:27 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    212.227.12.174 - - [15/Dec/2021:02:31:58 -0700] "GET /.well-known/ HTTP/1.1" 403 2 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    2.56.59.142 - - [15/Dec/2021:23:46:45 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
    2.56.59.142 - - [15/Dec/2021:23:46:56 -0700] "GET /.well-known/ HTTP/1.1" 403 2 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

Netscum.

A Discovery of Brothers?

I may have had contact by "White Hats"! The good people at LeakIX.

First, it solves one nagging notion – well, points in a certain direction. This was about the very odd, invalid-looking requests like:

    "\x16\x03\x01" 404 - "-" "-"
    "\x16\x03\x01\x01\xfc\x01" 404 - "-" "-"

(But that turns out to be an Apache SSL configuration issue.)

But then I got a repeating offender from IP Address 143.198.136.88, for it dropped more identifying strings:

    143.198.136.88 - [29/Nov/2021:11:39:43] "\x16\x03\x01" 404 - "-" "-"
    143.198.136.88 - [29/Nov/2021:11:39:43] "GET / HTTP/1.1" 404 - "-" "-"
    143.198.136.88 - [29/Nov/2021:11:39:43] "GET / HTTP/1.1" 403 2 "-" "l9tcpid/v1.1.0"
    143.198.136.88 - [29/Nov/2021:11:39:43] "CONNECT leakix.net:443 HTTP/1.1" 403 2 "-" "Go-http-client/1.1"

Followed by this:

    143.198.136.88 - [29/Nov/2021:11:39:43] \
    "GET /cgi-bin/../../../../../../../../../etc/hosts HTTP/1.1" 404 - "-" \
    "Lkx-TraversalHttpPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"

(The dots were "disguised" by URL-encoding; they are shown URL-decoded here. Here's a leakix log excerpt. That is an explicit attempt to get my Server's /etc/hosts file! And they signed their work!)
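As an added example (my own code, not the post's and not LeakIX's), here is a Python triage of combined-format access log lines that applies the signals this page describes: an IP that fetches pages but never CSS, favicon or images (the human-versus-bot note above), probes for paths this site never served such as /wp-admin/ and /.well-known/ (the binance.com lines), a request field beginning with Apache-escaped \x16\x03 (a TLS handshake sent to the plaintext port, as in the "invalid-looking" lines), and a percent-decoded path that climbs above the document root with ".." (the /etc/hosts request). The sample IPs, the probe path list and the flag names are constructed here and assume the standard Apache "combined" LogFormat, which the LeakIX excerpt above does not use exactly.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"$')
ASSET_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.svg')
PROBE_PREFIXES = ('/wp-admin', '/wp-login.php', '/xmlrpc.php', '/.well-known/')  # never served on this site

def escapes_docroot(target):
    """True if the percent-decoded path climbs above '/' through '..' segments."""
    depth = 0
    for seg in unquote(target.split('?', 1)[0]).split('/'):
        depth += -1 if seg == '..' else (seg not in ('', '.'))
        if depth < 0:
            return True
    return False

# Per-request signals. Apache logs unprintable bytes as \xNN, so a request starting "\x16\x03"
# is a TLS record header (type 0x16 = handshake, version 3.x) that arrived on the plaintext port.
CHECKS = {
    'tls-on-http': lambda r: r['request'].startswith('\\x16\\x03'),
    'probe':       lambda r: r['target'].startswith(PROBE_PREFIXES),
    'traversal':   lambda r: escapes_docroot(r['target']),
    'no-ua':       lambda r: r['ua'] == '-',
}

def triage(lines):
    """Return {client_ip: sorted flags} for a batch of combined-format log lines."""
    by_ip = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, lines)):    # lines not in combined format are skipped
        host, request, ua = m.groups()
        parts = request.split(' ')                        # "METHOD target HTTP/x.y"; TLS bytes or junk carry no target
        by_ip[host].append({'request': request, 'target': parts[1] if len(parts) == 3 else '', 'ua': ua})
    report = {}
    for ip, recs in by_ip.items():
        flags = {name for name, hit in CHECKS.items() if any(hit(r) for r in recs)}
        if any(r['target'] for r in recs) and not any(r['target'].lower().endswith(ASSET_EXT) for r in recs):
            flags.add('no-assets')                        # fetched pages but never CSS/favicon/images: bot-like
        report[ip] = sorted(flags)
    return report

# Constructed sample (TEST-NET addresses), shaped like the lines quoted in the post.
SAMPLE = [
    '192.0.2.10 - - [30/Nov/2021:12:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Nov/2021:12:00:01 -0700] "GET /favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [30/Nov/2021:12:30:09 -0700] "GET /wp-admin/css/ HTTP/1.1" 404 3 "binance.com" "Mozilla/5.0"',
    '192.0.2.30 - - [29/Nov/2021:11:39:43 -0700] "\\x16\\x03\\x01" 404 - "-" "-"',
    '192.0.2.30 - - [29/Nov/2021:11:39:43 -0700] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 - "-" "-"',
]
```

Running `triage(SAMPLE)` leaves the favicon-loading visitor unflagged and tags the other two addresses with the probe, traversal and TLS-on-HTTP signals; an IP with zero assets and a missing User-Agent is the "does not identify itself" case from the notes above.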

All their shit requests were for known exploits. What they say:

"We intent [sic] to provide a preemptive solution by trusting individual researchers and security companies on the most sensible data we index by delivering a clear report on the incidents, we also help to identify what information has/could be affected and how to resolve the issue. "

What the fuck does that mean? They add:

"There are a few parts involved, but so far the opensource releases are "

1. ip4scout, our random ipv4 space scanner.
2. l9tcpid, our TCP protocol inspector.
3. l9explore, our deep protocol exploration tool.

Thanks for your block strings!

Their hubris borders on stupidity. They are looking for exploits on my pathetic little shit of a website! Which only slows my site down and increases the size of my Server's log files!

First, people of the "White Hat" variety should ask for permission, no? Or at least – like normal coders – provide a way to opt out, like by robots.txt perhaps? But only one of their requests identified them, and they do not look like they have any way to opt out...

Idiots.

P.S. Here is my Disclosure Policy.