It's probably better that you didn't hack my blog

This is a quick post, since I'm making a big effort to keep the fresh content flowing in my blog.

TL;DR

Random person vulnerability scans my blog, I try to turn it into a learning opportunity on investigation, attribution, and proactive defense.

Summary

In this blog post, I'm going to demonstrate some ways to extrapolate as much data as possible about an attack before it happens using my own blog being targeted as an example. I'm no expert on incident response and it's not my intention to claim to be, but the point I'm trying to drive home is that defense starts before a compromise ever occurs, not after.

I regularly audit my logs for strange activity. A few days ago I noticed that someone was scanning my blog for vulnerabilities. In this post, I'm going to work backwards and discuss a few takeaways I've had from observing the would-be attacker.

Side note

For what it's worth, I don't care at all that someone vulnerability scanned my blog. My blog holds no intelligence value whatsoever. The only asset at stake here is my reputation as a blogger (and who really cares about bloggers?).

Unless the person conducts a successful compromise of my site I have no intention of tracking this poor soul down. The objective of this post is to demonstrate some ways someone managing a network or some other type of high-value asset can maximize the value of log files before an incident occurs.

Let's get started.

Initial Detection

Since publishing my last blog post, my site has received a lot of interesting attention. One example of an interesting incident came up a few days ago when I noticed that someone was probing my blog for vulnerabilities.

An unknown person scanned my blog for vulnerabilities using a tool called "WPScan". WPScan is an automated tool that scans WordPress instances for known vulnerabilities such as SQL injection and XSS, most commonly found in third party plugins.

I used some very complex data science algorithms to deduce that the scan had originated from the WPScan tool. By measuring the exact time skew of-...

...Nah I'm just kidding. WPScan includes the word "WPScan" in the user-agent by default. Unless you tell the tool to use another user-agent, it will literally tell your target server "HEY I'M SCANNING YOU WITH A VULNERABILITY SCANNER". This is especially humorous for me, because my blog doesn't run WordPress.

Here are the relevant (redacted) log files that originally piqued my interest during the log review:

103.31.XXX.XXX - - [14/Apr/2015:05:31:40 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:41 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:41 -0400] "GET /wp-content HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:42 -0400] "GET /b758acc8bf04e8869eadc559c1de6ab4.html HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET /b758acc8bf04e8869eadc559c1de6ab4.html/ HTTP/1.1" 404 1294 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET /xmlrpc.php HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  
...
(snip)

Interesting. Let's dig a little deeper and try to piece together the (potential) attacker's mindset.

Analysis

Alright, let's move back in time. Let's see if we can figure out what other traffic has originated from this same person. I'll grep my log files for their IP address, which will show me all requests that have historically come from his machine (or at least, from this same IP address).

~ >> grep "103.31.XXX.XXX" access.log
103.31.XXX.XXX - - [14/Apr/2015:05:19:17 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [14/Apr/2015:05:19:30 -0400] "GET /rss HTTP/1.1" 301 5 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [14/Apr/2015:05:19:30 -0400] "GET /rss/ HTTP/1.1" 200 14402 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [14/Apr/2015:05:31:40 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:41 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:41 -0400] "GET /wp-content HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:42 -0400] "GET /b758acc8bf04e8869eadc559c1de6ab4.html HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET /b758acc8bf04e8869eadc559c1de6ab4.html/ HTTP/1.1" 404 1294 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:43 -0400] "GET /xmlrpc.php HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:44 -0400] "GET /xmlrpc.php/ HTTP/1.1" 404 1273 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:44 -0400] "GET /wp-login.php HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:45 -0400] "GET /wp-login.php/ HTTP/1.1" 404 1275 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:05:31:45 -0400] "GET /wp-login.php/ HTTP/1.1" 404 1275 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
103.31.XXX.XXX - - [14/Apr/2015:11:53:43 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
103.31.XXX.XXX - - [14/Apr/2015:11:53:45 -0400] "GET /rss HTTP/1.1" 301 5 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
103.31.XXX.XXX - - [14/Apr/2015:11:53:45 -0400] "GET /rss/ HTTP/1.1" 200 14403 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
103.31.XXX.XXX - - [15/Apr/2015:00:47:18 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [15/Apr/2015:00:47:21 -0400] "GET /rss HTTP/1.1" 301 5 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [15/Apr/2015:00:47:22 -0400] "GET /rss/ HTTP/1.1" 200 14401 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [15/Apr/2015:00:55:17 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 304 0 "https://www.facebook.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
103.31.XXX.XXX - - [15/Apr/2015:00:55:24 -0400] "GET /rss/ HTTP/1.1" 200 14402 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"

This is hard to read here, so I also dropped these log files onto Pastebin here.

Let's try to piece together what happened, starting at the first line.

103.31.XXX.XXX - - [14/Apr/2015:05:19:17 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"  

What can we deduce from this first line?

Referrer

https://www.facebook.com/

We can see that the referrer field states that he was referred from facebook.com, which means one of his friends probably posted a link to my blog post on Facebook and he clicked it.

Time

14/Apr/2015:05:19:17 -0400

This may be useful if he successfully compromised my blog and we wanted to issue a warrant to Facebook or his ISP.

User-agent

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17

He's visiting my page from a Mac computer using Safari version 8.0.5 according to useragentstring.com.

Ok, what about line number 2?

103.31.XXX.XXX - - [14/Apr/2015:05:19:30 -0400] "GET /rss HTTP/1.1" 301 5 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"  

Apparently he thought my blog was pretty rad because 13 seconds into reading the article he subscribed via RSS. word.

Line number 3?

103.31.XXX.XXX - - [14/Apr/2015:05:19:30 -0400] "GET /rss/ HTTP/1.1" 200 14402 "http://morris.guru/huthos-the-totally-100-legit-vps-provider/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"  

The third line is his RSS feed reader immediately reaching out and grabbing my RSS feed from /rss.

Line number 4 is where it gets interesting.

103.31.XXX.XXX - - [14/Apr/2015:05:31:40 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"  

Approximately 12 minutes after adding my website to their RSS feed reader, they kick off a scan against my blog with WPScan. The scan runs for about 4 seconds, then either they hit CTRL+C, or the tool tells them they're an idiot and my blog isn't running WordPress.

Then, line #15...

103.31.XXX.XXX - - [14/Apr/2015:11:53:43 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"  

Approximately 6 hours later, they click the same link on Facebook and check out the blog again. Only this time, they click the link from a different web browser according to the user-agent (possibly on a different machine). Useragentstring.com reports that it's a Chrome browser running on Windows 7.

After that, I just see some periodic RSS queries.
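The walk-through above can be scripted. The following is an added example (my own code, not from the original post) that parses combined-format access log lines, flags WPScan's self-identifying user-agent and WordPress-only paths, and, per source IP, reports how long after its first ordinary visit the probing started, along with every user-agent and referer seen from that address. The sample log inside it is constructed, with RFC 5737 test addresses standing in for the real IP.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache/nginx "combined" log format, the layout of the entries quoted above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
SCANNER_MARKERS = ("WPScan",)  # WPScan announces itself in the user-agent unless told otherwise
# WordPress-only paths; hits on a site that does not run WordPress are a sign of blind scanning.
WP_PATHS = ("/wp-content", "/wp-login.php", "/xmlrpc.php", "/wp-admin")

# Constructed sample log (RFC 5737 test addresses) modelled on the entries quoted above.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2015:05:19:17 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17"
203.0.113.7 - - [14/Apr/2015:05:31:40 -0400] "GET / HTTP/1.1" 200 3509 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
203.0.113.7 - - [14/Apr/2015:05:31:44 -0400] "GET /wp-login.php HTTP/1.1" 301 5 "http://morris.guru/" "WPScan v2.7 (http://wpscan.org)"
203.0.113.7 - - [14/Apr/2015:11:53:43 -0400] "GET /huthos-the-totally-100-legit-vps-provider/ HTTP/1.1" 200 6087 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
198.51.100.9 - - [14/Apr/2015:06:00:00 -0400] "GET /rss/ HTTP/1.1" 200 14402 "-" "ExampleFeedReader/1.0"
"""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not combined format (or a malformed request line); skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_scanner(rec):
    return any(mk in rec["ua"] for mk in SCANNER_MARKERS) or rec["path"].startswith(WP_PATHS)

def triage(lines):
    """Per probing IP: seconds from its first ordinary visit to its first probe, what it probed, and every UA/referer seen."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        scans = [r for r in recs if is_scanner(r)]
        if not scans:
            continue  # ordinary reader, nothing to report
        before = [r for r in recs if not is_scanner(r) and r["ts"] < scans[0]["ts"]]
        report[ip] = {
            "seconds_from_first_visit_to_scan": (scans[0]["ts"] - before[0]["ts"]).total_seconds() if before else None,
            "scan_requests": len(scans),
            "probed_paths": sorted({r["path"] for r in scans}),
            "user_agents": sorted({r["ua"] for r in recs}),
            "referers": sorted({r["referer"] for r in recs if r["referer"] != "-"}),
        }
    return report
```

Running `triage(SAMPLE_LOG.splitlines())` reports only the probing address, with a 743-second gap between the Facebook-referred visit and the first WPScan request and three distinct user-agents, which is the same picture assembled by hand above.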

Attribution

Assuming the person in question was not browsing through a proxy (which is entirely possible), a geo IP lookup tells me they are located in Sydney, Australia.

~ >> geo 103.31.XXX.XXX
[+] IP Address: 103.31.XXX.XXX        Country: Australia      Region: 02      City: Sydney        Coordinates: -33.86150,151.20550

...but I'd venture to say that if you're smart enough to use a proxy, you would be smart enough to read the footer of my blog that says it runs Ghost.

I can also run a quick whois to find the name and abuse contact of their Internet service provider.

Investigative Takeaways

  • I have a nice timeline of events
  • I know what vulnerabilities the adversary is looking for
  • If I identify a compromise in the future, I have some leads on who and where it may have originated from
  • If WPScan had found a vulnerability and I saw that same vulnerability exploited on the first try from another IP address, I could likely deduce that the two IPs are the same person
  • I may not know who you are, but I know that Facebook does, and the second you break the law I'll have a warrant.

Defensive Takeaways

  • Ensure you have logging enabled
  • Monitor and regularly audit your logs
  • Ensure your software and software plugins are up-to-date
  • Use strong passwords that are not reused anywhere else

Offensive Takeaways

  • Don't conduct offensive operations from the same network that you do your regular web browsing from.
  • Conduct attacks through a proxy
  • Randomize or modify easily-identifiable attribution points such as user-agents on automated scanners

The days are long past where "defense" means "batten down the hatches, sit back, and wait for an attacker to hit us so we can do something about it."

I sincerely hope you've learned something reading this blog post. If you have any questions, feedback, or corrections, don't hesitate to reach out via email or Twitter.

Be well,
--Andrew

"Reptiles show no mercy. You either dominate them or they dominate you."