Friday, May 16, 2014, 01:39 AM - Tech and Security
Posted by Norbert
So just how effective are those "hacking tools" you can find on most sites that consider themselves underground? The answer is complicated, and applies to both hacking AND security.
The biggest factor is, of course, the user base. The sheer number of people running the same all-purpose scanners is what makes them almost useless. Scanning whole IP ranges will certainly net you a misconfigured router here and an unpatched web server there, but isn't the whole point of an attack that it is aimed at a specific target? What point do you make by defacing the website of a small flower shop and some kid in Norway's football site? They were wide open, but you still haven't broken into the system you wanted.
I run this website from a local server, and I can say with some authority that the internet is flooded with port scans and bulk exploit attempts every second of every day, so much so that if the internet were a radio signal, they would be the white noise in the background. Before I even had a placeholder page up during development, the log file was showing large blocks of spammy attempts to reach phpMyAdmin, the Apache configuration and a host of other generic "exploits" that haven't worked since around 2004, and each block of bad requests was branded with the name or catchphrase of the program running the scans.
Here are a few examples. Each is a standard combined-format log line: client IP, timestamp, request line, HTTP status, response size in bytes, referer and user agent. Note that each block is only three attempts long because my server bans an address after three bad requests in a short period; some of these attacks would otherwise continue for 10 lines or more.
184.108.40.206 - - [25/Jun/2014:21:31:38 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 588 "" "ZmEu"
220.127.116.11 - - [25/Jun/2014:21:31:38 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
18.104.22.168 - - [25/Jun/2014:21:31:39 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
This is clearly either scanning software named "ZmEu" or the name of the group that coded it. It first announces itself to the server (why?) and then proceeds to hit every known phpMyAdmin setup location, hoping to find the old setup.php script still in place. That script had a known remote code-injection bug (CVE-2009-1151), which is why the phpMyAdmin install instructions tell you to delete it once setup is done.
22.214.171.124 - - [28/Jun/2014:10:43:25 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 588 "" "Morfeus Fucking Scanner"
The scanner names itself in the user agent, and it's looking for a file called soapCaller.bs. This article explains the exploit, and it was written 6 YEARS ago.
126.96.36.199 - - [26/Jun/2014:17:22:23 -0400] "GET /phpTest/zologize/axa.php HTTP/1.1" 404 588 "" ""
188.8.131.52 - - [26/Jun/2014:17:22:24 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" ""
184.108.40.206 - - [26/Jun/2014:17:22:24 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 588 "" ""
I call this one the "Zologize" attack, after the path it opens with, and it's just another phpMyAdmin probe. Note the empty user agent on every line, which is itself a giveaway: real browsers always send one.
220.127.116.11 - - [26/Jun/2014:19:40:26 -0400] "GET /HNAP1/ HTTP/1.1" 404 588 "http://18.104.22.168/" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
This is probably the most common exploit attempt I've seen. It's looking for a known flaw in the HNAP (Home Network Administration Protocol) management interface of D-Link routers, described here, and it was patched at least 4 years ago. Note the spoofed user agent: a 2014 scanner claiming to be Internet Explorer 4.01 on a PowerPC Mac.
I've got a 600k log file just from today, full of hundreds of script-clickers hitting my server as part of much larger IP-range sweeps for vulnerabilities. Because there are so many of them, any exploit they attempt gets patched quickly: people like me notice them right away, since they clog up the logs with errors. Continued probes make admins more paranoid still, we institute flood controls, and that, my friends, is the real problem. The situation is unavoidable with most scanning suites, since you have zero control over how they run, how quickly they send requests, and how many people before you have hit the same servers with the same script. Their overuse means that by the time you hear the name of a hacking tool, it's already too late to use it to any real effect.
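As an added example (not part of the original post), here is a small Python script that does what the log excerpts and the ban rule above describe: it parses combined-format log lines, tags requests that match the scanner signatures seen above (the ZmEu and Morfeus user agents, the w00tw00t path, phpMyAdmin setup.php probes and HNAP1 probes), and bans any address that produces three 4xx responses within a short window. The sample log lines, the addresses (RFC 5737 documentation ranges) and the 60-second window are constructed for the example; the signature list is an assumption drawn only from the requests quoted above, not a complete catalogue.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed signature table built from the probes quoted in the post:
# (label, user-agent substring or None, path regex or None). Order matters:
# a user-agent match wins over a path match.
SIGNATURES = [
    ("ZmEu", "zmeu", None),
    ("Morfeus", "morfeus", None),
    ("w00tw00t", None, re.compile(r"^/w00tw00t\.")),
    ("phpMyAdmin setup probe", None,
     re.compile(r"^/(?:phpmyadmin|pma|myadmin|mysql)[^/]*/scripts/setup\.php$", re.I)),
    ("HNAP probe", None, re.compile(r"^/HNAP1/?$")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return the matching scanner label, 'unknown-bad' for any other 4xx/5xx, else None."""
    ua = entry["ua"].lower()
    for label, ua_sub, path_re in SIGNATURES:
        if ua_sub and ua_sub in ua:
            return label
        if path_re and path_re.search(entry["path"]):
            return label
    if entry["status"] >= 400:
        return "unknown-bad"
    return None


class FloodBanner:
    """Ban an IP after `threshold` error responses within a sliding `window_s` seconds."""

    def __init__(self, threshold=3, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)   # ip -> timestamps of recent bad requests
        self.banned = {}                 # ip -> time the ban was triggered

    def observe(self, entry):
        """Feed one parsed entry; return True if the IP is (now) banned."""
        ip = entry["ip"]
        if ip in self.banned:
            return True
        if entry["status"] < 400:
            return False
        window = self.hits[ip]
        window.append(entry["time"])
        # Drop hits that fell out of the window.
        while window and (entry["time"] - window[0]).total_seconds() > self.window_s:
            window.popleft()
        if len(window) >= self.threshold:
            self.banned[ip] = entry["time"]
            return True
        return False


def analyze(lines, threshold=3, window_s=60):
    """Return (label -> count, sorted list of banned IPs) for an iterable of log lines."""
    banner = FloodBanner(threshold, window_s)
    counts = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue          # not a combined-format line; skip rather than crash
        label = classify(entry)
        if label:
            counts[label] += 1
        banner.observe(entry)
    return dict(counts), sorted(banner.banned)


# Constructed sample log (documentation IP ranges), modelled on the probes above.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jun/2014:21:31:38 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 588 "" "ZmEu"',
    '198.51.100.7 - - [25/Jun/2014:21:31:38 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"',
    '198.51.100.7 - - [25/Jun/2014:21:31:39 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"',
    '198.51.100.7 - - [25/Jun/2014:21:31:40 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"',
    '203.0.113.9 - - [28/Jun/2014:10:43:25 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 588 "" "Morfeus Fucking Scanner"',
    '203.0.113.20 - - [26/Jun/2014:19:40:26 -0400] "GET /HNAP1/ HTTP/1.1" 404 588 "http://203.0.113.20/" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"',
    '192.0.2.44 - - [26/Jun/2014:09:00:00 -0400] "GET / HTTP/1.1" 200 1024 "" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Jun/2014:09:00:01 -0400] "GET /favicon.ico HTTP/1.1" 404 588 "" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Jun/2014:09:30:00 -0400] "GET /robots.txt HTTP/1.1" 404 588 "" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Jun/2014:10:00:00 -0400] "GET /missing HTTP/1.1" 404 588 "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, banned = analyze(SAMPLE_LOG)
    print(counts)
    print("banned:", banned)
```

The sliding window is what keeps an ordinary visitor with a few stray 404s spread over an hour (192.0.2.44 above) from being banned, while the scanner that fires three probes in two seconds is cut off on its third request. On a real server this logic belongs in something like fail2ban reading the access log, not in an ad hoc script, but the matching and counting it does are the same.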
This concept works against security as well, however. Apple has long touted its operating system as superior to Windows because it "doesn't get viruses", and for now it's simply not worth the effort to write a virus or worm for Macs. Most businesses, banks, governments and anything else worth breaking into, along with the majority of home computers, run some flavor of Windows; but as any security expert will tell you, as Apple's market share grows it WILL attract the attention of attackers, and there will be a serious lack of anti-virus technology to stop them once it begins.
Whatever operating system you use, though, if you're running any major anti-virus suite such as McAfee, Norton, AVG or Avast, you're not safe, because, once again, too many people use them. Much malware is written to disable or evade the most widely deployed scanners before it begins its real work. It's the user base of any piece of software that renders it useless in the long run, which means that to stay viable on the internet, for good or for evil, you sadly have to abandon things as they become popular. I call it "Security through Obscurity".