Analyzing a log for security breach

Engager

I am analyzing a log and can see over 600 attempts from one IP address where it's resulting in a 404 Not Found error in a 2 hour period. All other failed HTTP codes come from different IP addresses but are very low in count in comparison, which led me to believe this offending IP address is spamming our server. Are there any other checks I could do?

(This is just for educational purposes and not a real log.)

Ultra Champion

If your logs provide that info, you could look at what URL is being requested. Is it the same URL over and over, or is it trying various URLs (perhaps with weird characters, or using ../.. to try and gain access to directories outside the webserver files)?

Also investigate the IP address. Is it something internal (and if so: what environment does it belong to, who is the owner)? If it is external, you could check against threat intelligence sources to see if it is a known malicious host.

600 over 2 hours is not an incredibly alarming rate (not enough to bring a server down), but it could indicate some kind of vulnerability scanning / probing activity. But it could just as well be some internal script that is trying to connect to a web page that doesn't exist anymore.
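The checks suggested in the reply above (same URL or many, traversal sequences, internal or external source), as an added example that is not part of the original posts. It assumes an Apache/nginx common log format; the log lines, addresses and the `INTERNAL_NETS` list are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: ranges this site treats as internal (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines using documentation addresses, not a real log.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2024:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 153
203.0.113.45 - - [10/Mar/2024:10:00:02 +0000] "GET /..%2f..%2fetc/passwd HTTP/1.1" 404 153
203.0.113.45 - - [10/Mar/2024:10:00:03 +0000] "GET /cgi-bin/../../bin/sh HTTP/1.1" 404 153
203.0.113.45 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153
10.1.2.3 - - [10/Mar/2024:10:00:05 +0000] "GET /old/status.html HTTP/1.1" 404 153
10.1.2.3 - - [10/Mar/2024:10:01:05 +0000] "GET /old/status.html HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2024:10:02:09 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

def is_internal(ip):
    """True/False for a parseable address, None if the field is a hostname."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETS)

def summarize_404s(log_text):
    """Per source IP: 404 count, distinct URLs, traversal attempts, internal flag."""
    stats = defaultdict(lambda: {"count": 0, "urls": set(), "traversal": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "404":
            continue
        entry = stats[m.group(1)]
        entry["count"] += 1
        entry["urls"].add(m.group(3))
        # Decode one layer of percent-encoding so ..%2f is caught like ../
        if "../" in unquote(m.group(3)).replace("\\", "/"):
            entry["traversal"] += 1
    return {ip: {"count": e["count"], "distinct_urls": len(e["urls"]),
                 "traversal": e["traversal"], "internal": is_internal(ip)}
            for ip, e in stats.items()}

if __name__ == "__main__":
    for ip, row in sorted(summarize_404s(SAMPLE_LOG).items()):
        print(ip, row)
```

Many distinct URLs with traversal hits from an external address points toward probing, while one repeated URL from an internal address looks more like a stale script or link.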

Engager

It's doing as you expected, I believe, and trying lots of different characters and strings. I found another example where it's 1500 attempts in 5 mins, so that seems malicious.

I have tried the ThreatMiner site for the IP but there doesn't seem to be a case for it. As part of my learning activity it advises the webserver was hit by spam and then a DDoS attack, so I kind of presumed it would have been a spam hit to try and get users to install some malware which was then performing the DDoS attack. I'm not sure if I can find out if the IP address is internal; I had presumed it was external.

Appreciate your reply Frank.

0 Karma