Understanding a Basic Web Attack Using Log Data

A colleague of mine recently asked me to take a look at some logs he was investigating. The LogRhythm Web Application Defense Module had initially keyed him into the suspicious behavior and he was now examining the raw logs to better understand the extent of the attack.

The behavior that triggered the alert was pretty basic; a quick series of 404 errors generated by the same origin IP address against different URLs. As anyone that spends much time looking at web logs will tell you, it is not uncommon to see this behavior and the important part is to gauge whether or not the attack was successful. More on that in a second.

Often times when I’ve seen this behavior it’s one of two things: either a crawler of some sort that has cached an old directory structure for the website or a malicious bot/script/scanner. In this case it was the latter.

So what makes this case any more important? Good question! There were two things in the logs that stood out. First, the script/bot had parsed the domain name of the website and was using that to request specific file names. While this is not unheard of by any means it did catch my eye and warrant further investigation.

Next, instead of looking for login pages or vulnerable web application files/components the bot was looking backup files.

This is not a complicated attack. However, if successful, it could prove to be quite disastrous to someone that was storing their backups in a publicly accessible directory.

With that being said, it should be easy enough to see in the log data if any of the bots requests were successful. In addition to that, keep in mind that The LogRhythm Web Application Defense Module will use it’s Smart Response functionality to add the attacking IP to a list of known attackers.

From there you  can quickly run an investigation or report to see if those IPs have shown up anywhere else in your log data.