Analyzing 3 months of attacks

Posted by Miguel Lopes on Sun, Jun 19, 2016
In Monitoring,

On march I moved my server and I had little time to do it I was handling 3 projects and all of them with a very tight schedule. On that transition I forgot to update the logrotate configuration. My http logs are on a directory that differs from the standard so they were left out of the rotation. A couple of days ago I went to check my logs and found an access log wich was about 62MB.

My access logs are in JSON to able to import them into some monitoring tools more easily and to have more fields available. So I decided to analyze them and create a baseline of expected attacks for future reference.

Within the 3 months of records there was a significate change on this website it changed from being static generated from wordpress to hugo. So in the first month and a half of the period there were tags inside of the files that identified it as a wordpress site. This detail proved to be significant because upon focusing on the wordpress oriented attacks I noticed that some of them depended on the tags that were announcing a wordpress engine. The response to the bruteforce attacks were always 404’s but only after changing the site to hugo the attacks halted.

After carefully removing the good bots and regular users (a big chunk of them at least) with about 50 filters I was able to examine the attacks. They were mostly not targeted attacks except for 4 which didn’t seem to be so “blind” as the rest.

I started with ~100k lines of JSON and ended up with ~6k of nocive traffic from attackers and spammers the biggest attacks seemed to be originated from Russia, Ukraine, USA, China and Morroco.

I intend to publish more posts on my findings but here is the first impression :)

comments powered by Disqus