{"id":5018,"date":"2024-02-29T22:57:57","date_gmt":"2024-02-29T22:57:57","guid":{"rendered":"https:\/\/osintme.com\/?p=5018"},"modified":"2024-03-01T23:04:05","modified_gmt":"2024-03-01T23:04:05","slug":"examples-of-recent-attacks-against-my-website","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2024\/02\/29\/examples-of-recent-attacks-against-my-website\/","title":{"rendered":"Examples of recent attacks against my website"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"osint\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\u201cThe Wordfence Web Application Firewall has blocked 467 attacks over the last 10 minutes. Wordfence is blocking these attacks, and we\u2019re sending this notice to make you aware that there is a higher volume of attacks than usual.\u201d<\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

If it’s your first time to have received an email like this, it can cause your heart to skip a beat or two. But you shouldn’t really worry and honestly, there isn’t much you can do anyway. This message is proof that Wordfence, your friendly WAF for your WordPress blog, is working as intended.<\/p>

This blog post will focus on some of the most common types of attacks I have recently observed against my website, followed by mitigation suggestions and a summary of points on how to make your own website most resilient to these and other attacks.<\/p>

Suggestions and tips are welcome, as always. Let’s go.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Connections from bad reputation IP addresses<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

One of the most basic, most commonly encountered and easiest to detect types of malicious activities are the incoming connections to your website or web application from IP addresses with bad reputation.<\/p>

This kind of activity is largely automated and executed by crawlers and scanners that search for vulnerabilities, misconfiguration and other weak points that can be exploited.<\/p>

MITIGATION:<\/strong> Employing spam filters, blocklists or geo-blocking techniques to disallow connections from known bad IP addresses and high risk countries. Also using some of the dedicated plugins for WordPress.
<\/em><\/p>

More often than not, connections from bad reputation IP addresses are linked to spam campaigns, which brings us to the next item on this list.<\/p>

Example: https:\/\/www.talosintelligence.com\/reputation_center\/lookup?search=41.98.208.139<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Spam<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Spam is as old as email, but the spam hitting websites and web apps is a bit different to what you would expect to see in your inbox.<\/p>

The most common spamming methods include attempts to bulk-post comments under blog posts and articles. These comments will usually include URLs of suspicious websites – anything from advertising drop-shipped products to financial scams and suspicious substances vendors.<\/p>

Note that the more malicious spam campaigns will proliferate URLs that lead to risky websites, where malware drive-by download could be a real possibility.<\/p>

You might also see spam sign ups to your newsletter, which can result in multiple fake email addresses appearing in the subscription list, resulting in a slower distribution of your newsletter.<\/p>

MITIGATION:<\/strong> Same as above + regular manual reviews of the approved comments to catch and delete those that somehow managed to bypass the automated filters.
<\/em><\/p>

\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"osint\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Rogue login attempts<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This malicious activity can come in several different flavours – from attempts to log in as a user to admin account brute forcing. Often a simple user account takeover attempt is an action against that particular user, not the entire platform – but if the attackers can gain admin access, they can do much more damage that way.<\/p>

Attackers often try inputting generic credentials – I see these attempts nearly every week (login: admin; password: admin, etc.). More sophisticated actors might delve into data breach records to find your old email addresses and dig up your old password if they were in a breach. They will then try to feed those credentials into the login panel, in the hope that you were lazy and decided to reuse some of the passwords.<\/p>

MITIGATION:<\/strong> Do not use default credentials! Use unique, alphanumeric passwords too. If you have test or service accounts, make sure you disable them if they are not in use. Unused and old \/ dormant accounts should be deleted as well. To protect against brute force attacks, use plugins that limit login attempts or other similar solutions. Finally, enable multi factor authentication on all accounts.
<\/em><\/p>

\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Connections from parties with a malicious user agent<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This is a threat that can be closely related to any and all of the above mentioned ones.<\/p>

The detection is based on identifying HTTP requests involving user agent headers with client information. These by default reveal the web browser type & version, the operating system, platform, etc.<\/p>

When malicious activity such as brute force attacks or malware proliferation takes place, user agents commonly associated with this activity can be blacklisted and any future similar connections dropped.<\/p>

Certain types of malware for example often use a particular HTTP user agent for communicating with the C2 servers. Check out the Github repository below for a large list of examples:<\/p>

https:\/\/github.com\/mthcht\/awesome-lists\/blob\/main\/Lists\/suspicious_http_user_agents_list.csv<\/a><\/p>

MITIGATION:<\/strong> Enable a WAF or a similar type of a connection filtering system. To bolster that setup, you can import a list of malicious user agents like the one above and customise the filtering rules accordingly.
<\/em><\/p>

\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Malicious file uploads<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Every blog or personal website offers the feature of uploading files – but naturally, the idea is that the upload function is exclusively for users and admins with the correct permissions.<\/p>

Rogue actors attempt to upload files without permissions, hoping that the website’s or web app’s server is misconfigured and that it allows code execution. Instead of uploading images or videos like a regular user would, the attackers will try to upload executable code, like PHP scripts or JSP files.<\/p>

MITIGATION:<\/strong> Anti-malware solutions can be used to scan any uploaded files. Beyond that, robust server configuration, patching and updates are always recommended.
<\/em><\/p>

\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"osint\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Unauthenticated file downloads<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This attack is made possible by the vulnerability described in CVE-2019-19985<\/a> – basically, some really old versions of the Email Subscribers & Newsletters plugin for WordPress are vulnerable to unauthenticated file downloads, resulting in data breaches and unauthorised disclosure.<\/p>

I do my best to patch and update everything I can on the day of the patch release. I doubt these attacks were targeted ones, since I would not have software with a 5 year old vulnerability just sitting there, ripe for the hacking. But I’m sure there are still websites out there that do…<\/p>

MITIGATION:<\/strong> Patch, patch and patch again. Also, be sure to uninstall any unused or redundant plugins, if you don’t need their functionalities on the website.
<\/em><\/p>

\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Cross-site scripting (XSS)<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This is a very well known attack – cross-site scripting is a type of a code injection attack. The attacker basically injects script code into the web pages in a way that might involve an element of social engineering – for instance, using a malicious link sent via email.<\/p>

The malicious script will be injected into user-provided input. This attack can also be carried out by modifying requests. The consequences of XSS can include malicious redirection, capturing user credentials (as they are being typed on a malicious clone website, for example) or the execution of various browser based exploits.<\/p>

It’s worth noting that XSS can occur in one of the three variants:<\/p>

Stored XSS<\/strong> – the malicious payload ends up getting stored in a database, comment field or anywhere where user input is accepted. It can affect subsequent user interactions.<\/p>

Reflected XSS<\/strong> – it occurs when user input is being returned to the user, like in the instance of a webform where a user submits their name and then sees a new page that reads: \u201cHello, name<\/em>\u201d. The difference is that instead of the “name” value the user receives the malicious script and could end up getting redirected to a malicious website.<\/p>

DOM-based XSS<\/strong> – the malicious script is injected into a response. It involves manipulating the document object model (DOM) data to craft a malicious URL. Worth noting that the DOM-based XSS attack happens on the client browser.<\/p>

Examples of XSS code recently used to attack my blog:<\/p>

1'\"()&%<zzz><script>alert(document.domain)<\/script><\/pre>
<\/script><script>alert(document.domain)<\/script><\/pre>
url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E<\/pre>
MITIGATION:<\/strong> There are a number of techniques that can be used to stop the XSS attacks, with the main one being input sanitisation & validation – which basically means disallowing some special characters such as brackets to disable script execution. Read more about XSS prevention in this OWASP Cross Site Scripting Prevention Cheat Sheet<\/a>.
<\/em><\/p>
\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
Directory traversal<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
Another attack method that targets vulnerabilities arising from misconfiguration. Directory traversal can be effective when web servers allow the inclusion of operators that navigate directory paths. Moreover, file system access controls don\u2019t restrict access to files stored on the server.<\/p>
The idea here is to exploit the directory structure in the search of a file that contains hashed user passwords, outside of the areas of the filesystem that are reserved for the web server.<\/p>
Example attack:<\/p>
rev = a\/..\/..\/..\/..\/html\/pix\/f\/<input><img src=x onerror=alert(document.domain)>.png

_variables = {\"_metadata\":{\"classname\":\"i\/..\/lib\/password.properties\"},\"_variables\":[]}<\/pre>
MITIGATION:<\/strong> Regular patching is a solid defense mechanism. User input validation also works.
<\/em><\/p>
\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
SQL injection<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
Another well known type of an attack, this time directed against databases. It can target both the confidentiality and the integrity of the database – SQL injections typically result in data breaches or unauthorised records alterations.<\/p>
Various SQL commands can be injected into the fields that accept user input. This results in the execution of predefined SQL commands and subsequent exploitation.<\/p>
Example:<\/p>
cat_list = (SELECT(0)FROM(SELECT(SLEEP(6)))a)<\/pre>
MITIGATION:<\/strong> Check out this OWASP SQL Injection Prevention Cheat Sheet<\/a> for a comprehensive guide.
<\/em><\/p>
\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
SUMMARY<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
So here’s what I do to keep my own site as safe and secure as I can:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
  1. ABP – Always Be Patching<\/strong> – regular application of patches, updates and security fixes is mandatory for the online wellbeing of any website or web application. Make sure to set up email alerts and notifications for whenever a new patch becomes available. Don’t put it off, do it now.<\/li>
  2. WAF – Web Application Firewall<\/strong> – you can install Wordfence for free on any WordPress site, so there is really no excuse not to. With a small amount of tuning it takes care of over 90% of the problems for you in an automated way.<\/li>
  3. 2FA – two factor authentication<\/strong> – ideally a hardware token or a mobile OTP app. Mandatory layer of defence in the event of unauthorised disclosure of your login credentials.<\/li>
  4. Credentials hygiene<\/strong> – strong, unique password (not reused!), stored encrypted in a password manager.<\/li>
  5. Hardening<\/strong> – this means removing all unused themes, plugins, accounts, forms and pages. The ultimate goal is to reduce the potential attack surface.<\/li>
  6. Monitoring<\/strong> – regardless of the good setup, you still have to keep an eye on everything and dabble in the security settings from time to time.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
    Taking a look at some recent attacks against the Osintme.com blog & exploring the ways to mitigate and defend against them.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[18],"tags":[33,139,15,79],"class_list":["post-5018","post","type-post","status-publish","format-standard","hentry","category-digital-privacy-security","tag-osint-me-setup","tag-plugins","tag-security","tag-website"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=5018"}],"version-history":[{"count":55,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5018\/revisions"}],"predecessor-version":[{"id":5078,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5018\/revisions\/5078"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=5018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=5018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=5018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}