
View Full Version : Strange HTAccess Problem
Lawrence 03-02-2001, 07:18 PM The other day I was browsing through our WebTrends report for the last week (not WebTrends Live, just the one that looks at your logs). Then I get to the authenticated users section. We use HTAccess to allocate licence numbers to download our software. I see this:
User: aborir
Hits: 99
User Sessions: 1
Firstly, there's no user "aborir" who's in our htaccess or htpasswd file for downloads. Secondly, "aborir" looks like a misspelling of our business name "aborior". And thirdly, 99 seems like quite a convenient number.
So I'm really confused about the whole thing. I checked our raw log files, and it looks like "aborir" has managed to get in, but not download the software (like they've managed to get to the CGI script that manages file downloads, but haven't been able to download the actual software, perhaps even if you're denied access the logs will say you've accessed the particular file you were looking for). Only it's happened 99 times!
Does anyone have any idea what could be going on?
Si-WHN 03-02-2001, 10:03 PM Are you running cgi-wrap or some sort of cgiwrapper that requires that the script is run under the default userid and groupid?
This might perhaps explain it... if your cgi script is running under a user called aborir that may show up in your stats.
hope this helps.
regards,
Simon
Lawrence 03-02-2001, 10:40 PM That would make some sense, but unfortunately it's not running under a CGI wrapper. And even if it was, "aborir" is not our username, although it is close.
The similarity between the usernames makes me think someone was trying to guess a username and password or something. But 99 hits?
Si-WHN 03-03-2001, 05:11 PM hehe...yep 99 hits does sound rather too strange doesn't it ;-)
Not too sure on this front. Keep an eye on it and see what your stats generate next month.
regards,
Simon
Tim Greer 03-05-2001, 05:07 AM If you can, post the relevant logs (part of them) and maybe some of us can get a better idea of the error and problem at hand. Check the error and access logs. Are you saying that you believe they managed to download the actual CGI script that commences the downloads of the software you are protecting from unauthorized downloads (did I understand you correctly)? If so, what gives you that indication? What makes you think they got in?
This could have been a brute force password attack on your authentication, which isn't a big deal really, unless they managed to get in and grab something you are concerned about them having... which it sounds like that is your current concern.
Lawrence 03-05-2001, 06:48 AM Well here's an example of one of the lines out of the log:
207.227.82.69 - aborir [24/Feb/2001:13:35:10 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
Looking at that, I understand what's going on, it's just weird. I originally thought it may have been a brute force password attack, and now I'm pretty much convinced. But that has a 401 error, so they mustn't have gotten in.
All the evidence points to a brute force attack:
1. "aborir" misspelling of "aborior" which would be an obvious choice for an attempted username.
2. 99 attempts seems a convenient number for some sort of program doing the password attempts.
It's all okay... the only thing that confuses me is why would WebTrends report the user as being authenticated? I searched through the log for a similar line with 200 instead of 401 (200 is a successful hit isn't it?) and couldn't find one. Must be a bug or something I guess.
cperciva 03-05-2001, 07:19 AM Webtrends screwed up.
The username entry from the logs is clearly marked in the apache docs as being invalid whenever the status code is 401.
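The two points made above (a run of 401s against one username from one address, and the authuser field of a combined-format log line only meaning something when the status is not 401) are easy to check directly against the access log. The following is an added example, not code from anyone in this thread: it parses Apache combined-format lines with a regular expression, counts authenticated users the way a report should (ignoring the username on 401 responses), and flags host/user pairs with repeated authentication failures. The sample log is constructed for the example: the first line is the one quoted above, the others are made up for contrast; the threshold of 3 is an assumption, not anything the thread states.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the line quoted in the thread, repeated to mimic the retry
# pattern, plus two made-up lines (one real login, one anonymous page view).
SAMPLE_LOG = """\
207.227.82.69 - aborir [24/Feb/2001:13:35:10 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
207.227.82.69 - aborir [24/Feb/2001:13:35:12 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
207.227.82.69 - aborir [24/Feb/2001:13:35:14 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
10.0.0.5 - customer42 [24/Feb/2001:14:02:03 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 200 1048576 "http://www.aborior.com/products/encore/software/download.shtml" "Mozilla/4.0"
10.0.0.9 - - [24/Feb/2001:14:05:44 +1100] "GET /products/encore/software/download.shtml HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict of the combined-format fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def authenticated_users(records):
    """Hits per user that actually passed authentication.

    The authuser field is only trustworthy when the server did not answer 401:
    on a 401 it is just whatever name the client offered, so it is ignored here.
    """
    counts = Counter()
    for r in records:
        if r["user"] != "-" and r["status"] != 401:
            counts[r["user"]] += 1
    return counts


def repeated_auth_failures(records, threshold=3):
    """(host, user) pairs with at least `threshold` 401 responses.

    Password guessing and a download manager retrying a bad credential both
    produce this pattern; the count and timing tell them apart, not the status.
    """
    fails = Counter()
    for r in records:
        if r["status"] == 401:
            fails[(r["host"], r["user"])] += 1
    return {k: v for k, v in fails.items() if v >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("authenticated users:", dict(authenticated_users(recs)))
    print("repeated 401s:", repeated_auth_failures(recs))
```

Run against a real access_log the report would show "aborir" with no authenticated hits at all, and the 99 retries would surface in the failures list where they belong.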
Tim Greer 03-05-2001, 01:09 PM Originally posted by Lawrence
Well here's an example of one of the lines out of the log:
207.227.82.69 - aborir [24/Feb/2001:13:35:10 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
Looking at that, I understand what's going on, it's just weird. I originally thought it may have been a brute force password attack, and now I'm pretty much convinced. But that has a 401 error, so they mustn't have gotten in.
All the evidence points to a brute force attack:
1. "aborir" misspelling of "aborior" which would be an obvious choice for an attempted username.
2. 99 attempts seems a convenient number for some sort of program doing the password attempts.
It's all okay... the only thing that confuses me is why would WebTrends report the user as being authenticated? I searched through the log for a similar line with 200 instead of 401 (200 is a successful hit isn't it?) and couldn't find one. Must be a bug or something I guess.
401 is the error page for failed authentication, yes. So if you saw nothing other than 401, that user likely didn't gain access. I'd check what that IP resolves to and see if it's a large server or a small one. If it's a small one that's not likely to have any legitimate users that will be accessing your site, deny access to that IP block. Also, check that IP in the access and error logs, not just the user, and see if they have logged in as another user before.
This just looks like someone is using GoZilla as their download manager and it by default tries 99 times to download a file (used it in the past). GoZilla probably popped up with a box asking the user for a password/user name and someone just mistyped your name in. GoZilla takes over all links that look like a downloadable file rather than something the browser shows. It also takes over loads it shouldn't!
GoZilla installs loads of extra advert stuff as well though so watch out. grc.com's optout lists the stuff GoZilla installs as spyware!
Lawrence 03-06-2001, 12:58 AM Thanks for the insight _G_, sounds like that's the most likely case!