Strange HTAccess Problem

  #1  
Old 03-02-2001, 07:18 PM
Lawrence Lawrence is offline
Closed
 
Join Date: Oct 2000
Location: Australia
Posts: 538
The other day I was browsing through our WebTrends report for the last week (not WebTrends Live, just the one that looks at your logs). Then I get to the authenticated users section. We use HTAccess to allocate licence numbers to download our software. I see this:

User: aborir
Hits: 99
User Sessions: 1

Firstly, there's no user "aborir" who's in our htaccess or htpasswd file for downloads. Secondly, "aborir" looks like a misspelling of our business name "aborior". And thirdly, 99 seems like quite a convenient number.

So I'm really confused about the whole thing. I checked our raw log files, and it looks like "aborir" has managed to get in, but not download the software (like they've managed to get to the CGI script that manages file downloads, but haven't been able to download the actual software, perhaps even if you're denied access the logs will say you've accessed the particular file you were looking for). Only it's happened 99 times!

Does anyone have any idea what could be going on?



  #2  
Old 03-02-2001, 10:03 PM
Si-WHN Si-WHN is offline
Junior Guru Wannabe
 
Join Date: Mar 2001
Posts: 31
Are you running cgi-wrap or some sort of cgiwrapper that requires the script is run under the default userid and groupid?

This might perhaps explain it... if your cgi script is running under a user called aborir that may show up in your stats.

hope this helps.

regards,

Simon

__________________
Simon Weller
Web Hosting Network
http://www.www-hosting.net
The home of WHNBilling

  #3  
Old 03-02-2001, 10:40 PM
Lawrence Lawrence is offline
Closed
 
Join Date: Oct 2000
Location: Australia
Posts: 538
That would make some sense, but unfortunately it's not running under a CGI wrapper. And even if it was, "aborir" is not our username, although it is close.

The similarity between the usernames makes me think someone was trying to guess a username and password or something. But 99 hits?

  #4  
Old 03-03-2001, 05:11 PM
Si-WHN Si-WHN is offline
Junior Guru Wannabe
 
Join Date: Mar 2001
Posts: 31
hehe...yep 99 hits does sound rather too strange doesn't it ;-)

Not too sure on this front. Keep an eye on it and see what your stats generate next month.

regards,

Simon

__________________
Simon Weller
Web Hosting Network
http://www.www-hosting.net
The home of WHNBilling

  #5  
Old 03-05-2001, 05:07 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
If you can, post the relevant logs (part of them) and maybe some of us can get a better idea of the error and problem at hand. Check the error and access logs. Are you saying that you believe that they managed to download the actual CGI script that commences the downloads of the software you are protecting from unauthorized downloads (Did I understand you correctly)? If so, what gives you that indication? What makes you think they got in?

This could have been a brute force password attack on your authentication, which isn't a big deal really, unless they managed to get in and grab something you are concerned about them having... which it sounds like that is your current concern.

  #6  
Old 03-05-2001, 06:48 AM
Lawrence Lawrence is offline
Closed
 
Join Date: Oct 2000
Location: Australia
Posts: 538
Well here's an example of one of the lines out of the log:

207.227.82.69 - aborir [24/Feb/2001:13:35:10 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"

Looking at that, I understand what's going on, it's just weird. I originally thought it may have been a brute force password attack, and now I'm pretty much convinced. But that has a 401 error, so they mustn't have gotten in.

All the evidence points to a brute force attack:

1. "aborir" misspelling of "aborior" which would be an obvious choice for an attempted username.
2. 99 attempts seems a convenient number for some sort of program doing the password attempts.

It's all okay... the only thing that confuses me is why would WebTrends report the user as being authenticated? I searched through the log for a similar line with 200 instead of 401 (200 is a successful hit isn't it?) and couldn't find one. Must be a bug or something I guess.

  #7  
Old 03-05-2001, 07:19 AM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Webtrends screwed up.

The username entry from the logs is clearly marked in the apache docs as being invalid whenever the status code is 401.

  #8  
Old 03-05-2001, 01:09 PM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by Lawrence
Well here's an example of one of the lines out of the log:

207.227.82.69 - aborir [24/Feb/2001:13:35:10 +1100] "GET /products/encore/software/downloads/payfiles/_download.cgi?file=encore1-23b.zip HTTP/1.1" 401 650 "http://www.aborior.com/products/encore/software/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"

Looking at that, I understand what's going on, it's just weird. I originally thought it may have been a brute force password attack, and now I'm pretty much convinced. But that has a 401 error, so they mustn't have gotten in.

All the evidence points to a brute force attack:

1. "aborir" misspelling of "aborior" which would be an obvious choice for an attempted username.
2. 99 attempts seems a convenient number for some sort of program doing the password attempts.

It's all okay... the only thing that confuses me is why would WebTrends report the user as being authenticated? I searched through the log for a similar line with 200 instead of 401 (200 is a successful hit isn't it?) and couldn't find one. Must be a bug or something I guess.
401 is the error page for failed authentication, yes. So if you saw nothing other than 401, that user likely didn't gain access. I'd check what that IP resolves to and see if it's a large server or a small one. If it's a small one that's not likely to have any legitimate users that will be accessing your site, deny access to that IP block. Also, check that IP in the access and error logs, not just the user, and see if they have logged in as another user before.
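The two points made in posts #7 and #8 (the %u field of an Apache log line is documented as possibly bogus when the status is 401, and a suspicious source should be examined by IP and not just by username) can be turned into a small log check. The following is an added example, not code from the thread or from WebTrends; the log lines are constructed (RFC 5737 test addresses and made-up names, shaped like the line in post #6), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The first three lines mimic the
# thread's case: a download manager retrying with a wrong username and getting 401 each
# time. The last two show a real user who is refused once and then authenticates.
SAMPLE_LOG = """\
192.0.2.10 - aborir [24/Feb/2001:13:35:10 +1100] "GET /downloads/_download.cgi?file=x.zip HTTP/1.1" 401 650 "http://www.example.com/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
192.0.2.10 - aborir [24/Feb/2001:13:35:11 +1100] "GET /downloads/_download.cgi?file=x.zip HTTP/1.1" 401 650 "http://www.example.com/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
192.0.2.10 - aborir [24/Feb/2001:13:35:12 +1100] "GET /downloads/_download.cgi?file=x.zip HTTP/1.1" 401 650 "http://www.example.com/download.shtml" "Go!Zilla 3.5 (www.gozilla.com)"
198.51.100.7 - - [24/Feb/2001:14:00:58 +1100] "GET /downloads/_download.cgi?file=x.zip HTTP/1.1" 401 650 "-" "Mozilla/4.0"
198.51.100.7 - cust42 [24/Feb/2001:14:01:00 +1100] "GET /downloads/_download.cgi?file=x.zip HTTP/1.1" 200 1048576 "-" "Mozilla/4.0"
"""

# One regex for the combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse every well-formed line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def naive_hits(records):
    """The mistake the thread describes: trust %u on every line, so a username that
    was only ever *tried* (and rejected with 401) is reported as an authenticated user."""
    counts = Counter()
    for r in records:
        if r["user"] != "-":
            counts[r["user"]] += 1
    return counts


def authenticated_hits(records):
    """Count hits per user only when the server did not answer 401. Apache's
    mod_log_config docs note that %u may be bogus when the status is 401."""
    counts = Counter()
    for r in records:
        if r["user"] != "-" and r["status"] != 401:
            counts[r["user"]] += 1
    return counts


def failed_auth_by_source(records):
    """Group 401s by (client IP, claimed user, user agent). A retrying download
    manager or a guessing script then shows up as one source with many hits,
    which is the view post #8 recommends (look at the IP, not just the user)."""
    counts = Counter()
    for r in records:
        if r["status"] == 401:
            counts[(r["ip"], r["user"], r["agent"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("naive (WebTrends-style):", dict(naive_hits(recs)))
    print("authenticated only:     ", dict(authenticated_hits(recs)))
    for (ip, user, agent), n in failed_auth_by_source(recs).most_common():
        print(f"{n:3d} x 401 from {ip} as {user!r} via {agent!r}")
```

Run against the constructed sample, the naive count reports "aborir" with 3 hits while the status-aware count omits it entirely and credits only "cust42", which is exactly the discrepancy Lawrence saw between WebTrends and the raw log. The grouped 401 view makes the Go!Zilla retry pattern from a single IP obvious without resolving the address.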

  #9  
Old 03-05-2001, 01:31 PM
_G_ _G_ is offline
Junior Guru Wannabe
 
Join Date: Feb 2001
Posts: 85
This just looks like someone is using Go!Zilla as their download manager and it by default tries 99 times to download a file (used it in the past). GoZilla probably popped up with a box asking the user for a password/user name and someone just mistyped your name in. GoZilla takes over all links that look like a downloadable file rather than something the browser shows. It also takes over loads it shouldn't!

GoZilla installs loads of extra advert stuff as well though so watch out. grc.com's OptOut lists the stuff GoZilla installs as spyware!

  #10  
Old 03-06-2001, 12:58 AM
Lawrence Lawrence is offline
Closed
 
Join Date: Oct 2000
Location: Australia
Posts: 538
Thanks for the insight _G_, sounds like that's the most likely case!
