
Cyberattacks in General

1:53 am on Jul 17, 2018 (gmt 0)

Preferred Member from CA (joined: Feb 7, 2017; posts: 579; votes: 60)


I am wondering if the oft-reported cyberattacks on companies go through http ports, or whether they can go through any open server port. I guess I just don't know enough about cyberattacks. I am not talking about phishing email exploits, which go through the mail server.

I have been playing with various open source hacking software in which you can state a specific port to use for an attack, along with the IP of the server, the exploit and various other variable settings. For internet traffic on an Apache server these attacks would be captured in the raw access log and internet request headers. How are these attacks documented on other non-http server ports?

I do not wish to assist hackers, but just to understand how the attack would be documented on the server. This would be the first step in monitoring traffic in an effort to predict and prevent an attack.
2:55 am on July 17, 2018 (gmt 0)

keyplyr, Senior Member from US (joined: Sept 26, 2001; posts: 12913; votes: 893)


To have any specific discussion, I think we need a more explicit term than "cyberattacks."

There are various attacks in cyberland:

• Denial of Service (DoS)
• Ransomware
• Viruses
• Worms
• Man in the middle (MITM)
• Drive-by
• Pharming
• Phishing
• Script Injection
• Vector
• Trojans
• Spyware & Adware
9:29 pm on July 19, 2018 (gmt 0)

Preferred Member from CA (joined: Feb 7, 2017; posts: 579; votes: 60)


Are all hacking attempts that try to break into a web site or server, for Apache, logged in the raw access log?
10:31 pm on July 19, 2018 (gmt 0)

keyplyr, Senior Member from US (joined: Sept 26, 2001; posts: 12913; votes: 893)


Depending on how your server access or server error log is set up, yes, all requests, whether successful or failed, should be logged.

Most server logs are set up to display failed requests in both the access log and the error log, although often reflecting some different information.
10:43 pm on July 19, 2018 (gmt 0)

lucy24, Senior Member from US (joined: Apr 9, 2011; posts: 15943; votes: 890)


>>Are all hacking attempts that try to break into a web site or server, for Apache, logged in the raw access log?

As above: what kind of hacking attempts? Anything in the form of an http request--GET, POST, PUT (hahahaha)--will show up in logs. They’re the ones with long convoluted query strings containing code that is supposed to execute and Do Bad Things; look for suspicious numbers of \ backslashes and { braces }. But those tend to be trivially easy to block. If you have your own server, you may have a firewall that prevents some requests from even reaching the server, so those won't show up in access logs, though you will probably log them in some other way.

What happens on other ports will depend on what the server has been set up to do with them. Take the most elementary example: if a server contains no secure sites, it may not even be listening on port 443, so any attempted entries will simply time out.

I can't imagine setting up a server to listen on all possible ports by default. It would be like leaving all your ground-floor doors and windows open on the off chance that your cat might one day want to come in by a non-standard route.

:: detour to MAMP config file, followed by Apache docs ::

Yeah, that's what I thought. You have to tell it the specific ports to listen on. In fact, in Apache 2.2 and later you must include a Listen directive.
11:30 pm on July 19, 2018 (gmt 0)

topr8, Senior Member (joined: Apr 19, 2002; posts: 3514; votes: 87)


>>• Vector

I thought vector just meant a 'type' of attack, e.g. phishing is a vector ... I could be wrong though!

>>I have been playing with various open source hacking software which you can state a specific port to use for an attack

I'd say generally most servers are locked down with only a few open ports:
80, 443, 8080 (for http access)
if the server is also a mail server then typically: 25, 110, 143, 465, 587, 993
there might also be open ports for MySQL, ftp and ssh
possibly other ports for various apps that could be running on specific ports
... all other ports are generally shut!

... quite honestly MySQL and ssh should be firewalled to allow access from specific IPs only,
and no-one should be using ftp anymore either, so that should be shut - ftp should be through ssh or other methods.

Thus most attacks would be through the 80, 443 or 8080 ports.

These would most likely be logged by apache - assuming you have set up the logs accordingly.

As lucy24 said:
>>They’re the ones with long convoluted query strings containing code that is supposed to execute and Do Bad Things; look for suspicious numbers of \ backslashes and { braces }.

This is generally some kind of injection attack that should be blocked somewhere in your code one way or another
- for instance you can check query string length and anything longer than expected, then deal with it accordingly.

You will notice in your logs loads of requests to various wordpress or other similar type files - these are effectively probes checking to see if those files exist ... if they do then a hack attempt will follow.
One of the advantages of home grown code is that even if it is not as well written as other code, assuming you don't publish it, then no-one knows how to exploit it; the big cms systems (if open source) are available for anyone to analyse.

I know you haven't asked this but another line of defence is making sure your data is encrypted... so even if you are hacked then at least the data stolen isn't in plaintext.
Obviously product descriptions etc. don't matter as they are presumably available on your website anyway, but private customer data is another matter.
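To make lucy24's "look for backslashes and braces" heuristic and topr8's query-length and CMS-probe points concrete, here is a small access-log triage script. It is an added example, not code from any poster; the probe paths, the 200-character threshold and the sample log lines (documentation IPs) are all assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined"/"common" log prefix: client IP, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Paths that automated CMS probes typically request (assumed, illustrative list).
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/administrator/")
# Assumed threshold; tune it to the longest query string your own site legitimately uses.
MAX_QUERY_LEN = 200

# Constructed sample lines (documentation IPs), not taken from a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2018:22:40:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jul/2018:22:41:13 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
    '203.0.113.9 - - [19/Jul/2018:22:41:14 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209',
    '198.51.100.4 - - [19/Jul/2018:22:42:05 +0000] "GET /page.php?q=%7Ba%7D%7Bb%7D%5Cc HTTP/1.1" 200 77',
    '198.51.100.4 - - [19/Jul/2018:22:42:06 +0000] "GET /search.php?q=' + "a" * 300 + ' HTTP/1.1" 200 77',
]

def classify(line):
    """Return the reasons a log line looks like a probe or injection attempt ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    path, _, query = m.group("target").partition("?")
    decoded = unquote(query)  # %7B -> {, %5C -> \ ; judge what the application actually sees
    reasons = []
    if any(path.startswith(p) for p in PROBE_PATHS):
        reasons.append("cms-probe")
    if len(decoded) > MAX_QUERY_LEN:
        reasons.append("long-query")
    if decoded.count("\\") + decoded.count("{") + decoded.count("}") >= 3:
        reasons.append("code-like-query")
    return reasons

def triage(lines):
    """Group suspicious lines by client IP so repeat probers stand out; clean lines are skipped."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.setdefault(m.group("ip") if m else "?", set()).update(reasons)
    return hits

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

Requests the firewall drops before Apache never reach this log, so pair it with whatever the firewall itself records.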
12:05 am on July 20, 2018 (gmt 0)

Preferred Member from CA (joined: Feb 7, 2017; posts: 579; votes: 60)


Thanks very much. I was just curious. If someone was to attack a server I'd like to know that if I monitor the raw access log I'd have a front row seat for all the action, and perhaps to launch a defense.

I already get the usual WordPress attacks, so I'm familiar with them. Thanks, All.
12:42 am on July 20, 2018 (gmt 0)

lucy24, Senior Member from US (joined: Apr 9, 2011; posts: 15943; votes: 890)


If you don’t already do so, ftp into your site periodically. Make sure nothing is there that shouldn’t be, and that any datestamps are what they ought to be.