How many hack attempts?

Over Five Thousand Eight Hundred attempts in one day!

The most shocking thing about 5800+ hack attempts in one day might be, simply, that it’s not shocking. Numbers like this are trivial because they are scripted and automated; very little human effort is involved. The attacker, or attackers, might have made this many attempts on thousands of other computers the same day without any additional effort.

Most (nearly all) of these attempts are harmless. They’re harmless because they mainly target vulnerabilities that (should) have been patched long ago, but also because they (usually) target only specific applications.

An example: /phpauction/admin/admin.php (about 80 lines from the top)

The phpauction hack attempt is described at Security Focus.

A flaw in /admin/login.php has been reported in PHPAuction, which could allow users to gain escalated privileges.

Reported in July 2002, this vulnerability is of no concern to anyone not running PHPAuction, which no longer seems to be available anyway. But you never know: someone out there might still be running 20-year-old software, and it costs the attacker nothing to add this line to their script.

The background radiation of the Internet

Automated hack attempts abound. It’s difficult to estimate the percentage of traffic malicious botnets consume, but it’s probably a big number. Every server I’ve been responsible for has seen it, and every other sysadmin I’ve spoken to concurs: if your computer is publicly visible, hundreds of attempts to break into it will occur every single day, more or less.

Sometimes it’s as few as 20 or 30, and sometimes, like what happened to Sandbox on July 10th, 2021, it can be thousands.

The complete list of July 10th’s hack attempts on Sandbox can be found here.
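To see how a log like July 10th’s is counted, here is an added example (not part of the original presentation) that reads access-log lines in the common Apache/nginx "combined" format, tallies requests for paths belonging to software the server does not run, such as the /phpauction/admin/admin.php probe above, and separates the harmless 404s from any probe the server actually answered. The log lines and the list of probe paths are constructed for the example; the regex assumes the combined format and may need adjusting for your server.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Paths that belong to software this server does not run. Any request for them is a
# scripted probe. /phpauction/ comes from the page's log; the others are constructed.
PROBE_PATHS = ("/phpauction/", "/wp-login.php", "/phpmyadmin/")

# Constructed sample log lines, not from the real Sandbox log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2021:03:14:01 +0000] "GET /phpauction/admin/admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:03:14:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2021:09:30:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Jul/2021:22:05:45 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 812 "-" "python-requests/2.25"
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(entry):
    """A request is a probe if it asks for an application path this server does not host."""
    return any(entry["path"].startswith(p) for p in PROBE_PATHS)

def summarize(log_text):
    """Count probes per day and per source IP; collect probes that did NOT get a 404."""
    per_day = Counter()
    per_ip = defaultdict(Counter)   # ip -> Counter of probed paths (shows scripted scanning)
    hits = []                       # a probed path that answered is the one worth a closer look
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not is_probe(e):
            continue
        day = e["ts"].split(":", 1)[0]          # "10/Jul/2021"
        per_day[day] += 1
        per_ip[e["ip"]][e["path"]] += 1
        if e["status"] != "404":
            hits.append(e)
    return per_day, per_ip, hits
```

A source that requests many different unrelated application paths within seconds, as 203.0.113.7 does here, is the signature of a script working through a list; the non-404 hit is the line to verify against what is actually installed.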

A point of clarification

The hacks described in this presentation are all HTTP hacks.

HTTP stands for HyperText Transfer Protocol, and it is the protocol that Sir Tim Berners-Lee wrote while working at CERN in 1989. HTTP makes the World Wide Web possible.

A server can only be vulnerable to HTTP attacks if it is running HTTPD software, in other words, if it is a web server. A server on the Internet is completely safe from HTTP attacks as long as it does not run web server software, that is, as long as nothing on it accepts HTTP connections.

Other protocols exist, such as SSH and FTP, but for this presentation we are only discussing hacks that attempt to compromise a server via HTTP.

Some terms

Server: A server is simply a computer, usually someone else’s computer, but anyone can put one online, call it a server, and not technically be wrong. For the purpose of this presentation we are focusing on one server: Sandbox, which is the dev version of the Workshift application.

Hack: “Hack” is a very broad term that can have both good and bad connotations. For the purpose of this presentation, we are using it in the negative. A “hack” is an attempt to break into someone else’s computer without permission and with malicious intent.

Security through obscurity: The mistaken belief that a server will never be attacked because it is not hosting a famous or popular site. The scripts described here do not know or care what a server hosts.

IP Address: IP stands for Internet Protocol, and address means exactly that. IPv4 has been the default protocol since the early eighties; IPv6 is slowly being adopted. The “domain names” in the URLs we all use, such as bsc.coop, are conveniences for humans. The actual address of anything that lives on the Internet is its IP address, a series of numbers (in the case of IPv6, quite a long series with letters, too). These addresses are what the hackers use to find their targets: they run through them systematically, hitting every number in sequence.