Nov
Insight into web attacks
Posted by jerry as Hacking, Security
I’ve been fairly attentive to my web server logs lately. I noticed something strange this morning in the logs for syslog.org:
200.88.114.166 - - [12/Nov/2007:10:21:21 -0500] "POST /forum/index.php?action=quickmod2;topic=249.0 HTTP/1.1" 200 11257 "http://www.syslog.org/forum/index.php?PHPSESSID=5537d4fd7661fd20c7aa6aa8b3f05a05&topic=249.msg2124" "Opera/9.0 (Windows NT 5.1; U; en)"
Now, all day long, bots and sites are trying to submit stuff and run automated hacking tools. This entry caught my eye because it had a session ID. Not sure why it caught my eye, but it did. So, I grep for the session id and get this other line:
69.46.16.2 - - [12/Nov/2007:10:21:14 -0500] "GET /forum/index.php?PHPSESSID=5537d4fd7661fd20c7aa6aa8b3f05a05&topic=249.msg2124 HTTP/1.1" 200 22114 "-" "-"
Grepping the log files for both IPs only gives those two lines. What I find particularly interesting is that they are clearly different sources, but obviously working together to somehow do something. Then I decided to look at a longer term - 3 months. There were a total of 801 hits that included that session ID, going all the way back to the start of the logs. The sources were from hundreds of different IP addresses. Some of them ran through a battery of tests, but most of them occurred only once.
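The analysis above (grep for one session ID, then look at how many distinct source addresses present it and over what period) is easy to turn into a small script. The following is an added example, not code from the post: it parses Apache combined-format log lines, pulls PHPSESSID out of both the request target and the Referer, and reports any session ID that has been presented from more than one client address. The first two sample lines are the ones quoted above; the remaining lines, the 192.0.2.x and 198.51.100.x addresses and their timestamps, are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Lines 1-2 are the two entries from the post; the rest are made up:
# a normal visitor whose session stays on one address, and a third address replaying the
# same fixed session ID weeks earlier.
SAMPLE_LOG = [
    '200.88.114.166 - - [12/Nov/2007:10:21:21 -0500] "POST /forum/index.php?action=quickmod2;topic=249.0 HTTP/1.1" 200 11257 "http://www.syslog.org/forum/index.php?PHPSESSID=5537d4fd7661fd20c7aa6aa8b3f05a05&topic=249.msg2124" "Opera/9.0 (Windows NT 5.1; U; en)"',
    '69.46.16.2 - - [12/Nov/2007:10:21:14 -0500] "GET /forum/index.php?PHPSESSID=5537d4fd7661fd20c7aa6aa8b3f05a05&topic=249.msg2124 HTTP/1.1" 200 22114 "-" "-"',
    '192.0.2.10 - - [12/Nov/2007:09:00:00 -0500] "GET /forum/index.php?PHPSESSID=0123456789abcdef0123456789abcdef&board=1.0 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Nov/2007:09:00:30 -0500] "GET /forum/index.php?PHPSESSID=0123456789abcdef0123456789abcdef&topic=7.0 HTTP/1.1" 200 6000 "http://www.syslog.org/forum/index.php?PHPSESSID=0123456789abcdef0123456789abcdef&board=1.0" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Oct/2007:02:15:44 -0400] "GET /forum/index.php?PHPSESSID=5537d4fd7661fd20c7aa6aa8b3f05a05&action=login HTTP/1.1" 200 9000 "-" "-"',
]


def session_ids_in_url(url):
    """Return the PHPSESSID values carried in a URL's query string (normally zero or one)."""
    if not url or url == "-":
        return []
    return parse_qs(urlsplit(url).query).get("PHPSESSID", [])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def session_activity(lines):
    """Group requests by session ID, whether the ID appears in the target or the Referer."""
    sessions = defaultdict(lambda: {"ips": set(), "hits": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # A line that carries the same ID in both target and Referer counts as one hit.
        for sid in set(session_ids_in_url(rec["target"]) + session_ids_in_url(rec["referer"])):
            s = sessions[sid]
            s["ips"].add(rec["ip"])
            s["hits"] += 1
            if s["first"] is None or rec["time"] < s["first"]:
                s["first"] = rec["time"]
            if s["last"] is None or rec["time"] > s["last"]:
                s["last"] = rec["time"]
    return dict(sessions)


def shared_sessions(sessions, min_ips=2):
    """Session IDs presented from at least min_ips distinct client addresses."""
    return {sid: s for sid, s in sessions.items() if len(s["ips"]) >= min_ips}


if __name__ == "__main__":
    for sid, s in shared_sessions(session_activity(SAMPLE_LOG)).items():
        print(f"{sid}: {s['hits']} hits from {len(s['ips'])} addresses, "
              f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d}")
        for ip in sorted(s["ips"]):
            print("   ", ip)
```

Run against real logs, feed it `open("access.log")` instead of SAMPLE_LOG. The signal is the same one described above: a single session ID appearing from many addresses over months is not a user, it is a URL that has been copied around. The root cause is the session ID being carried in the URL at all (the PHP `session.use_trans_sid` behaviour that puts PHPSESSID into links when a cookie is not accepted); with `session.use_trans_sid=0` and `session.use_only_cookies=1` in php.ini the ID never reaches a log, a Referer header, or a bot's target list.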
A search of Google for the string turns up nothing - though it probably will now that this article is up. So, what does that tell me? At some point long ago, someone probably logged into SMF and included the resulting URL in a database that is used by bots to launch attacks from.