It appears that someone’s been targeting my website again, looking for application vulnerabilities. Here’s just a small sample of the attack as detailed in my stats:
20140815 | 08:05:14 | 128.199.246.204 | lm_absolute_path=http://www.google.com/humans.txt? |
20140815 | 08:04:54 | 128.199.246.204 | mosConfig_live_site=http://www.google.com/humans.txt? |
20140815 | 08:04:10 | 128.199.246.204 | CONFIG_EXT[ADMIN_PATH]=http://www.google.com/humans.txt? |
20140815 | 08:04:00 | 128.199.246.204 | cropimagedir=http://www.google.com/humans.txt? |
20140815 | 08:03:50 | 128.199.246.204 | mosConfig_live_site=http://www.google.com/humans.txt? |
20140815 | 08:03:05 | 128.199.246.204 | INC=http://www.google.com/humans.txt? |
20140815 | 08:03:03 | 128.199.246.204 | INC=http://www.google.com/humans.txt? |
20140815 | 08:03:02 | 128.199.246.204 | path[docroot]=http://www.google.com/humans.txt? |
20140815 | 08:02:57 | 128.199.246.204 | cfgProgDir=http://www.google.com/humans.txt? |
20140815 | 08:02:56 | 128.199.246.204 | language=http://www.google.com/humans.txt? |
20140815 | 08:02:52 | 128.199.246.204 | init_path=http://www.google.com/humans.txt?& |
20140815 | 08:02:53 | 128.199.246.204 | config[installdir]=http://www.google.com/humans.txt? |
20140815 | 08:02:39 | 128.199.246.204 | dir=http://www.google.com/humans.txt? |
20140815 | 08:02:37 | 128.199.246.204 | config[installdir]=http://www.google.com/humans.txt? |
20140815 | 08:02:34 | 128.199.246.204 | language=http://www.google.com/humans.txt? |
20140815 | 08:02:35 | 128.199.246.204 | GLOBALS[PT_Config][dir][data]=http://www.google.com/humans.txt? |
20140815 | 08:02:28 | 128.199.246.204 | GLOBALS[CLASS_PATH]=http://www.google.com/humans.txt? |
20140815 | 08:02:24 | 128.199.246.204 | xtrphome=http://www.google.com/humans.txt? |
20140815 | 08:02:16 | 128.199.246.204 | level=http://www.google.com/humans.txt? |
20140815 | 08:02:17 | 128.199.246.204 | bypass_installed=1&secure_page_path=http://www.google.com/humans.txt?%00 |
20140815 | 08:02:11 | 128.199.246.204 | mod_root=http://www.google.com/humans.txt? |
20140815 | 08:02:08 | 128.199.246.204 | commonIncludePath=http://www.google.com/humans.txt? |
20140815 | 08:02:04 | 128.199.246.204 | format_menue=http://www.google.com/humans.txt? |
20140815 | 08:02:00 | 128.199.246.204 | loadadminpage=http://www.google.com/humans.txt? |
20140815 | 08:01:57 | 128.199.246.204 | config[installdir]=http://www.google.com/humans.txt? |
20140815 | 08:01:52 | 128.199.246.204 | lm_absolute_path=../../../&install_dir=http://www.google.com/humans.txt? |
20140815 | 08:01:49 | 128.199.246.204 | config[installdir]=http://www.google.com/humans.txt? |
As you can see, the attack was fairly constant. It had been going on for about 1-2 hrs before I spotted it and blocked the relevant IP address from the site, but in the space of 2 hrs they’d made about 2500+ attempts to find the humans.txt file.
The Akamai Blog gives a few more details about Skipfish, and you can also find some more info here.
Here’s the basics from the Akamai blog about what Skipfish attempts to do:
Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site’s pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site.
If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish.
Anyway, I’ve now blocked this IP address and made an abuse report against it, hoping that this will at least prevent that IP from being used again.
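As an added example (not code from this post, Akamai or Skipfish), here is a small Python filter that reads stats lines in the format shown above and flags query parameters whose value is a remote URL, which is the pattern all of these probes share. The first three sample lines are copied from the log above; the fourth line and the `OWN_HOSTS` value are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# First three lines come from the log above; the last one is constructed benign traffic.
SAMPLE = """\
20140815 | 08:02:17 | 128.199.246.204 | bypass_installed=1&secure_page_path=http://www.google.com/humans.txt?%00 |
20140815 | 08:01:52 | 128.199.246.204 | lm_absolute_path=../../../&install_dir=http://www.google.com/humans.txt? |
20140815 | 08:02:28 | 128.199.246.204 | GLOBALS[CLASS_PATH]=http://www.google.com/humans.txt? |
20140815 | 08:05:00 | 203.0.113.7 | page=about&lang=en |
"""

OWN_HOSTS = {"www.example.org"}  # assumption: hostnames that legitimately appear in parameters
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_line(line):
    """Split 'date | time | ip | query |' into its four fields, or return None."""
    parts = [p.strip() for p in line.split("|")]
    return tuple(parts[:4]) if len(parts) >= 4 else None

def rfi_findings(query):
    """Return (param, host, has_null_byte) for each parameter holding a remote URL."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not REMOTE_URL.match(value):
            continue  # relative paths and ordinary values are not include-by-URL probes
        host = (urlsplit(value).hostname or "").lower()
        if host in OWN_HOSTS:
            continue
        # %00 decodes to a NUL byte, the truncation variant quoted from the Akamai post
        findings.append((name, host, "\x00" in value))
    return findings

def summarise(log_text):
    """Count probe hits per source IP and per parameter name, plus NUL-byte variants."""
    per_ip, params, null_bytes = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, _host, has_null in rfi_findings(rec[3]):
            per_ip[rec[2]] += 1
            params[name] += 1
            null_bytes += has_null
    return per_ip, params, null_bytes

if __name__ == "__main__":
    per_ip, params, null_bytes = summarise(SAMPLE)
    print(per_ip.most_common(), sorted(params), null_bytes)
```

Because the included URL is configurable by whoever runs the scanner, the filter keys on "parameter value is a remote URL" rather than on the `humans.txt` string itself.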