[LINUX] I tried ranking the user name and password of phpMyAdmin that was targeted by the server attack

Overview

I read The story of a suspicious attack from all over the world as soon as I opened a blog on my own server and checked the log of my server. It was confirmed that the access that seems to be the same cracking purpose was coming.

Among them, there were many attacks that I was relying on without guessing the user name and password of phpMyAdmin, so I counted the number of attacks on them and ranked them.

analysis

I got the Apache HTTP server log (/ var / log / httpd / access_log) of the server (CentOS 6.10) contracted with Sakura VPS. If you look at the contents, you can see that access is being attempted with a user name and password that does not apply to phpMyAdmin as shown below.

xxx.xxx.xxx.xxx - - [04/Oct/2018:02:57:44 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz3edc5tgb&server=1 HTTP/1.1" 200 14538 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [04/Oct/2018:02:57:46 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@123&server=1 HTTP/1.1" 200 14546 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [04/Oct/2018:02:57:59 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@2wsx&server=1 HTTP/1.1" 200 14533 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [04/Oct/2018:02:58:03 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@WSX&server=1 HTTP/1.1" 200 14543 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [04/Oct/2018:02:58:06 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@WSX3edc&server=1 HTTP/1.1" 200 14538 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [04/Oct/2018:02:58:09 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@wsx&server=1 HTTP/1.1" 200 14533 "-" "Mozilla/5.0"

I extracted this information using python and made a histogram information. The python code is listed as an appendix at the end.

Basic information of the log to be analyzed

Acquisition period: 2018/09/26 ~ 2020/01/22 Total number of lines: 658858 lines Of these, what seems to be an attack that seems to be relying on phpMyAdmin password without guessing: 186499 line

Number of user name attacks (25 types in total)

Number of password attacks (top 30 of all 953 types)

(By the way) Passes attacked and the number of times (2 types in total)

Consideration

All rankings will be placed at here.

The overwhelming majority of user names are root, and other blog-related terms such as wordpress and blog, database-related terms such as admin and pma, and server-related terms such as apache are lined up. Compared to Article analyzing attack log on ssh server, the attack on ssh targets the person's name and OS name, while phpMyAdmin It is interesting that there are subtle differences in trends, such as blog-related terms being targeted in attacks on.

The top three passwords were "pass", "password" and "" (none). There wasn't a lot of prominent ones, and it seemed that the things that tended to be aimed at were evenly targeted. It seems to match the tendency of "worst password" as stated in here. The patterns were as follows.

• ** Famous nouns (PC related) ** --root, mysql, access, apahe, oracle, etc.
• ** Famous nouns (general) ** --welcome, monkey, freedom, money, dragon, etc.
• ** Number list ** --123456, 123123, 111111, 1234567890, 666666, etc.
• ** "password" or its derivatives ** --pass, password, Password, passw0rd, p @ $$ w0rd123, etc.
• ** Keyboard turn press ** --qwerty, qazwsx, qazxcv! @ #, Zaq1zaq1, qwert, etc.
• ** Combination of the above ** --abc123, aa123456, password123, 123qwe, admin123, etc.

In addition, the paths that were the targets of the attack were also tabulated. Only the following two types were targeted for attack.

• /phpmyadmin/index.php
• /phpMyAdmin/index.php

Target access list to prevent unauthorized access Or About URLs that are easy to be targeted It is thought that the reason why there are few variations compared to the path mentioned in the article is that this time is the result after extracting the row under the condition that "pma_password =" is included. When I actually looked at the log with the extraction condition set to "contains" phpMyAdmin "", I found that access to paths other than the two types listed this time was also attempted.

in conclusion

I have little knowledge of security, so I don't know how to secure it, but at least I decided to stop using the user name and password that are often found in databases in the default path.

That is all for the text. Thank you for reading. The following is an appendix.

appendix

Python code to extract the required information from the log. This time, the following lines were analyzed.

xxx.xxx.xxx.xxx - - [04/Oct/2018:02:58:03 +0900] "GET /phpMyAdmin/index.php?pma_username=root&pma_password=1qaz@WSX&server=1 HTTP/1.1" 200 14543 "-" "Mozilla/5.0"

If "pma_password =" is included, it is considered to be analyzed. Information is extracted from here by dividing it by spaces, specific characters, or keywords. Here is an example of information and how to retrieve it. This may differ depending on the log file export settings, etc., so please correct it accordingly.

Not all lines can be extracted this way, but I'm ignoring it because I think some exceptions will have little effect. That area is appropriate. After retrieving the element, count the number of times of interest (this time phpMyAdmin path, username, password). Finally, it sorts in descending order and displays it on standard output.

The whole source code looks like the following.

from collections import defaultdict

with open('/path/to/access_log','r') as f:
    logs = f.readlines()

#Extraction of attacks on phpMyAdmin
pma_attacks = [log for log in logs if 'pma_password' in log]

#ip, time_stamp, method, path, username,Extract password
#Rewrite as appropriate according to the log format
extracted_pma_infos = []
for pma in pma_attacks:
    #The ip address is the 0th element separated by spaces
    ip = pma.split(' ')[0] 
    #The time stamp is"["From"]"String up to
    time_stamp = pma.split('[')[1].split(']')[0] 
    #Method (POST, GET, etc.) is the sixth element separated by spaces with the first character removed.
    method = pma.split(' ')[5][1:]
    #path is the sixth element separated by spaces"?"Character string up to just before
    path = pma.split(' ')[6].split('?')[0]
    #The user name is"pma_username="Most recent"?"String up to
    username = pma.split('pma_username=')[1].split('&')[0]
    #The password is"pma_password="Most recent"?"String up to
    password = pma.split('pma_password=')[1].split('&')[0]
    #Exception handling when password is last query
    #At this time, the latest"?"Does not exist and is included up to the end of the log, so it can be done just before the space
    if ' ' in password:
        password = password.split(' ')[0]
    extracted_pma_infos.append([ip,time_stamp,method,path,username,password])

#Histogram of attacked paths, usernames and passwords
pathlist = defaultdict(int)
unlist = defaultdict(int)
pslist = defaultdict(int)
for pma in extracted_pma_infos:
    path = pma[3]
    un = pma[4]
    ps = pma[5]
    pathlist[path]+=1
    unlist[un]+=1
    pslist[ps]+=1

#Histogram data of arguments(dict_obj)A function that parses and creates a list in descending order
def orderedlistFromDict(dict_obj):
    count = list(set([dict_obj[v] for v in dict_obj]))
    count.sort()
    orderedlist = []
    for c in count[::-1]:
        for key in dict_obj:
            if dict_obj[key] == c:
                orderedlist.append((key,dict_obj[key]))
    return orderedlist

#List of attacked paths, usernames, passwords by number of times
ordered_path = orderedlistFromDict(drlist)
ordered_un = orderedlistFromDict(unlist)
ordered_ps = orderedlistFromDict(pslist)

#View pass ranking
for val in ordered_path:
    print(val[0],val[1],sep=',')

#Display user name ranking
for val in ordered_un:
    print(val[0],val[1],sep=',')

#Password ranking display
for val in ordered_ps:
    print(val[0],val[1],sep=',')