Jan 31, 2010: Made status updates below.

In this post I’m taking rough notes of what appear to be attempted exploits against planetjk.com. I’m noting these partially for my benefit, so I can keep a log of things to potentially upgrade/mitigate.

I have a CSV file of traffic (currently logging the last 20 months) for cumulative analysis, but I couldn’t get Open Office to quickly trim out my home and work IP’s so right now I’m just eyeballing the data.

For a bit of a visual, here’s the visitor traffic broken down by country, courtesy of Mint:

  • Someone with an IP in Sweden is trying to login to my Tasks and Gallery2 (photo albums). A lot.
  • My installation of Mint needs to be updated //Done
  • I’m seeing a moderate amount of trolling for phpMyAdmin directories
  • In Mid-December, I see a lot of HTTP 500’s returned from disparate IP’s trying to get to this blog. Perhaps I was doing maintenance?
  • An obvious zombie host tried exploiting some PHP code in the FAQ to surreptitiously upload a PDF (presumably loaded with more exploits). Oh wow: I just scrolled up and saw 12 more instances of the same thing, to different target paths, from the same source. That’s getting reported. //Done: sent an e-mail to the Abuse coordinator at Americanis
  • A machine in Brazil tried to route the Photo Albums through a known brute force tool previously hosted online (I say previously because the domain name has since been suspended). I’m glad that DreamHost has one-click installs which allow me to upgrade ASAP. Now that I think about it more, I host photo albums and blogs for a few friends that don’t really use them anymore. It might be time to remove them. //Done: sent e-mails to friends

Okay, that’s enough for this morning- I have some abuse POC’s to contact. The notes above represent a reverse chronological eyeballing of traffic from Dec 2009 through now.

The biggest “problem” I have is that search bots don’t have memory loss. I still get trolled for directory structure that I had in place in 2001- I should really look into modifying robots.txt or creating proper sitemaps so they know where to go. It’s not really a security issue but it creates a ton of noise in the logs.

The biggest note to self is that I REALLY need to make a habit out of checking logs more often. Getting pwn3d on your personal domain is a bad thing for an IT security guy.

One thought on “Summary of PlanetJK exploit attempts”

Leave a Reply

Your email address will not be published. Required fields are marked *