[tor-talk] Is this a practical vulnerability?

Anon Mus my.green.lantern at googlemail.com
Sat Oct 20 10:29:57 UTC 2012


On 19/10/2012 13:40, Andreas Krey wrote:
> On Fri, 19 Oct 2012 11:25:34 +0000, Anon Mus wrote:
> ...
>> Within 24hrs of making that Tor hidden service live I could see, in my
>> firewall logs, hundreds of repeated attempts trying to hack my server,
>> directly from the internet, not via my hidden Tor service.
> Welcome to the internet. Have an open web server, and it will get
> accessed by scum that tries known vulnerabilities: /memberlist.php,
> /index.php, /user/soapCaller.bs, that's normal.
> ?

I had been creating/running corporate web sites since the mid-1990s; I 
hardly think that qualified me as a newbie. Not sure what the 
purpose of this remark was.


The web server itself was supposed to be firewalled from the open web 
(with only Tor access) but a "hole" bug in the firewall's code meant 
that a "stop access" mode only caused "logging" mode to be initially 
turned on.

>> All were
>> attempting to access various types of services/permissions which were
>> mainly focused on attempting to gain control of a "web page server".
> How can you tell that from firewall logs? If it just blocks the access
> you will only see the source address, but not the actual HTTP request.
>

Well, with you being such an "experienced" and "savvy" web person I am 
sure you will know that there are things called software "firewalls" 
out there which give indications of "attacks" and fully log unusual 
traffic. The one I used included a real-time "allow"/"block" traffic 
mode with live log and I used that to track and block / delay some 
accesses. Again I am perplexed, bearing in mind your huge experience, that 
you should even ask this question.

Of course, once again your vast experience will lead you to the 
conclusion that once alerted to the attacks I used other tools (such as 
my web server log & a packet sniffer) to see the details of the traffic.

> ...
>> attack strategy over a 12 hour period. Hundreds of commands were sent,
>> many in quick succession as if they were in some sort of script file,
> Can you be any more detailed about those attacks? What commands, on
> what service, and why do you even get to know the commands if there
> is no such service on your computer?
>
> Andreas
>

There were many attacks which I am sure you can research on the net 
yourself. They were mainly aimed at accessing parts of the server such 
as files and various rpc O/S components.

They did focus on trying to identify what web server I was using, I 
believe there were about 4 or 5 different

Of course my web server did log the traffic that did get through; these 
logs are now gone but here's a section from one which I queried someone 
as to what it was...

> #Fields:
> time c-ip cs-method cs-uri-stem sc-status
> 13:05:35 xxx.xxx.xxx.xxx GET /{Tor hidden service 
> ID}/nonexistentfile.php 404
> 13:05:35 xxx.xxx.xxx.xxx GET /adxmlrpc.php 404
> 13:05:35 xxx.xxx.xxx.xxx GET /adserver/adxmlrpc.php 404
> 13:05:36 xxx.xxx.xxx.xxx GET /phpAdsNew/adxmlrpc.php 404
> 13:05:36 xxx.xxx.xxx.xxx GET /phpadsnew/adxmlrpc.php 404
> 13:05:36 xxx.xxx.xxx.xxx GET /phpads/adxmlrpc.php 404
> 13:05:37 xxx.xxx.xxx.xxx GET /Ads/adxmlrpc.php 404
> 13:05:37 xxx.xxx.xxx.xxx GET /ads/adxmlrpc.php 404
> 13:05:37 xxx.xxx.xxx.xxx GET /xmlrpc.php 404
> 13:05:38 xxx.xxx.xxx.xxx GET /xmlrpc/xmlrpc.php 404
> 13:05:38 xxx.xxx.xxx.xxx GET /xmlsrv/xmlrpc.php 404
> 13:05:38 xxx.xxx.xxx.xxx GET /blog/xmlrpc.php 404
> 13:05:39 xxx.xxx.xxx.xxx GET /drupal/xmlrpc.php 404
> 13:05:39 xxx.xxx.xxx.xxx GET /community/xmlrpc.php 404


I was told the above were attempts to gain access to a web server's 
management system.

The attacks all fell on stony ground because none actually guessed the 
web server I was using before I closed the loophole.
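As an added illustration (not part of this thread or anyone's post in it), here is one way a defender could pick out a burst like the one quoted above from a log in the same W3C extended format: the sample lines are constructed, and the client addresses are documentation ranges rather than anything from the list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C extended log layout of the excerpt above.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:05:35 203.0.113.7 GET /adxmlrpc.php 404
13:05:35 203.0.113.7 GET /adserver/adxmlrpc.php 404
13:05:36 203.0.113.7 GET /phpAdsNew/adxmlrpc.php 404
13:05:36 203.0.113.7 GET /phpads/adxmlrpc.php 404
13:05:37 203.0.113.7 GET /xmlrpc.php 404
13:05:38 203.0.113.7 GET /blog/xmlrpc.php 404
13:05:39 203.0.113.7 GET /drupal/xmlrpc.php 404
13:07:02 198.51.100.9 GET /index.html 200
13:09:15 198.51.100.9 GET /missing.html 404
"""

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip malformed lines
                yield dict(zip(fields, parts))

def find_probe_bursts(text, min_404s=5, window_s=60):
    """Return {ip: (total_404s, distinct_paths)} for each client IP that
    drew at least min_404s 404 responses inside any window_s-second span.
    Times are parsed as clock times, so a burst across midnight is missed."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        if row["sc-status"] == "404":
            t = datetime.strptime(row["time"], "%H:%M:%S")
            by_ip[row["c-ip"]].append((t, row["cs-uri-stem"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        lo = 0  # sliding window over the sorted timestamps
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= min_404s:
                flagged[ip] = (len(hits), len({p for _, p in hits}))
                break
    return flagged
```

A single visitor mistyping a URL produces one 404 and is left alone; the scripted sweep of xmlrpc-style paths trips the threshold within a few seconds.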


