LiquidFiles Documentation

Automated Attacks

On any system that's connected to the Internet, you will see a range of automated attacks, and they happen pretty much constantly. This is often referred to as Internet noise or script kiddie attacks.

What happens is that after a vulnerability has been discovered, someone writes a script to exploit that particular vulnerability, and then these "script kiddies" use the script to scan the Internet up and down looking for vulnerable systems. It is the equivalent of someone walking up and down the street pulling door handles looking for an unlocked door. It's a very unsophisticated attack.

On any system that's connected to the Internet and runs a web server, you will see log entries like these:

152.136.41.189 - - [18/Sep/2020:02:10:55 +0000] http://52.55.253.91 -/- "GET /admin/index.php HTTP/1.1" 404 55 639 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:00 +0000] http://52.55.253.91 -/- "GET /admin/pma/index.php HTTP/1.1" 404 59 643 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:00 +0000] http://52.55.253.91 -/- "GET /admin/PMA/index.php HTTP/1.1" 404 59 643 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:00 +0000] http://52.55.253.91 -/- "GET /admin/mysql/index.php HTTP/1.1" 404 61 645 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:01 +0000] http://52.55.253.91 -/- "GET /admin/mysql2/index.php HTTP/1.1" 404 62 646 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:03 +0000] http://52.55.253.91 -/- "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 66 650 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:03 +0000] http://52.55.253.91 -/- "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 66 650 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:04 +0000] http://52.55.253.91 -/- "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 67 651 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "#; charset=utf-8"
5.188.210.227 - - [18/Sep/2020:04:00:08 +0000] http://5.188.210.227 -/- "GET http://5.188.210.227/echo.php HTTP/1.1" 400 666 826 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "text/html; charset=utf-8"

If you look at the requested path in each GET request, you'll see that all of these attacks are targeting PHP, which is a common scripting system on the Internet. LiquidFiles does not use PHP, so it is simply not vulnerable to them.
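The following is an added example for triaging this kind of noise; it is not LiquidFiles code. It assumes the log line layout seen in the excerpt above (client IP, timestamp, host, request line, status, two byte counts, referer, user agent, content type), parses each line, and groups PHP-targeted requests per client IP. Besides counting the probes, it records any probe that was answered with a 2xx status: on a host that does not run PHP that list should always be empty, which is the quick check a defender actually wants when asking whether such a scan "succeeded". The sample lines are constructed from the excerpt, with shortened user agents and one added benign request from a private address.

```python
"""Triage web-server log lines for automated PHP probing (added example, not
LiquidFiles code). The line layout is an assumption inferred from the sample
lines in the documentation above."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modelled on the lines shown in the documentation.
# User agents are shortened and the 10.0.0.5 line is an added benign request.
SAMPLE_LOG = """\
152.136.41.189 - - [18/Sep/2020:02:10:55 +0000] http://52.55.253.91 -/- "GET /admin/index.php HTTP/1.1" 404 55 639 "-" "Mozilla/5.0 (constructed)" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:00 +0000] http://52.55.253.91 -/- "GET /admin/pma/index.php HTTP/1.1" 404 59 643 "-" "Mozilla/5.0 (constructed)" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:00 +0000] http://52.55.253.91 -/- "GET /admin/mysql/index.php HTTP/1.1" 404 61 645 "-" "Mozilla/5.0 (constructed)" "#; charset=utf-8"
152.136.41.189 - - [18/Sep/2020:02:11:03 +0000] http://52.55.253.91 -/- "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 66 650 "-" "Mozilla/5.0 (constructed)" "#; charset=utf-8"
5.188.210.227 - - [18/Sep/2020:04:00:08 +0000] http://5.188.210.227 -/- "GET http://5.188.210.227/echo.php HTTP/1.1" 400 666 826 "https://www.google.com/" "Mozilla/5.0 (constructed)" "text/html; charset=utf-8"
10.0.0.5 - - [18/Sep/2020:04:05:00 +0000] http://52.55.253.91 -/- "GET /login HTTP/1.1" 200 1234 1500 "-" "Mozilla/5.0 (constructed)" "text/html; charset=utf-8"
"""

# Assumed layout: ip ident user [timestamp] host -/- "METHOD path PROTO"
# status bytes bytes "referer" "user-agent" "content-type"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<host>\S+) \S+ '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ \d+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*"$'
)

# Paths that only make sense on a PHP stack. On a host that does not run PHP
# a request for one of these is scanner noise by definition.
PHP_PROBE_RE = re.compile(r'\.php(?:$|\?)|phpmyadmin|/pma/', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines, min_probes=3, window_seconds=300):
    """Group PHP-targeted requests by client IP and summarise each burst.

    An IP is reported when it sends at least `min_probes` PHP-targeted requests
    within `window_seconds`. `served` lists any probe that received a 2xx
    response; on a non-PHP host it should be empty, and a non-empty list is
    the one thing in this noise that deserves a closer look.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PHP_PROBE_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) >= min_probes and span <= window_seconds:
            findings[ip] = {
                "probes": len(recs),
                "span_seconds": span,
                "statuses": sorted({r["status"] for r in recs}),
                "served": [r["path"] for r in recs if 200 <= r["status"] < 300],
            }
    return findings


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against the sample, the only finding is 152.136.41.189 with four probes in eight seconds, all answered 404 and none served; the single echo.php request from 5.188.210.227 stays below the threshold and the /login request is never counted. Point the same function at a real access log and the `served` list is what to read first.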

So how do I stop these automated attacks?

If you have a door, how do you prevent someone from pulling the handle to see if it's open? You can't, really. The same applies to systems connected to the Internet: you can't prevent someone from scanning your IP addresses looking for vulnerabilities.

But I really want to stop these automated attacks?

If you're really concerned, you will need to use some form of Web Application Firewall (WAF). On top of that, you'll have to spend weeks tuning it for each web application you have, to ensure that the WAF does not block legitimate traffic. Your best bet is likely to engage a local security company that can monitor all your web applications, firewalls and anything else you have connected to the Internet on an ongoing basis.

How do I know if the attack succeeded?

First, anything involving PHP is not going to succeed, because LiquidFiles does not use PHP.

Second, you can't prove a negative — i.e. you can't prove that no one has succeeded in breaking into a system.

What you have to do is inspect, and keep inspecting, the logged-in user activity to make sure there is no actual suspicious activity.

Is there any good news?

Yes. It's extremely unlikely that a system like LiquidFiles, which uses a modern web application framework, is designed with security in mind and is frequently security scanned, is vulnerable to any of these automated attacks.

The one thing you have to ensure is that your system is kept up to date. By default, LiquidFiles has auto-update enabled so that as many customers as possible run up-to-date systems, which further minimises the risk of any LiquidFiles system being vulnerable. If you don't want to enable auto-update, you will have to develop your own procedure to update LiquidFiles (and any other system you have connected to the Internet) periodically.