Category Archives: webattacks

Faking (all) user agents

If you are going to fake a user agent, do it right :) I am seeing some web scanners faking all possible browsers out there in one single request: Firefox/3.6, Chrome/9, Firefox/3.0, Opera/9.99, Safari and more. This is the actual log (searching …

Posted in log analysis, webattacks

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those: <rule id="31110" level="6"> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule> It looks for the possibly dangerous …

Posted in ossec, webattacks

Detecting outdated (web) applications with OSSEC

For the last few days I have been working (again) on the system auditing module for OSSEC, and one thing that can make it more useful is detecting outdated applications (especially web apps). Things like WordPress, Joomla, wikis and others …

Posted in log analysis, v27, webattacks | 9 Comments

WordPress to Syslog

WPsyslog2 is a global log plugin for WordPress. It keeps track of all system events and logs them to syslog. It tracks events such as new posts, new profiles, new users, failed logins, logins, logouts, etc. It also tracks the …

Posted in ossec, webattacks

Web attacks resource

I have a few honeypots out there just collecting information about web attacks, and they have been a great help in improving OSSEC and how it parses web/proxy logs. Since I couldn't find any public resource dedicated to storing this …

Posted in webattacks

Hammered by web attacks (KorWeblog)

Some of my web honeypots are being hammered by attacks against KorWeblog. In fact, even my real systems are receiving a lot of these too. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds …

Posted in log analysis, webattacks