10.28.09

How Hackers Are Trying To Penetrate Cloud Computing

By Dan Morrill

Now that my two cloud servers have been up and running long enough for scanners, hackers and other folks to find them, it is interesting to see what kind of hacker activity the two cloud servers are drawing, and how they are standing up to being exposed on the internet.

A bit about the servers: they are default AWS (Amazon Web Services) servers, running LAMP on Linux. They have their own static IPs and are in a subdomain off the primary domain that we are using. They provide LMS (Learning Management System), podcasting, and blogging platforms for people to use and share information. Some of that sharing is also free, so we are running an open training campus to help folks keep up with what is changing in the world of technology.

The first site in the system is our LMS. This gets some scanning, but no real dedicated attempts at hacking the system. Most of the scanning is drive-by, looking for specific directories that might contain vulnerable programs or systems. The scanning primarily consists of hackers looking for phpMyAdmin or shopping carts, and in some cases looking for WordPress installations or other software packages like Drupal.

[Image of example scan log entries from the original article; not reproduced here.]
The scanning activity over the servers' lifetime primarily looks for information like the above example (and there are hundreds of these over the 90 days that they have been running). What is interesting is that they all seem to bounce off after about 15 to 20 quick scans with the Invalid URI error.

Another interesting scan to show up was this one:

[client 66.98.218.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

W00t is an older scanner from 2005 that the ISC at SANS no longer has an affiliation with. What is interesting is that such an old scanner would still be used. This was more of an annoyance scan, showing up three or four times a day.

Others were the standard XMLRPC scan attacks, like the one below.

[client 87.230.13.210] script/home/webuser/helloworld/htdocs/blog/xmlrpc.php'

The XMLRPC attacks showed up much more often, 8 or 9 times a day, looking for XSS-style attacks that could be used against the site. These are much more dangerous because users could easily be sent to a dangerous site if we were not filtering script and HTML codes out of all data inputs.

The blogging web server, though, was seeing a lot more activity, and more dangerous activity in the longer run, and obviously presented a bigger, better target to hackers. Hackers really went after the WordPress installation, not realizing that the system was set up to run very securely. Standard attacks took a more direct approach, trying to initialize or run scripts that did not exist, like below.

About the Author: Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.
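As an added example (not code from the article or its author), the following Python script classifies Apache 2.2-style error_log lines of the kinds quoted above (phpMyAdmin and CMS directory probes, the w00tw00t scanner, xmlrpc.php lookups, Invalid URI errors) and tallies them per client so the three-or-four-a-day versus eight-or-nine-a-day pattern the article describes becomes visible. The sample lines are constructed; the 198.51.100.x addresses and the exact message formats are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache 2.2-style error_log sample modelled on the entries quoted in
# the article; 198.51.100.x addresses are documentation-range placeholders.
SAMPLE_LOG = """\
[Tue Oct 27 03:12:01 2009] [error] [client 198.51.100.7] Invalid URI in request GET /phpMyAdmin/ HTTP/1.1
[Tue Oct 27 03:12:02 2009] [error] [client 198.51.100.7] Invalid URI in request GET /pma/ HTTP/1.1
[Tue Oct 27 03:12:03 2009] [error] [client 198.51.100.7] File does not exist: /var/www/html/wordpress
[Tue Oct 27 05:40:11 2009] [error] [client 66.98.218.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 27 09:02:44 2009] [error] [client 87.230.13.210] script '/home/webuser/helloworld/htdocs/blog/xmlrpc.php' not found or unable to stat
[Tue Oct 27 09:02:45 2009] [error] [client 87.230.13.210] script '/home/webuser/helloworld/htdocs/xmlrpc.php' not found or unable to stat
[Tue Oct 27 11:15:09 2009] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
"""

# Probe signatures in priority order: the first matching pattern names the category.
SIGNATURES = [
    (re.compile(r"w00tw00t", re.I), "w00tw00t-scanner"),
    (re.compile(r"xmlrpc\.php", re.I), "xmlrpc-probe"),
    (re.compile(r"phpmyadmin|/pma/", re.I), "phpmyadmin-probe"),
    (re.compile(r"wordpress|wp-admin|drupal", re.I), "cms-probe"),
    (re.compile(r"Invalid URI in request"), "invalid-uri"),
]
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\]")

def classify(line):
    """Return the probe category of one error_log line, or None for ordinary noise."""
    for pattern, category in SIGNATURES:
        if pattern.search(line):
            return category
    return None

def summarize(log_text):
    """Tally matched probes per (client IP, category); unmatched lines are dropped."""
    hits = Counter()
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        category = classify(line)
        if client and category:
            hits[(client.group(1), category)] += 1
    return hits

def noisy_clients(hits, threshold=2):
    """Client IPs whose matched probes reach the threshold, busiest first."""
    totals = defaultdict(int)
    for (ip, _category), count in hits.items():
        totals[ip] += count
    return sorted((ip for ip in totals if totals[ip] >= threshold), key=lambda ip: -totals[ip])
```

Running `summarize(SAMPLE_LOG)` on a real error_log with the threshold raised to the per-day volumes the article reports gives a short list of clients worth reviewing, while the favicon-style noise never reaches the tally.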
ITProWire is an iEntry, Inc. publication. iEntry, Inc., 2549 Richmond Rd., Lexington KY 40509. 2009 iEntry, Inc. All Rights Reserved.