CSAM: WebHosting BruteForce logs

Published: 2013-10-04
Last Updated: 2013-10-04 19:52:58 UTC
by Pedro Bueno (Version: 1)
3 comment(s)

Today's log comes from a web hosting control panel, the popular cPanel.

While there are a couple of exploits for the control panel itself, today we will analyze a portion of the log generated by CSF.

CSF is the ConfigServer Firewall plugin for cPanel. It basically works like a log checker for the different daemons on the system: it scans the logs of services such as SSH, SMTP, FTP, etc.

Once it identifies possibly malicious behavior, it can take actions such as blocking the offending IP.

The log we received today is below:

lfd: blocked 113.78.38.218 (CN/China/-)
Time:     Fri Oct  4 02:59:09 2013 -0400
IP:       113.78.38.218 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked:  Yes

Log entries:

2013-10-04 02:58:54 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:55 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:58 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:00 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:03 courier_login authenticator failed for (pc07) [113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)

--

Basically, what it says is that the IP address 113.78.38.218 was blocked because it had 5 invalid logins in less than 5 minutes (300 seconds).

Let's break down the log message to understand it better.

The first part is the description of the event:

--

lfd: blocked 113.78.38.218 (CN/China/-)
Time:     Fri Oct  4 02:59:09 2013 -0400
IP:       113.78.38.218 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked:  Yes

--

This shows that the IP 113.78.38.218, which according to the geolocation belongs to China, had 5 failed login attempts. The service targeted is SMTPAUTH, which provides authentication for the SMTP (email) service.

The time threshold set in this case is 300 seconds, and the action is to block.
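To make these fields concrete, here is an added example (not part of the diary and not CSF's own code) that parses one lfd notice into structured fields and re-checks the threshold it reports, the way a log pipeline would before raising an alert. The sample notice is constructed from the entries quoted above; the regular expressions are assumptions that match only the formats shown on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, rebuilt from the diary's notice: the five courier_login
# entries differ only in their timestamp.
TIMES = ["02:58:54", "02:58:55", "02:58:58", "02:59:00", "02:59:03"]
ENTRY = ("2013-10-04 {} courier_login authenticator failed for (pc07) "
         "[113.78.38.218]:2622: 535 Incorrect authentication data (set_id=xedofghj)")
NOTICE = "\n".join([
    "lfd: blocked 113.78.38.218 (CN/China/-)",
    "Time:     Fri Oct  4 02:59:09 2013 -0400",
    "IP:       113.78.38.218 (CN/China/-)",
    "Failures: 5 (smtpauth)",
    "Interval: 300 seconds",
    "Blocked:  Yes",
    "", "Log entries:", "",
] + [ENTRY.format(t) for t in TIMES])

# Assumed patterns: they cover the lfd header, the counters and the courier lines above.
HEADER_RE = re.compile(r"^lfd: blocked (?P<ip>[\d.]+) \((?P<cc>[^/]*)/(?P<country>[^/]*)/(?P<asn>[^)]*)\)$")
FAILURES_RE = re.compile(r"^Failures:\s+(?P<count>\d+) \((?P<service>\w+)\)$")
INTERVAL_RE = re.compile(r"^Interval:\s+(?P<secs>\d+) seconds$")
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) courier_login authenticator failed for "
    r"\((?P<helo>[^)]*)\) \[(?P<ip>[\d.]+)\]:(?P<port>\d+): (?P<code>\d{3}) (?P<reason>.+?) "
    r"\(set_id=(?P<user>[^)]*)\)$")

def parse_notice(text):
    """Turn one lfd block notice into a dict; entries become (time, ip, user, code) tuples."""
    info = {"entries": []}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            info.update(ip=m["ip"], cc=m["cc"], country=m["country"])
        elif m := FAILURES_RE.match(line):
            info["failures"], info["service"] = int(m["count"]), m["service"]
        elif m := INTERVAL_RE.match(line):
            info["interval"] = int(m["secs"])
        elif line.startswith("Blocked:"):
            info["blocked"] = line.split()[-1] == "Yes"
        elif m := ENTRY_RE.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            info["entries"].append((ts, m["ip"], m["user"], m["code"]))
    return info

def threshold_met(info):
    """Re-check lfd's decision: at least `failures` entries from the blocked IP inside `interval` seconds."""
    stamps = sorted(ts for ts, ip, _, _ in info["entries"] if ip == info["ip"])
    if len(stamps) < info["failures"]:
        return False
    return stamps[-1] - stamps[0] <= timedelta(seconds=info["interval"])

if __name__ == "__main__":
    parsed = parse_notice(NOTICE)
    print(parsed["ip"], parsed["service"], parsed["failures"], threshold_met(parsed))
```

For this notice the five entries span only nine seconds, so the check confirms the block; the same parser can be pointed at a directory of saved notices to count repeat offenders per service.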

This can be modified at: 

Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> Login Failure Blocking and Alerts

If you disable it, remember that you will be unable to detect brute-force attempts against your system, so you may want to fine-tune it before you think about disabling it.

Btw, do you recognize this IP as a bad offender?

--

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

Comments

I'd like to point out that CSF is separate from cPanel. While it was originally developed (I think) for cPanel, it can be run on its own via CLI. This set of scripts has been my choice of auto monitoring, taking action based on certain events, and reporting for quite a while - and I HATE cPanel (and do all of my administration from the command line).

You can download CSF from http://configserver.com/cp/csf.html.

Here's a typical line in my CSF log file I see quite often:
Sep 29 05:41:30 elmer lfd[24696]: (sshd) Failed SSH login from 218.64.114.103 (CN/China/-): 5 in the last 300 secs - *Blocked in csf* [LF_SSHD]

> do you recognize this IP [113.78.38.218] as a bad offender?

A SANS web-site: http://isc.sans.edu/ipdetails.html?ip=113.78.38.218
gives a "no".

QED.

Hello There,

For IP 113.78.38.218, it does have a poor reputation as per WOT (Web of Trust). To check the reputation of a site, ipvoid.com is a good site.

I have checked HTTP transactions for that site but didn't find anything suspicious. I would say treat the IP as suspicious and action it accordingly.

FL