Topic: Using OSSEC to detect / block the XMLRPC.PHP attack.
The basis of this post came from this persons blog. A big thanks to he/she/it for the info!
For my purposes however, I made a couple small changes.
First, for some reason, the Apache log was being tagged a a pureftp-transfer decode. Since I dont run PureFTP, I simply disabled this decoder and removed the pure xml config file from ossec.conf.
I added the below config to the local rules file, but also included the group name to make sure it was added to web,accesslog.
<group name="web,accesslog,"> <rule id="100167" level="1"> <if_sid>31108</if_sid> <url>xmlrpc.php</url> <match>POST</match> <description>WordPress xmlrpc attempt.</description> </rule> <rule id="100168" level="10" frequency="2" timeframe="600"> <if_matched_sid>100167</if_matched_sid> <same_source_ip /> <description>WordPress xmlrpc attack.</description> <group>attack,</group> </rule> </group> <!-- Web access log -->
There are a lot of IP security cameras out there today at really good deals.
Putting one in your house to keep an eye on things is a great idea and they are easy to setup.
But, do you trust them? What about the cheaper ones you can get from China? After all, you hear in the news all the time about some of the products being imported being prebuilt with Trojans or other malicious software.
I have several cameras by a popular Chinese based manufacturer. I decided to check up and see what happens when it boots up and whom it tries to talk to while itâ€™s running.
Disclaimer: I run these in a dedicated / isolated VLAN and they normally have no ability to talk to the Internet or see the rest of my network. Essentially for my purposes, I really donâ€™t care whom they try to talk to.
For my test, I tried to boot the camera two ways. First boot was with the firewall blocking the connection. Second test was with the firewall wide open allowing the camera to do whatever it felt like doing.
Firewall: Cisco ASA5505
Switch: Cisco 2960 (Camera port #13, traffic mirrored to #33)
Sniffer: WireShark on my laptop, plugged into #33
My first test with the firewall blocking all connections resulted in the camera trying to establish a remote TCP connection to one of six different IP addresses; all of which are located in China. Destination ports 80, 443 and 8000 are attempted. All firewall blocked.
My second test resulted in the camera actually connecting to three separate IP addresses 220.127.116.11(china), 18.104.22.168(amazonEC2) and 22.214.171.124(china). This canâ€™t be good, right?
After those connections were established, every three minutes or so, the camera then tried to talk to three more IP addresses, 126.96.36.199(Czech Republic), 188.8.131.52(amazonEC2) and 184.108.40.206(china).
I would call it highly suspicious that these cameras call home like they are doing and would suspect either malware or some other nefarious purpose.
yum install ccze -y
sudo apt-get install ccze -y
- How to use…
tail /var/log/syslog | ccze -A
1. Shut Filezilla down.
2. Hold COMMAND – OPTION – SHIFT
3. Keep holding and start the app back up.
It should start on screen.