Heavy Scans for Low-Hanging Fruit

This content originally appeared on Perishable Press and was authored by Jeff Starr

I’ve been working on developing the 8G Firewall. Digging through log files and crunching the data, the big new trend I’m noticing is heavy scanning for easy targets: low-hanging fruit. Bad actors are looking for any little hidden files stashed on your server. Mostly PHP files, but also ZIP and RAR files and other formats commonly used for compressing and archiving content.

Basically, anything that might contain useful information (like login credentials, database backups, email addresses, etc.). Also, 99% of the requests for these files target the public root directory. I’m noticing a high volume of requests for such files across servers: just malicious little bots searching for anything you (or anyone) might have forgotten about.

Some Examples

To get a better idea of what I’m referring to when I say “low-hanging fruit”, let’s look at some examples of the types of files being targeted. There are many such files, with names usually ranging in length between one and four characters. For single-character names, they basically scan for all of them:

0.php
1.php
2.php
3.php
.
.
.
a.php
b.php
c.php
.
.
.
x.php
y.php
z.php

But they’re not stopping with single-character names. Here are some examples of targeted file names containing two characters. They’re not looking for every letter combination, just certain ones: the kinds of names they imagine people would give their one-off, odd little experiments and temporary files, for example:

0z.php
db.php
xx.php
fx.php
up.php
go.php
me.php
ok.php
hi.php
v1.php
v2.php
1a.php
2c.php
3uv.php
45.php
it.php

So they’re digging around in the cracks, looking for loose or otherwise forgotten files stashed in the corners of servers around the Web, low-hanging fruit like:

bak.php
web.php
x0x.php
you.php
404.php
777.php
100.php
www.php
new.php
doc.php

Because you just know that there are people out there who actually name their files things like www.php and new.php. And most likely such files contain some sort of information that can be exploited somehow. That’s obviously what the scanners are thinking, and just based on the sheer volume of these types of scans, apparently the strategy is paying off for them (or they wouldn’t be doing it).

More examples

Most scans (or probes, or whatever you want to call them) are looking specifically for PHP files. But I’m also seeing heavy activity searching for compressed formats like TAR, RAR, ZIP, GZ and tar.gz, for example:

www.rar
www.zip
wwwroot.rar
backup.zip
wpzip.php
bak.7z
web.rar

Also commonly requested are files named with short words and common phrases, software names and abbreviations, etc. For example, info.php is a very popular file name, as are files with names such as these:

blog.php
test.php
note.php
hide.php
info.php
vuln.php

1984.php
2020.php

wp.php
ws.php
wii.php
cms.php
wp2.php

Again, these are file names that people might use when moving stuff around on the server, saving data, making backups on the fly, etc. A good example is the humble index.php file. They’re relentlessly looking for variations on index.php, like:

1ndex.php
1index.php
123index.php
xindex.php
sindex.php
index1.php
index2.php
index3.php
.
.
.

Do people actually name index files things like index1.php and then leave them on the server? Sadly, YES. It’s an easy way to make a quick backup or snapshot of a file or script. And those are the types of loose, rogue files that are heavily targeted.

Further discussion

As mentioned, I’m working on the next version of the nG Firewall, which blocks a LOT of these “low-hanging fruit” type requests. Such requests are tricky to block because you never know which files are legit: the targeted file names all comprise common characters like letters and numbers. The 8G Firewall strives to balance effective blocking of short file names with a minimal rate of false positives.

Of course, bad bots and spammers are scanning for anything they can find, not just files with short names. That is why I develop firewalls like 7G, 8G, and BBQ/Pro. These firewalls offer strong protection against a wide range of threats and malicious requests. They work well with a very low number of false positives, because they aren’t blocking requests for anything that could be a legitimate file.

The downside to minimizing false positives is that many requests for small random file names make it through. But really, if the file doesn’t exist, the only difference between blocking and allowing is the response code: 403 “Forbidden” or 404 “Not Found”, respectively. In some cases however, for example with WordPress, returning a 404 response typically means loading up PHP, the database, assets, and everything else, whereas returning a 403 response typically requires only a few bytes of data. Thus, blocking as many short-filename requests as possible can help to improve your site’s performance.

With all that in mind, the best advice to avoid getting stung by one of these scans is to make sure that your server is clean of any one-off, odd, whatever files. Just stick with the core app files and related assets. Any files that are not part of the project, and not used for anything, should be removed from the server. If you need to store something on the server, lock it down with authentication or deny all public access via a private directory or similar.
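As an added example (not code from this post, nor from the nG Firewall project), the following Python script puts the two practical points above into working form: it flags requests for the file-name patterns listed earlier (short alphanumeric .php names, archive extensions, index.php look-alikes, all in the public root) in combined-format access-log lines, and it audits a document root for the same kinds of leftover files so they can be removed or locked down. The log lines and the sample docroot are constructed for the demo; the allowlist of legitimately short root-level names assumes a typical WordPress install and should be extended for your own app.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Root-level files that are legitimately short-named (assumption: a typical
# WordPress install); extend this for your own app so they are never flagged.
ALLOW = {"index.php", "wp-login.php", "xmlrpc.php", "wp-cron.php", "robots.txt"}
# Archive/backup extensions the post reports being probed for.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".gz", ".tgz", ".tar", ".sql", ".bak")
# 1-4 alphanumerics plus .php: 0.php, db.php, bak.php, info.php, 1984.php.
SHORT_PHP = re.compile(r"^[a-z0-9]{1,4}\.php$", re.I)
# index.php look-alikes: 1ndex.php, xindex.php, 123index.php, index1.php.
INDEX_VARIANT = re.compile(r"^(?!index\.php$)[a-z0-9]*[i1]ndex[a-z0-9]*\.php$", re.I)

def classify(name):
    """Reason string if a root-level file name matches the probe patterns, else None."""
    name = name.lower()
    if not name or name in ALLOW:
        return None
    if name.endswith(ARCHIVE_EXT):
        return "archive"
    if SHORT_PHP.match(name):
        return "short-php"
    if INDEX_VARIANT.match(name):
        return "index-variant"
    return None

# --- 1. Detection over access-log lines (Apache/Nginx combined log format) ---
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (documentation-range IPs, not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2023:10:01:02 +0000] "GET /0.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2023:10:01:03 +0000] "GET /db.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2023:10:01:04 +0000] "GET /www.rar HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2023:10:01:05 +0000] "GET /1ndex.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.2 - - [26/Apr/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.2 - - [26/Apr/2023:10:02:01 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Apr/2023:10:03:00 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Apr/2023:10:03:01 +0000] "GET /info.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def classify_request(target):
    """Only the public root is considered: the post reports 99% of probes hit it."""
    path = urlsplit(target).path.lstrip("/")  # drops the query string too
    return None if "/" in path else classify(path)

def scan_log(text):
    """Map client IP -> Counter of probe reasons for every flagged request."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reason = classify_request(m.group("target"))
            if reason:
                hits[m.group("ip")][reason] += 1
    return dict(hits)

def suspect_clients(text, min_hits=2):
    """Clients with at least min_hits flagged requests, sorted for reporting."""
    return sorted(ip for ip, c in scan_log(text).items() if sum(c.values()) >= min_hits)

# --- 2. Audit of the document root for files that invite these probes --------
def audit_docroot(root):
    """(relative path, reason) for probe-pattern names in the public root and
    archive/backup files anywhere below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for fname in files:
            if rel_dir == ".":
                reason = classify(fname)
            else:
                reason = "archive" if fname.lower().endswith(ARCHIVE_EXT) else None
            if reason:
                findings.append((fname if rel_dir == "." else os.path.join(rel_dir, fname), reason))
    return sorted(findings)

def make_sample_docroot():
    """Build a throwaway docroot of empty files (constructed) and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in ("index.php", "wp-login.php", "db.php", "index1.php",
                "wp-content/style.css", "wp-content/uploads/site-backup.zip"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip, dict(reasons))
    for rel, reason in audit_docroot(make_sample_docroot()):
        print(f"remove or lock down: {rel} ({reason})")
```

The four-character cap in SHORT_PHP mirrors the trade-off the post describes: a name like wpzip.php slips through, but a legitimate five-letter script in the root is not flagged, and anything in the allowlist is never flagged regardless of length. Feed real log lines into scan_log and run audit_docroot against the actual public root to get both sides of the picture: who is probing, and what is there for them to find.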

Closing thoughts

The take-home message for admins and developers is to avoid using short, simple file names. Instead, follow best practice and use descriptive naming for all files, especially if they’re located in the public root directory of your site. For example, project-name-date-version.php is going to be much harder to find than script1.php or some other lazy/weak file name. Using precise, descriptive file names improves the footprint and clarity of your app, while helping to avoid any nefarious entanglements with shady characters and their relentless low-hanging fruit scans.

Jeff Starr | Sciencx (2023-04-26T22:28:35+00:00) Heavy Scans for Low-Hanging Fruit. Retrieved from https://www.scien.cx/2023/04/26/heavy-scans-for-low-hanging-fruit/