One of the websites I manage had unusual traffic last month. There was ~6,500 hits on a URL within the site that doesn't exist (the server sent a correct 404 response according to the logs).

The URL was /fkzk-start.html and the hits were from a variety of IP addresses from all over the world. Each IP also visited other pages on the website, but the traffic to the /fkzk-start.html page used a different user agent:

"MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0"

There were the usual dozen or so automatic attacks against exposed CMS admin directories, which would have all received 404 responses as well, but no other traffic that was out of the ordinary.

Was this an attempted hack on my website?

GeoffAtkins

2 Answers

2

In order to know if it is a "real" attack you need to know what type of requests were made. If these IPs were just doing 6,500 GET requests over a month it cannot be qualified as an "attack" in my opinion. You need to analyze the log file to determine what resource was to be accessed from this URL. At first glance it could appear as a DDoS according to the different IPs, but as I said before the number of requests over a time span of one month is nowhere near enough to throttle a web server in my opinion.

jehutyy
  • Yes, they were GET requests. And no, 6,500 requests over a month had zero effect on the web server's performance. What struck me as odd was the request for the same strange and nonexistent html file, and the odd user agent string in the logs. – GeoffAtkins Apr 19 '17 at 12:06
  • It could be a crawler bot that aims at different kinds of sites without any distinction about whether a page exists or not. – jehutyy Apr 19 '17 at 12:09
2

The amount (~6,500) of 404 hits doesn't tell much without knowing the ratio to all hits. However, if these are from IP addresses from your normal users and the ratio is low, it's not likely an attack.

The MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0 in the user agent usually refers to a situation where an iPhone user is using the Add to Home Screen option in the Share menu. While the normal user-agent from the client starts with Mozilla/5.0 (iPhone; CPU iPhone OS followed by the actual version information and lots of stuff for purely historical reasons, the Add to Home Screen sends a different user-agent while it tries to retrieve the standard Apple Touch Icons and the /favicon.ico standardized in HTML 4.01 and XHTML 1.0.

GET /apple-touch-icon-120x120-precomposed.png HTTP/1.1 
GET /apple-touch-icon-120x120.png HTTP/1.1 
GET /apple-touch-icon-precomposed.png HTTP/1.1 
GET /apple-touch-icon.png HTTP/1.1 
GET /favicon.ico HTTP/1.1

In addition to these standard locations there might be something else defined in

<link rel="apple-touch-icon" href="some.png" />
<link rel="apple-touch-icon-precomposed" href="some.png" />

causing it to be retrieved during the shortcut addition.

CFNetwork is an Apple framework for macOS and iOS. Therefore the same user-agent may have been caused by an iOS app. If your site serves any iOS apps, check that the app doesn't have any historical code that tries to access /fkzk-start.html.

This particular /fkzk-start.html file doesn't seem to be a known sign of a vulnerable CMS or the like. Sometimes such known paths are crawled to identify vulnerable sites before an actual attack.

Esa Jokinen
  • The total requests for .html files on the site resulting in a 200 response is ~12,700 for the same period. There are zero apps served by this website (which is for a small business). There were ~2,500 attempts to access the `/fkzk-start.html` file in February, and ~1,000 in January, but zero in December. – GeoffAtkins Apr 19 '17 at 14:02
  • I wasn't aware that fkzk-start had any actual use; I did Google it before coming here. None of these requests also looked for any touch-icon files, though. – GeoffAtkins Apr 19 '17 at 14:05
  • Try to surf on this site with an iPhone/iPad and see whether there are similar requests from your IP or not. – Esa Jokinen Apr 19 '17 at 14:10
  • I did that after you mentioned this. And no. There's none of these odd requests appearing in the logs. – GeoffAtkins Apr 19 '17 at 14:55
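As an added example (not code from either answer), the checks discussed above run over a few constructed combined-format log lines in Python: the share of all requests that hit the odd path, the client IPs and user agents involved, and whether those same clients also fetched the Apple touch icons or /favicon.ico that an Add to Home Screen action would request. The log lines, IP addresses and the function names are constructed for this example.

```python
import re

# Apache/Nginx "combined" log format. The regex and the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Paths iOS requests when adding a site to the home screen (see the answer above).
TOUCH_ICON_RE = re.compile(r'^/apple-touch-icon.*\.png$|^/favicon\.ico$')

SAMPLE_LOG = """\
203.0.113.5 - - [19/Apr/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X)"
203.0.113.5 - - [19/Apr/2017:10:01:03 +0000] "GET /fkzk-start.html HTTP/1.1" 404 210 "-" "MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0"
198.51.100.7 - - [19/Apr/2017:10:05:41 +0000] "GET /about.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [19/Apr/2017:10:05:42 +0000] "GET /fkzk-start.html HTTP/1.1" 404 210 "-" "MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0"
192.0.2.9 - - [19/Apr/2017:10:07:00 +0000] "GET /contact.html HTTP/1.1" 200 2900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X)"
192.0.2.9 - - [19/Apr/2017:10:07:01 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 210 "-" "MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0"
192.0.2.9 - - [19/Apr/2017:10:07:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "MobileSafari/602.1 CFNetwork/808.3 Darwin/16.3.0"
"""


def parse_combined(text):
    """Yield one dict per parseable combined-format log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def profile_path(text, target):
    """Summarize requests for `target`: volume relative to all traffic, distinct clients,
    user agents used, and how many of those clients also fetched touch icons / favicon."""
    total = 0
    target_hits = []
    icon_ips = set()  # clients that requested an Apple touch icon or /favicon.ico
    for rec in parse_combined(text):
        total += 1
        if rec["path"] == target:
            target_hits.append(rec)
        elif TOUCH_ICON_RE.match(rec["path"]):
            icon_ips.add(rec["ip"])
    ips = {r["ip"] for r in target_hits}
    return {
        "total_requests": total,
        "target_hits": len(target_hits),
        "ratio": len(target_hits) / total if total else 0.0,
        "distinct_ips": len(ips),
        "user_agents": sorted({r["ua"] for r in target_hits}),
        # A genuine Add to Home Screen would show icon requests from the same client.
        "ips_with_touch_icon_requests": len(ips & icon_ips),
    }
```

On the sample data the two clients hitting /fkzk-start.html never request any touch icon, which is the pattern the asker reported in the comments and is what separates this traffic from the home-screen explanation.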