We all understand the need for backups, and websites are no exception. Typically, before significant changes or during transfers and upgrades, the admins perform a full backup of the website's documents, and in many cases they archive the files in one big zip or tar file for transfer or download. Just as often, the backup file stays where it was created because the admins get pulled into other tasks. This is exactly what many attackers wait for: a chance to grab a copy of the entire website, which in many cases contains the information they need to compromise it.
Let's take a look at what type of files the threat actors are looking for. Using Splunk to search through 30 days' worth of IIS logs for www.eventid.net, we get almost 2,500 distinct file names requested by attackers. This search compiles statistics for requests whose URI stem contains ".tar" or ".zip":
index=iis cs_uri_stem="*.tar*" OR cs_uri_stem="*.zip*" | stats count by cs_uri_stem | sort -count
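As an added example (not part of the original post, and not the author's Splunk setup), here is the same grouping done in Python over a constructed IIS W3C log sample, plus two views the Splunk one-liner does not give: the number of distinct archive names each client tried, which is the brute-force signature, and any archive request that was answered with 200 rather than 404. The field names (cs-uri-stem, c-ip, sc-status) are the standard IIS W3C ones; the log lines and IP addresses are made up for the example.

```python
from collections import Counter, defaultdict

# Same substrings the Splunk query matches with *.tar* / *.zip*.
ARCHIVE_MARKERS = (".tar", ".zip")

# Constructed IIS W3C extended log sample; not real traffic from www.eventid.net.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-01-01 00:00:01 10.0.0.5 GET /backup.zip - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 15
2016-01-01 00:00:02 10.0.0.5 GET /www.zip - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 12
2016-01-01 00:00:03 10.0.0.5 GET /wwwroot.tar.gz - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 11
2016-01-01 00:00:04 10.0.0.5 GET /backup.zip - 80 - 198.51.100.9 curl/7.47 - 404 0 2 10
2016-01-01 00:00:05 10.0.0.5 GET /index.html - 80 - 192.0.2.33 Mozilla/5.0 - 200 0 0 9
2016-01-01 00:00:06 10.0.0.5 GET /MirServer.zip - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 10
2016-01-01 00:00:07 10.0.0.5 GET /a.zip - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 10
2016-01-01 00:00:08 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.33 Mozilla/5.0 - 200 0 0 5
2016-01-01 00:00:09 10.0.0.5 GET /backup.zip - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 10
2016-01-01 00:00:10 10.0.0.5 GET /Site_Backup.ZIP - 80 - 198.51.100.9 curl/7.47 - 200 0 0 250
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name.

    The column layout comes from the '#Fields:' directive, so any field selection
    works; other '#' lines are directives and are skipped. IIS writes '-' for an
    empty field and encodes spaces inside a field as '+', so split() is safe.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def archive_requests(records, markers=ARCHIVE_MARKERS):
    """Equivalent of cs_uri_stem="*.tar*" OR cs_uri_stem="*.zip*".

    Splunk wildcard matches on field values are case-insensitive, so the stem is
    lowercased; a substring match keeps names such as .tar.gz or .zip.bak.
    """
    return [r for r in records if any(m in r["cs-uri-stem"].lower() for m in markers)]


def count_by_stem(records):
    """Equivalent of '| stats count by cs_uri_stem | sort -count'."""
    return Counter(r["cs-uri-stem"] for r in records).most_common()


def distinct_stems_by_client(records):
    """Rank clients by how many different archive names they tried.

    Beyond the original query: one client asking for dozens of distinct .zip/.tar
    names is the brute-force pattern, whatever the per-name counts are.
    """
    seen = defaultdict(set)
    for r in records:
        seen[r["c-ip"]].add(r["cs-uri-stem"])
    return sorted(((ip, len(s)) for ip, s in seen.items()), key=lambda t: (-t[1], t[0]))


def successful_downloads(records):
    """Archive requests that were served: 200, or 206 for a ranged download.

    A 404 is a failed guess; a 200 means the archive existed and went out the door,
    which is the event worth alerting on.
    """
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records if r["sc-status"] in ("200", "206")]


def report(text):
    """Run all three views over raw log text and return them in one dict."""
    hits = archive_requests(parse_iis_w3c(text))
    return {
        "by_stem": count_by_stem(hits),
        "by_client": distinct_stems_by_client(hits),
        "downloaded": successful_downloads(hits),
    }


if __name__ == "__main__":
    for section, rows in report(SAMPLE_LOG).items():
        print(section)
        for row in rows:
            print("   ", *row)
```

Run as a script it prints the three tables for the sample; pointed at a real u_ex*.log, the "downloaded" list is the one to act on, since a 404 is only a failed guess while a 200 means the backup was actually served to whoever guessed the name.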
Here is just a small sample of the types of files that are searched:
So, starting from the actual site URL, they scan for many .zip and .tar combinations of the main domain name, for folder names used by popular web servers, and for the generic, quick file names an admin might pick on the spur of the moment: web.zip, a.zip, backup.zip, data.zip, etc. Basically, it is a brute-force attack against the backup file name. Interestingly, MirServer, a file name related to online gaming, appears in a few hundred variations.
From a demographics perspective, 85% of the requests come from China, followed by the USA with 10% and Russia with 2%.
Next time you create a backup of your website(s), make sure that the file is not accessible from the website itself or, if it has to be, use a file name that is not easy to guess. Apart from using the website as a way to move the backup file to an off-line location, there is no reason to store it there. If you need to download it, use a hard-to-guess name, retrieve the file and then remove it; the logs above show that the names are being guessed systematically, so an unguessable name only buys the few minutes the file needs to stay downloadable, and the fix is to keep it out of the web root.