0

My site had been hacked today and I was also able to find the injection point in my site. I'm working on how to prevent this in future.

This is my server log:

8.37.230.5 - -  "POST /admin/images/uploads/pro_01-04rin.php HTTP/1.1" 200 38597
"http://mywebsite.com/admin/images/uploads/pro_01rin.php"
"Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; SM-G313HZ Build/KOT49H)
AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0
UCBrowser/10.10.8.820 U3/0.8.0 Mobile Safari/534.30"

What I know:

  • I have tracked down this IP 8.37.230.5 but it leads to nowhere because every hacker uses some kind of proxies, so definitely this is a fake IP.
  • Information about User agent is Mozilla/5.0 (Linux; U; Android 4.4.2; AppleWebKit/534.30 UCBrowser/10.10.8.820 U3/0.8.0 Mobile Safari/534.30)

My questions:

  • If every hacker uses proxy then what is the benefit of getting this ip in the server log?
  • Is there any other way to get the real ip of the user by any modification in my website so that I can identify who did this?
  • As you can see in user agent, there are Android 4.4.2 and UCBrowser/10.10.8.820. What does this mean? Did they hack my website from UC Browser in Android 4.4.2?

I've googled about this but no luck.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Tejas Pandya
  • 153
  • 1
  • 1
  • 11
  • 1
    1) "leads nowhere" is wrong - it goes somewhere, 2) Not all hackers use proxies. – schroeder Dec 23 '17 at 11:28
  • 1
    *"..what is the benefit of getting this ip in the server log?"* - do you use your server log only to detect hackers? Most use it also to get an idea how many visits the site has, from where etc - and then logging the IP makes sense since it is usually the real IP of the visitor. – Steffen Ullrich Dec 23 '17 at 12:55

1 Answers1

3
  1. The IP goes to Quantil Networks. Quantil is the datacenter for UCWeb, the maker of UC Browser (the useragent used). This is very useful info.

  2. There are ways to use Java to unmask a proxy user, but they are not foolproof. There are many questions here about how to do that.

  3. An online useragent parser returns:

    UC Browser 10 on Android (KitKat) Samsung SM-G313HZ

Useragents can easily be changed or spoofed, but this is what this useragent means, real or not. Given where the IP is coming from, it is likely accurate.

None of these things will prevent attacks in the future, but they do help you understand who sent this attack. It looks like a UCBrowser user on a Samsung device using the UCWeb proxy. You could try reporting this abuse behavior to UCWeb and they might be able to look into it further.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • thank you for your response . but how can i know the real ip and as you wrote `they do help you understand who sent this attack` can you explain how can i know who sent this attack ? – Tejas Pandya Dec 23 '17 at 11:42
  • @Tej you cannot know the real IP, but you know at least one of the IPs involved. You might not need to know the real IP in order to get this one incident investigated and stopped. – schroeder Dec 23 '17 at 11:52
  • I wonder if it had X-Forwarded-For. If it is a caching proxy, it almost certainly does. – forest Dec 23 '17 at 11:53
  • @schroeder ok get it but what does this mean from an ISP who are the same makers of the browser ? maker of the browser tries to hack my site ? is it so ? – Tejas Pandya Dec 23 '17 at 11:53
  • @Tej I am trying to find proof of this, but I suspect that UCWeb offers caching, which makes it look like the traffic is coming from the UCWeb server, even though a user device actually made the request. – schroeder Dec 23 '17 at 11:57
  • 2
    @Tej You should configure your server to log the X-Forwarded-For header next time, as caching proxies like this very often add the original IP address to that, given that the purpose of the proxy is performance rather than anonymity. There may not be much you can do this time, but if you are able to record the original IP from the headers, you don't need to go about (potentially illegally) trying to use Java applets or Flash to deanonymize your users. – forest Dec 23 '17 at 11:58
  • @forest and schroeder thank you guys for your guidance , so my conclusion is > This guy definitely used Android 4.4.2 and UCBrowser for this and as forest said . i should configure my server to log X-Forwarded i will work on that . – Tejas Pandya Dec 23 '17 at 12:24
  • 1
    Almost definitely used (chances are good, but it is not a guarantee). What's even more important though is closing the exploitation vector. Judging by the URLs you gave, it seems like it was simply someone who uploaded a PHP shell as an image. There are many ways to prevent that. – forest Dec 23 '17 at 12:26
  • @forest yes you are right . I'm currently working on that and placing validation both side to check for file . – Tejas Pandya Dec 23 '17 at 12:49