Abdullkarem attack – a hack against sysadmins’ bad practice

George Egri

Mystery is on the horizon, ladies and gentlemen! And we always get excited about unappreciated server attacks, just like this ‘abdullkarem’ one. Come, put on the role of Sherlock Holmes with us.


Recently, one attack type has become very frequent. More and more sysadmins experience and complain about malicious requests like these:

GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&
GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45
GET /wp-admin/includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&
GET /wp-includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&
GET /wp-content/uploads/wp_config.php?php4&root&upl&wphp4&abdullkarem&450799&wp&

At first glance it looks like the usual botnet scan for infected files and CMS discovery. But it is also easy to see that the queries have one thing in common: the word ‘abdullkarem’. So the attackers made a mistake, a sysadmin could say; they added this word to every attack query. A lot of sysadmins react to this attack by banning the word ‘abdullkarem’. It is an easy way to stop the attack: blacklist the word ‘abdullkarem’.

There are many different tools suitable for blacklisting: fail2ban, mod_security, iptables string matching, or a varnish/nginx/apache ban. So the attack does not look really dangerous, and most sysadmins will be proud to have defended against it.

But wait a minute! Do you really think the hackers are that dumb and added this string by mistake? No! It was part of the plan! They know you will find the different requests in your logs. Almost all of them will be 404 requests, and they look similar to real attacks (but in this case that part is not really important to them).

The point of the attack was to make you blacklist the word ‘abdullkarem’!

This is a new type of cyber terror attack. The terrorists want to make the Internet blind to something. Just think of it! Someone writes a blog post with nice URLs, and one of them looks like this: /important_news_about_syrian_politics_AbdullKarem. This blog is hosted by you. You have a rule to block requests containing “abdullkarem”. The search engine crawler tries to crawl the content, but access is denied. No page indexed. Or someone wants to click on a link… access denied.
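To make the collateral damage concrete, here is an added example (not code from the post or from BitNinja) that runs two candidate rules over the five attack requests quoted above plus some legitimate URLs. The first legitimate URL is the post's own hypothetical blog slug; the other legitimate request lines are constructed for this illustration. The "keyword ban" is what a bare string match on ‘abdullkarem’ amounts to, whichever tool enforces it; the "signature ban" keys on the full query string the attack requests actually share.

```python
import re

# Constructed sample request lines for this illustration. The first five are the
# attack requests quoted in the post; the rest are legitimate URLs of the kind the
# post describes (content whose URL merely happens to contain the name).
ATTACK_REQUESTS = [
    "GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&",
    "GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45",
    "GET /wp-admin/includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&",
    "GET /wp-includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&",
    "GET /wp-content/uploads/wp_config.php?php4&root&upl&wphp4&abdullkarem&450799&wp&",
]
LEGITIMATE_REQUESTS = [
    "GET /important_news_about_syrian_politics_AbdullKarem",  # the post's own example
    "GET /2015/10/interview-abdullkarem-transcript/",          # constructed
    "GET /search?q=abdullkarem+speech",                         # constructed
    "GET /wp-content/uploads/2015/10/photo.jpg",                # constructed, unrelated
]


def keyword_ban(request_line: str) -> bool:
    """The blanket rule the post warns about: drop anything containing the word.

    A fail2ban filter, mod_security rule or iptables string match on the bare
    keyword behaves exactly like this, whatever tool enforces it.
    """
    return "abdullkarem" in request_line.lower()


# The attack requests share far more than one word: the same fixed query string
# appended to a .php path. A rule keyed on that whole signature matches the probe
# traffic without touching ordinary URLs that merely contain the name.
ATTACK_SIGNATURE = re.compile(r"\.php\?php4&root&upl&wphp4&abdullkarem&", re.IGNORECASE)


def signature_ban(request_line: str) -> bool:
    """Narrower rule: block only requests carrying the complete attack query string."""
    return ATTACK_SIGNATURE.search(request_line) is not None


def evaluate(rule, attacks, legitimate):
    """Return (attack requests caught, legitimate requests wrongly blocked) for a rule."""
    caught = [r for r in attacks if rule(r)]
    collateral = [r for r in legitimate if rule(r)]
    return caught, collateral


if __name__ == "__main__":
    for name, rule in (("keyword ban", keyword_ban), ("signature ban", signature_ban)):
        caught, collateral = evaluate(rule, ATTACK_REQUESTS, LEGITIMATE_REQUESTS)
        print(f"{name}: blocked {len(caught)}/{len(ATTACK_REQUESTS)} attack requests "
              f"and {len(collateral)} legitimate requests")
        for r in collateral:
            print("   collateral:", r)
```

Both rules stop all five probe requests, but the keyword ban also blocks three of the four legitimate requests, which is precisely the outcome the attackers were after. The signature ban is only a stop-gap for this particular probe pattern; the lasting lesson is to write rules against the malicious structure of a request (path plus query string, or the source's behaviour such as repeated 404s), never against a bare name that legitimate content may contain.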

Did the cyber terrorists do a good job?

Perhaps they did: if you search for ‘abdullkarem’ you will only find a bunch of forums where sysadmins complain about this attack. All the real content has been filtered out by sysadmins fooled by the attack requests.

Who is Abdullkarem?

Well, I haven’t researched him deeply, and search engines are blind to a lot of content, but from what I was able to find he is related to Syrian politics. I have only found some speeches by him, but unfortunately I can’t understand them. But imagine such an attack with the string barackobama 3 months before the U.S. elections…

What can you do if you don’t want to help cyber terrorism?

Not blocking the attack is dangerous for your servers, as the volume of the attacks is sometimes quite high (attackers use hacked websites to proxy the attacks, so resources are cheap for them). If you block the string ‘abdullkarem’, you help the attackers. Fortunately BitNinja has a better solution than the traditional tools!

By using BitNinja on your server, you can avoid blacklisting search engines and other good bots, keep the freedom of speech and keep your property safe at the same time.

BitNinja is an easy-to-use server security tool which protects your servers/websites against 99% of cyberattacks.
