WeBWorK Main Forum

Suspicious login attempts

by Alex Jordan -
Number of replies: 2

I had occasion to look at the login.log from one of our courses here, and I noticed these entries:

[Mon May 25 01:04:01 2020] LOGIN FAILED user unknown user_id="><script>alert('pubcookie_xss.nasl');</script> login_type=normal credential_source=params host=192.168.222.12 port=60134 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
[Mon May 25 01:05:38 2020] LOGIN FAILED user unknown user_id=jffnms_user_sql_injection.nasl' UNION SELECT 2,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'-- login_type=normal credential_source=params host=192.168.222.12 port=37328 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Then I looked in other courses and I see this happening frequently. In a random sample of 6 courses, something like this is in 3 of them. And when it is there, it is happening on Mondays at 1:04 or so in the morning. In one course it happened 5 weeks in a row, then stopped in early May. In another course, it's been happening for two months. It's there in at least one course that uses the LTI with our LMS, and it's there in at least one course that does not use the LMS at all.

I Googled some of what I see, and found this page:
https://www.exploit-db.com/exploits/30171

This suggests something is trying to exploit some database security vulnerability. Thankfully it appears the attempt is failing, but I thought I should report this. I wonder if anyone using an older version of WW with an older database/password scheme would be vulnerable to whatever this is.

This makes me wonder if I should hide all our courses and just rely on students and faculty either using the LMS or following direct links to their courses.

In reply to Alex Jordan

Re: Suspicious login attempts

by Danny Glin -

It looks like someone is probing your system for sql injection vulnerabilities.  There are a few things that make me suspect that it may be internal security testing and not an actual attack:

  • They use "sql_injection" in the name of their script.
  • It happens at the same time every week.
  • The source IP address is a 192.168.*.* address, which is only valid on your local network.  Unless there is a proxy server in front of your WeBWorK server, that address could only come from within the same network as the server.

The link you provided won't open for me, but from what I can glean it describes a vulnerability in a specific web application written in PHP.  Based on what I'm seeing this is a very simple attack to see if the form is sanitizing entries.  If the login screen in WeBWorK were vulnerable to this type of attack I would think that it would have caused problems long ago.
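
The three points Danny lists (scanner plugin names in the input, a fixed weekly slot, an RFC 1918 source address) can be checked mechanically over a login.log. The script below is an added example written for this thread, not WeBWorK code: it parses lines in the layout shown in Alex's post, tags a `user_id` that looks like an SQL injection or XSS probe or carries a Nessus `.nasl` plugin name, notes whether the source is an RFC 1918 address, and counts hits by weekday and hour. The first two sample lines are copied from the post; the third is constructed to show an ordinary failed login that should not be flagged. It assumes no proxy sits in front of the server, so `host=` is the real client address; behind a proxy that field would show the proxy instead.

```python
"""Triage WeBWorK login.log failures for injection/XSS probes (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines 1-2 are from the forum post, line 3 is a benign failure.
SAMPLE_LOG = """\
[Mon May 25 01:04:01 2020] LOGIN FAILED user unknown user_id="><script>alert('pubcookie_xss.nasl');</script> login_type=normal credential_source=params host=192.168.222.12 port=60134 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
[Mon May 25 01:05:38 2020] LOGIN FAILED user unknown user_id=jffnms_user_sql_injection.nasl' UNION SELECT 2,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'-- login_type=normal credential_source=params host=192.168.222.12 port=37328 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
[Tue May 26 09:12:44 2020] LOGIN FAILED user unknown user_id=jsmith login_type=normal credential_source=params host=203.0.113.7 port=51000 UA=Mozilla/5.0
"""

# user_id may contain spaces and quotes, so match it lazily up to the next field name.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] LOGIN FAILED user unknown "
    r"user_id=(?P<user_id>.*?) login_type=(?P<login_type>\S+) "
    r"credential_source=(?P<source>\S+) host=(?P<host>\S+) port=(?P<port>\d+) UA=(?P<ua>.*)$"
)

# Signatures of a login field being used as a probe rather than a username.
PROBE_PATTERNS = {
    "sqli": re.compile(r"(?i)'\s*(union|or|and)\b|--\s*$|\bselect\b"),
    "xss": re.compile(r"(?i)<script|javascript:|onerror="),
    "scanner_plugin": re.compile(r"(?i)\.nasl\b"),  # Nessus plugin file names
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one login.log failure line; return None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["port"] = int(rec["port"])
    return rec


def classify(user_id):
    """Return the names of every probe pattern the user_id matches."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(user_id)]


def is_rfc1918(host):
    """True if host is an RFC 1918 private address (only routable inside the local network)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def triage(log_text):
    """Return one finding per log line whose user_id looks like a probe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["user_id"])
        if not tags:
            continue
        findings.append({
            "when": rec["when"],
            "weekday": rec["when"].strftime("%a"),
            "hour": rec["when"].hour,
            "host": rec["host"],
            "private_source": is_rfc1918(rec["host"]),
            "user_id": rec["user_id"],
            "tags": tags,
        })
    return findings


def schedule(findings):
    """Count probes by (weekday, hour); a single recurring slot suggests a scheduled scan."""
    return Counter((f["weekday"], f["hour"]) for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        origin = "internal" if f["private_source"] else "external"
        print(f["when"], f["host"], origin, f["tags"])
    print(schedule(hits))
```

Run it over a real login.log (or the concatenation of several courses' logs) and look at the `schedule` output: probes that all land in one weekday/hour bucket from a private address are consistent with a scheduled internal scan, while the same payloads from public addresses at irregular times deserve a different response.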

In reply to Danny Glin

Re: Suspicious login attempts

by Alex Jordan -
Thanks, Danny,

I forwarded your suspicions to our IT liaison. She determined that it is indeed internal security testing. Apparently it has been running for several years, but in all that time I'd never seen this showing up in the login log. Something about it is not systematically probing every course, so maybe it just never hit one where I had occasion to look at the log.

Anyway, thanks for the tip.
Alex