Abdullkarem attack – a hack against sysadmins’ bad practice

Mystery is on the horizon, ladies and gentlemen! And we always get excited about underappreciated server attacks, just like this ‘abdullkarem’ one. Come, put on the role of Sherlock Holmes with us.

Recently, one attack type has become very frequent. More and more sysadmins are experiencing and complaining about malicious requests like these:
GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&
GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45
GET /wp-admin/includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&
GET /wp-includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&
GET /wp-content/uploads/wp_config.php?php4&root&upl&wphp4&abdullkarem&450799&wp&

At first blink it seems like a usual botnet scan for infected files and CMS discovery. But it is also easy to see that the queries have one thing in common: the word ‘abdullkarem’. So the attackers made a mistake, a sysadmin could say; they added this word to every attack query. A lot of sysadmins react to this attack by banning the word ‘abdullkarem’. It is an easy solution to stop the attack: blacklisting the word ‘abdullkarem’.
There are many different tools suitable for blacklisting: fail2ban, mod_security, iptables string matching, or a varnish/nginx/apache ban. So the attack is not really dangerous, and most sysadmins will be proud to have defended against it.
But wait a minute! Do you really think hackers are that dumb and added this string by mistake? No! This was part of the plan! They know you will find these requests in the logs. Almost all of them will be 404 requests, similar to real attacks (although in this case that part is not really important for them).
The point of the attack was to make you blacklist the word ‘abdullkarem’!
This is a new type of cyber terror attack. The terrorists want to make the Internet blind to something. Just think of it! Someone writes a blog post with nice URLs, and one looks like this: /important_news_about_syrian_politics_AbdullKarem. This blog is hosted by you. You have a rule to block requests containing “abdullkarem”. The search engine crawler tries to crawl the content, but access is denied. No page is indexed. Or someone wants to click on a link… access denied.
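To make the collateral damage concrete, here is an added example (not part of the original post and not BitNinja's code) that runs a naive "ban the word" rule and a rule keyed on the probe's real fingerprint over a few constructed request lines. The fingerprint chosen here, the bare query flags `php4`, `root`, `upl` and `wphp4` that appear in every probe above, is an assumption drawn from the quoted log lines.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests: two probes copied from the post's log excerpt,
# plus a legitimate article URL and a site search that a real visitor or a
# crawler would send.
SAMPLE_REQUESTS = [
    "GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&",
    "GET /wp-content/uploads/wp_config.php?php4&root&upl&wphp4&abdullkarem&450799&wp&",
    "GET /important_news_about_syrian_politics_AbdullKarem",
    "GET /blog/?s=AbdullKarem",
]


def naive_rule(request_line: str) -> bool:
    """The knee-jerk rule: block any request containing the decoy word."""
    return "abdullkarem" in request_line.lower()


# Bare query parameters (no '=value') that every probe carries together and
# that no real WordPress page would produce. Assumed fingerprint, see lead-in.
PROBE_FLAGS = {"php4", "root", "upl", "wphp4"}


def signature_rule(request_line: str) -> bool:
    """Block on the probe's structure instead of on the decoy word."""
    method, _, target = request_line.partition(" ")
    if method != "GET":
        return False
    query = urlsplit(target).query
    # keep_blank_values=True turns a bare 'php4' into ('php4', '')
    bare_keys = {k for k, v in parse_qsl(query, keep_blank_values=True) if v == ""}
    return PROBE_FLAGS <= bare_keys


def evaluate(requests):
    """Return (request, blocked_by_naive_rule, blocked_by_signature_rule) per line."""
    return [(r, naive_rule(r), signature_rule(r)) for r in requests]


if __name__ == "__main__":
    for request, naive_hit, sig_hit in evaluate(SAMPLE_REQUESTS):
        print(f"naive={naive_hit!s:5} signature={sig_hit!s:5}  {request}")
```

The naive rule blocks all four lines, including the article and the site search; the signature rule blocks only the two probes.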

Did the cyber terrorists do a good job?

Perhaps they did: if you search for ‘abdullkarem’ you will only find a bunch of forums where sysadmins complain about this attack. All the real content has been filtered out by sysadmins fooled by the attack requests.

Who is Abdullkarem?

Well, I haven’t researched him deeply, and search engines are blind to a lot of content, but from what I was able to find, he is related to Syrian politics. I have only found some speeches from him, but unfortunately I can’t understand them. But imagine such an attack with the string barackobama 3 months before the U.S. elections…

What can you do if you don’t want to help cyber terrorism?

Not blocking the attack is dangerous for your servers, as the volume of the attacks is sometimes quite high (attackers use hacked websites to proxy the attacks, so resources are cheap for them). If you block the string ‘abdullkarem’, you help the attackers. Fortunately, BitNinja has a better solution than the traditional tools!
By using BitNinja on your server, you can avoid blacklisting search engines and other good bots, keep freedom of speech, and keep your property safe at the same time.
BitNinja is an easy-to-use server security tool which protects your servers/websites against 99% of cyberattacks.
