Be Careful With Your Website’s Backup Files

When a high profile website gets hacked, it is always useful to see what lessons can be gleaned to ensure that other websites don’t get hacked. Several days ago the technology website Ars Technica (which doesn’t have the best track record with security reporting) was breached. While the details of how they were hacked are somewhat limited, one thing stood out (emphasis ours):

At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file.

That is a good reminder that since backup files often contain sensitive information (including database login details and user info), storing them securely is important to the security of your website. For example, you would not want to store a backup in a file named backup.zip in the root of your website, since hackers go looking for exactly that, as can be seen in the log file entries below from a recent attempt to find backup files on our website:

124.231.26.79 - - [03/Dec/2014:04:11:07 -0500] "HEAD /www.whitefirdesign.com.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:07 -0500] "HEAD /www.whitefirdesign.com.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:08 -0500] "HEAD /www.whitefirdesign.com.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:09 -0500] "HEAD /www.whitefirdesign.com.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:10 -0500] "HEAD /whitefirdesign.com.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:12 -0500] "HEAD /whitefirdesign.com.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:12 -0500] "HEAD /whitefirdesign.com.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:14 -0500] "HEAD /whitefirdesign.com.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:15 -0500] "HEAD /whitefirdesign.com.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:15 -0500] "HEAD /whitefirdesign.com.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:16 -0500] "HEAD /whitefirdesign.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:17 -0500] "HEAD /whitefirdesign.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:18 -0500] "HEAD /whitefirdesign.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:19 -0500] "HEAD /whitefirdesign.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:20 -0500] "HEAD /whitefirdesign.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:20 -0500] "HEAD /whitefirdesign.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:21 -0500] "HEAD /back.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:22 -0500] "HEAD /back.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:23 -0500] "HEAD /back.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:23 -0500] "HEAD /back.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:24 -0500] "HEAD /back.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:25 -0500] "HEAD /back.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:26 -0500] "HEAD /backup.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:27 -0500] "HEAD /backup.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:28 -0500] "HEAD /backup.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:29 -0500] "HEAD /backup.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:30 -0500] "HEAD /backup.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:31 -0500] "HEAD /backup.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:31 -0500] "HEAD /web.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:32 -0500] "HEAD /web.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:33 -0500] "HEAD /web.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:34 -0500] "HEAD /web.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:35 -0500] "HEAD /web.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:35 -0500] "HEAD /web.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:36 -0500] "HEAD /webroot.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:37 -0500] "HEAD /webroot.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:38 -0500] "HEAD /webroot.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:39 -0500] "HEAD /webroot.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:40 -0500] "HEAD /webroot.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:41 -0500] "HEAD /webroot.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:41 -0500] "HEAD /www.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:42 -0500] "HEAD /www.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:43 -0500] "HEAD /www.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:44 -0500] "HEAD /www.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:45 -0500] "HEAD /www.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:46 -0500] "HEAD /www.sql HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:46 -0500] "HEAD /wwwroot.rar HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:48 -0500] "HEAD /wwwroot.zip HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:48 -0500] "HEAD /wwwroot.7z HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:49 -0500] "HEAD /wwwroot.xls HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:50 -0500] "HEAD /wwwroot.xlsx HTTP/1.1" 404 506 "-" "-"
124.231.26.79 - - [03/Dec/2014:04:11:51 -0500] "HEAD /wwwroot.sql HTTP/1.1" 404 506 "-" "-"
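Spotting this kind of probing in your own logs is straightforward once you look for it. The script below is an added example (not code from the original post): it parses Apache combined-format entries like those above, groups requests for backup-style paths by client IP, and reports any client that exceeds a small threshold, singling out 2xx responses because those mean the probe actually found a file. The log lines, IPs and paths in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample entries in Apache combined log format, modelled on the
# probing shown in the post. IPs and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2014:04:11:07 -0500] "HEAD /example.com.zip HTTP/1.1" 404 506 "-" "-"
203.0.113.7 - - [03/Dec/2014:04:11:08 -0500] "HEAD /example.com.sql HTTP/1.1" 404 506 "-" "-"
203.0.113.7 - - [03/Dec/2014:04:11:09 -0500] "HEAD /backup.rar HTTP/1.1" 404 506 "-" "-"
203.0.113.7 - - [03/Dec/2014:04:11:10 -0500] "HEAD /wwwroot.7z HTTP/1.1" 200 8123456 "-" "-"
198.51.100.4 - - [03/Dec/2014:04:12:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Dec/2014:04:12:03 -0500] "GET /files/report.xlsx HTTP/1.1" 200 40960 "http://example.com/" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status and size; referer and agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions probed in the post's log excerpt, plus a few other common dump/archive names.
BACKUP_EXT = re.compile(r'\.(zip|rar|7z|sql|xls|xlsx|tar|gz|bak)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log entry as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backup_probes(log_text, threshold=3):
    """Group requests for backup-like paths by client IP. Return the IPs with at
    least `threshold` such requests, their probe count, and the paths that got a
    2xx response (a 2xx means the probe found a real file, the case to act on).
    The threshold keeps a single legitimate .xlsx download out of the report."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and BACKUP_EXT.search(rec["path"]):
            probes[rec["ip"]].append(rec)
    report = {}
    for ip, recs in probes.items():
        if len(recs) >= threshold:
            hits = [r["path"] for r in recs if r["status"].startswith("2")]
            report[ip] = {"probes": len(recs), "hits": hits}
    return report


if __name__ == "__main__":
    for ip, info in find_backup_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} backup-file probes, found: {info['hits'] or 'none'}")
```

A report with only 404s tells you that you were scanned; a path listed under hits is a file that is reachable from the web root right now and should be moved out of it.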

Unfortunately, not every risk is that easy to spot. Take, for example, a vulnerability in the XCloner – Backup and Restore WordPress plugin that we discussed last week, which allowed any logged-in user to download any backups made by the plugin.

1 thought on “Be Careful With Your Website’s Backup Files”

  1. This opportunistic exploit is still seen today. I arrived here after seeing the following line in the log:

    - - [1x/Apr/2018:00:xx:xx +TZ] "HEAD /wwwroot.rar HTTP/1.1" 302 - "-" "User Agent"

    I have obfuscated the details, just in case.
