Quite often when you read logs and see examples of scans against a system, those will be from the Acunetix vulnerability scanner. If you watch “how to hack” videos on YouTube, you’ll quite often see the Acunetix icon on the desktop. This is because it’s pretty easy to find cracked versions of the tool on forums that offer these types of tools.
Sometimes when I’m looking through logs, I’ll see some strings that I want to try to attribute to a scanner and will put them in google, looking for hits. I often don’t find any but figured if I put some in here, that might help others to find them too and attribute their log entries to Acunetix.
First, take a look at the request headers. There are a couple that Acunetix sets that are a dead giveaway:
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
If you see any of these, you were scanned by someone possessing the Acunetix scanner. It was not the Acunetix company scanning your site, so don’t blame Acunetix for scanning your site any more than you’d blame Ford Motor Company if someone driving a Focus rear-ended your car.
You may also find other references to Acunetix in your logs, often in Cross Site Scripting attempts, or even references to vulnweb.com (a test server Acunetix runs, which is included in some of the scanner's tests). For SQL injection, specifically boolean-based blind SQL injection, Acunetix appends a small arithmetic comparison to the parameter: the +N-N part cancels out, so 3*2 > (0+5+N-N) is always true (6 > 5) and 3*2 < (0+5+N-N) is always false (6 < 5). The scanner sends both variants and compares the responses; if the page differs between the true and false probes, the parameter is flagged as injectable. Some of those requests may look like:
id=-1" OR 3*2 >(0+5+905-905)
id=-1' OR 3*2 >(0+5+635-635) --
page=-1' OR 3*2< (0+5+770-770) --
id=-1'' OR 3*2< (0+5+286-286) --

I'll try to add more examples as I find them in my logs.