Thanks Spork for the detailed reply you got from Berkeley; I got a similar one,
though not quite as detailed. I think the problem with Apache is that it is
simply an index.html sending a 200 "OK" and not actually replying to say "yes, I
am infected with whatever it is they are looking for". At the time when I first
noticed this I looked into various ways of getting Apache to send a 400 or 403,
but it involved messy rewrite rules which I just hate.
Seeing that I am now seeing this same string in various different formats
coming in daily now from IPs all over the globe, I would say whatever infected
servers out there which have already been implanted with this malicious
software are now perhaps being called into action, possibly a big DDoS attack
planned or something else of a more sinister nature. Seeing that Berkeley are
working with and reporting this to law enforcement makes me believe there is
something quite sinister behind all of this.
Anyways, certainly a very interesting one to keep an eye on. I am now also
seeing similarly formatted strings coming in over the past few days, as per
the example below, which now also seem to be targeting SQL servers. Luckily
none of mine are open to the public and only run as localhost, but I am sure a
lot of people with port 3306 exposed are in for something being planned.
This example below came in as a User-Agent string this morning in my logs, so
not only are they sending crazily formatted strings via normal HTTP / HTTPS
requests but also now forging User-Agent strings with similar stuff.
"}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:46:\x22eval($_REQUEST[1]);JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xFD\xFD\xFD\xFD"
I must say every morning there is always something interesting to be found in
one's logs; sadly a great deal of people running servers out there don't seem
to monitor their logs as frequently as they should, if at all.
Kind Regards
Mitchell
https://mitchellkrog.com
From: Spork Schivago <[email protected]>
Reply: [email protected] <[email protected]>
Date: 07 October 2016 at 8:10:58 AM
To: [email protected] <[email protected]>
Subject: Re: [users@httpd] Unknown accepted traffic to my site
Oh! Tawasol, I forgot. If you're not already doing so, you should have your
server scanned for vulnerabilities. There are free websites out there that can
do this, like https://scanmyserver.com/
I believe nmap can also help you scan your server, although I don't think it
was really designed for vulnerability scanning. There are free-for-personal-use
programs, like Nessus. The free version of Nessus only works on the local
area network though. However, websites like https://scanmyserver.com use the
paid version of Nessus. So, you can have your server scanned with Nessus by
using something like scanmyserver.com.
If there are any exploits installed, the vulnerability scanner(s) should detect
them. Just make sure to whitelist the IP address in LFD and CSF before
proceeding, and double check the logs to make sure that CSF / LFD doesn't block
the scanning website.
On Fri, Oct 7, 2016 at 1:53 AM, Spork Schivago <[email protected]> wrote:
Tawasol,
You might want to look into more than just mod_security. For example, there are
modules out there for PHP, for instance, that will make PHP run as a certain
user. If someone manages to take advantage of some poorly written PHP code,
for example, they would only have limited user access and only be able to
access the files in the directory where the html files are being stored.
I have crontab entries set up to scan for rootkits and do a bunch of other
things.
Another program you might want to look into is ClamAV. It's freeware.
Mod_security I like the best though. It really does catch a lot of bad stuff.
It can be a bit confusing setting it up though. Best of luck.
On Fri, Oct 7, 2016 at 1:31 AM, Tawasol Go <[email protected]> wrote:
I use CentOS 7.x also CSF/LFD installed.
Till now they did not get into the server.
I'll look into mod_security.
Thanks,
On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco <[email protected]> wrote:
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago <[email protected]> wrote:
Are you sure they haven't successfully found a way in? There are some free
programs that I use to help prevent this stuff. ConfigServer Firewall / LFD
is a good one. Rkhunter and chkrootkit scan for rootkits. The big one that
helps the most, I feel, is Mod Security. That's the one that monitors the
traffic looking for known scanning software, exploits, etc. and blocks it. I
run in a *nix environment and don't have a lot of experience with Windows
servers though. Not sure what you're running. I'm always really paranoid
and would definitely be worried about my system being compromised if I saw
traffic like you're seeing though. But again, I'm not really that intelligent
when it comes to stuff like this.
Ken
I was going to suggest mod_security as well. I'm not running it, but it's on my
TODO list. I have to determine the performance implications, if any.
-Tony
On Thu, Oct 6, 2016 at 5:21 PM, Spork Schivago <[email protected]> wrote:
Thanks Tony! Much appreciated.
Erik,
Did I ever try to run what on my server? The string query that Berkeley sends
looking for the malware to respond? If so, no, I have never tried to send
that carefully crafted packet to my Apache server. From the previous user who
had what appears to be the same issue as Mitchell though, I would imagine it'd
probably just deliver my default web page (index.html). That's my guess
though.
If anyone cares, I can copy the other e-mails they sent to me that explain how
it all works and why the full string isn't in the Apache logs (I think that has
something to do with the way Apache responds to the string).
They're not actually trying to exploit the server, they're just trying to find
servers that have been infected. If the malware sees a special string, it
responds with a special string. At that point in time, the college contacts
the local law enforcement for that area to inform them and hope that they
contact the owner of the server to inform them that they're infected. Not the
best way I guess to inform people, but better than nothing I guess.
Here, in my city, I doubt the local law enforcement would ever contact me with
anything computer related. I contacted them before because of a crime that
happened in my house, but because the internet and a computer were involved, they
said they couldn't help and my best bet would be trying to contact the FBI or
some other government organization. I doubt anyone at my police station
really knows much about PCs. There doesn't seem to be a cyber crimes division
or anything like that.
On Thu, Oct 6, 2016 at 4:08 PM, Anthony Biacco <[email protected]> wrote:
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <[email protected]> wrote:
There's a way to do a reverse IP lookup on the IP address and see if there's a
DNS entry for it. That's how I was able to successfully figure out who the
senders were (Berkeley) originally. I used dig I believe. I don't have
access to my Linux box right now, otherwise I'd check to see if the IP
addresses are actually from Berkeley. There's always a chance that they're
using more than one server / IP now to conduct the scanning. I believe they
were originally trying to scan the whole internet.
based on the IP of 169.229.3.91 given by Mitchell:
91.3.229.169.in-addr.arpa. 9787 IN PTR researchscan1.EECS.Berkeley.EDU.
University of California - Office of the President UCSD-NET-169-228
(NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
University of California at Berkeley ISTDATA (NET-169-229-0-0-2) 169.229.0.0 -
169.229.255.255
-Tony
They had said it's a very specific type of malware that only affects IIS to
their knowledge. If you're not running a Windows server running IIS, you
should be good to go.
On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <[email protected]>
wrote:
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <[email protected]> wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?
I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler diary entry just yesterday about this:
https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/
If I try `openssl s_client -connect localhost:14020`, I get the below
entry in my access.log, which matches the description in the diary:
127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
This, however, is something completely different. I'd also guess it's some kind
of vulnerability scan:
> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
> 200 48605
Rainer
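A small access-log check for the three kinds of lines quoted in this thread: the TLS ClientHello bytes Rainer shows landing on a plaintext port, the serialized PHP object Mitchell found in a User-Agent header, and the binary request lines that Apache answered with a 200. This is an added example, not code from any of the posters; the sample log lines are constructed to mimic the quoted ones (with documentation-range addresses), and the log format assumed is Apache "combined" with an optional vhost:port field.

```python
import re

# Apache "combined" access-log line, tolerating the optional vhost:port field
# and the extra "-" around the timestamp seen in Rainer's LogFormat above.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?:\S+:\d+ )?\S+ \S+ \[(?P<time>[^\]]+)\] (?:- )?'
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
    r'(?: "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)")?'
)
# TLS record header: type 0x16 (handshake), version 0x03 0x0N, as Apache
# escapes it (\xNN) when a client speaks TLS to a plaintext port.
TLS_HELLO = re.compile(r'^\\x16\\x03\\x0[0-4]')
# Serialized PHP object such as O:21:"JDatabaseDriverMysqli":3:{ ; the quote
# shows up literally, as \" or as \x22 depending on the logger's escaping.
PHP_OBJECT = re.compile(r'O:\d+:(?:\\x22|\\"|")\w+(?:\\x22|\\"|"):\d+:\{')
# A well-formed request line; anything else is junk the server still answered.
HTTP_LINE = re.compile(r'^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+(?: HTTP/\d\.\d)?$')


def classify(line):
    """Return (client, tag, status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, ua = m.group('request'), m.group('ua') or ''
    if TLS_HELLO.match(req):
        tag = 'tls-client-hello-on-plain-http'
    elif PHP_OBJECT.search(req) or PHP_OBJECT.search(ua):
        tag = 'php-serialized-object'
    elif req != '-' and not HTTP_LINE.match(req):
        tag = 'non-http-request-line'  # a 200 here means content was served to junk
    else:
        return None
    return m.group('client'), tag, m.group('status')


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLE_LINES = [
    r'127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"',
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'203.0.113.5 - - [07/Oct/2016:06:12:01 +0200] "GET / HTTP/1.1" 200 1024 "-" '
    r'"}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}}"',
    r'198.51.100.7 - - [07/Oct/2016:06:13:44 +0200] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for client, tag, status in scan(SAMPLE_LINES):
        print(f'{client:15} {tag:32} status={status}')
```

Run it against your real access.log with `scan(open(path))`; a non-HTTP request line paired with a 200 is exactly the "index.html for anything" behaviour Mitchell describes, and is worth alerting on even if the request itself is harmless.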
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]