httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Dobák <erik.do...@gmail.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 18:41:36 GMT
did you ever try to run that on your own server? what would be the html
response?
E

On 6 October 2016 at 16:47, Spork Schivago <sporkschivago@gmail.com> wrote:

> I remember this!   I contacted the college that was running the scanners
> and got indepth information about what it was and how it worked.
>
> This is the responses I got back from the people running the scan...
>
> Apologies for the long delay. As Stefan said, I've been away on my
> honeymoon.
>
> As far as we know the malware is windows-only and injects itself into
> IIS. I believe most AV vendors have signatures for the malware. Also
> as Stefan said, we've informed law enforcement about infections we've
> discovered, so we expect they'd contact victims. This malware is
> extremely rare, so the likelihood of the party you're interacting with
> being infected is very very low.
>
> If the party would like to share their external public IP I'm also
> happy to check our logs and see if they come back as infected.
>
> With respect to the string and what it elicits. It's a series of 64
> random bytes of data that have been lightly modified to meet a
> specific bit-mangling pattern. An infected machine responds back with
> what looks like 64 random bytes that have the same big mangling
> pattern (but not the same bytes).
>
> If you have further questions, I'm happy to respond.
>
>
>
> In Apache, one person was receiving the bytes and their Apache server was
> responding back with a 200.   The person I talked to looked into it and
> said for that particular IP address, it looked like Apache was sending back
> the default html file, but said the response would vary depending on what
> service was running.   Some might respond with an error page, some might
> respond with an error code, some might send a default page, etc.
>
>
> There's away to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it.   That's how I was able to successfully figure
> out who the senders were (Berkeley) originally.   I used dig I believe.   I
> don't have access to my Linux box right now, otherwise I'd check to see if
> the IP addresses are actually from Berkeley.   There's always a chance that
> they're using more than one server / IP now to conduct the scanning.   I
> believe they were originally trying to scan the whole internet.
>
> They had said it's a very specific type of malware that only affects IIS
> to their knowledge.   If you're not running a Windows server running IIS,
> you should be good to go.
>
> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
> rainer.canavan@sevenval.com> wrote:
>
>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com> wrote:
>> > From the looks of it I would say it is targeting servers running SSL.
>> Are
>> > you serving up HTTP or HTTPS ?
>>
>> I don't think that that is valid SSL, unless your httpd discards the
>> first few bytes.
>> There was a SANS handler diary entry just yesterday about this:
>>
>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT
>> P+Servers/21551/
>>
>> if I try `openssl s_client -connect localhost:14020`, I get the below
>> entry in my access.log,
>> which matches the description in the diary:
>>
>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>
>> this, however, is something completely different. I'd also guess it's
>> some kind
>> of vulnerability scan:
>>
>> > IP
>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\
>> xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
>> > 200 48605
>>
>> Rainer
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Mime
View raw message