A Couple Days of Logs: Looking for the Russian Business Network

Published: 2011-05-17. Last Updated: 2011-05-17 14:05:17 UTC
by Johannes Ullrich (Version: 1)

Watching your logs can be a lot of fun, in particular if you have some interesting logs to look at. On the other hand: if you think your logs are boring, you are probably just not looking hard enough. My latest log excursion started with two alerts from the ISC poll feature we have on the index page. Within a couple of minutes, two very different IP addresses submitted comments that got identified as spam:

Request #1 from 212.117.165.179.

POST /poll.html HTTP/1.1
CONNECTION: close
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HOST: isc.sans.edu
REFERER: http://isc.sans.edu/
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
COOKIE: dshield=91b1d9cff4a31d61f426935aad5bbd2
COOKIE2: $Version="1"
Post Data:
token:
poll: 2
poll_comment: USA
subject: RgPRyMuPeHQYTatPjg

Request #2 from 91.214.45.223.

POST /poll.html HTTP/1.0
HOST: isc.sans.edu
KEEP-ALIVE: 300
CONNECTION: keep-alive
USER-AGENT: Mozilla/4.0 (compatible; Synapse)
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ACCEPT-ENCODING: identity
ACCEPT-LANGUAGE: en
ACCEPT-CHARSET: iso-8859-1, utf-8, utf-16, *;q=0.1
COOKIE2: $Version=1
Post Data:
token:
poll: 4
poll_comment: add comment
subject: -1'

The first one isn't all that remarkable in my opinion. We get a couple dozen of them a day. But the second one is sort of "interesting". Can you pick out why?

"subject: -1'" is the line that caught my attention. The other odd thing was that these two requests came in very close to each other but look very different.

If you look at the two IP addresses (91.214.45.223 and 212.117.165.179), it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's "checkip" feature [1] shows that they are suggested to be part of the Russian Business Network.

Well... what to do from here? Seeing a little bit of coordination like this always makes me think "What did I miss now?". So my next idea was "What else comes in from AS 5577?". AS 5577 originates about 20 prefixes. While not everything in AS 5577 is evil, it does appear to be a hiding spot for RBN activity. The company root.lu appears to be in the very low-rate dedicated hosting business [2], which frequently means not much money to spend on oversight and proper abuse handling. The next step was to filter the last few days of logs for these prefixes, to check what else we get. Here are a few oddities that came to light (there were a couple hundred hits...):

1. Are we listed yet?

212.117.162.204 GET /block.txt   HTTP/1.1  libwww-perl/6.0
212.117.164.170 GET /top10-2.txt HTTP/1.0  Wget/1.11.4
212.117.172.150 GET /top10-2.txt HTTP/1.0  Wget/1.10.2 (Red Hat modified)
94.242.197.100  GET /top10-2.txt HTTP/1.0  Wget/1.12 (linux-gnu)

Looks like they keep checking if they are listed as a "top 10" or a blocked IP address. We got quite a few hits like that from AS 5577 hosts. Interestingly, they use a couple of different IP addresses and user agents to perform these queries. And yes, they are listed from time to time.

2. Synapse as SQL Injection tool

212.117.165.179 GET /index.html?menu=-1%27& HTTP/1.0 Mozilla/4.0 (compatible; Synapse)

The user agent points to the Apache XML Enterprise Bus "Synapse". It is not clear why this user agent is used here, or if it is actually related to the tool by Apache. But so far, all the requests with this user agent are related to SQL injection attempts.

3. Outdated Browsers and a Love for RSS

212.117.177.5 GET /diary.html?storyid=10885&rss HTTP/1.0 
              Mozilla/5.0 (en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

The URL ("&rss") indicates that the user here followed a link in our RSS feed, and the RSS feed is polled regularly by AS 5577 machines. The browser version is a bit old and set to "US English" as language. However, there is a good chance that the user agent is fake. The use of HTTP/1.0 probably indicates a proxy. This browser did not accept cookies. However, there is some indication that a real browser is behind this, as all the related files (style sheets and images) are loaded.

4. Let's ignore redirects

212.117.174.33 GET /index.php HTTP/1.0 
               http://forum.dshield.org/index.php 
               Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

We haven't used the .php extension nor the host name "forum.dshield.org" in a while. So it is odd that this IP came back 3 times in one second, but never retrieved the URL it got redirected to. Again HTTP/1.0 and a fake-looking user agent (this user agent exists... but I have hardly ever seen it used legitimately these days). Maybe the old bulletin board we had at that URL years ago was vulnerable to *something* and is still listed in some search engine.
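The filtering step described above (keep only hits from the AS prefixes, then look for the oddities) as an added example, not code from the diary. The prefixes are constructed placeholders that merely cover the addresses quoted in this post; the real list comes from a BGP or whois lookup of AS 5577, and the log lines are constructed from the requests shown above.

```python
import ipaddress
import re
from urllib.parse import unquote

# Placeholder CIDRs (constructed): stand-ins for the ~20 prefixes AS 5577
# originates. Replace with the prefixes from an actual BGP/whois lookup.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("212.117.160.0/19", "94.242.192.0/19", "91.214.44.0/22")]

# Paths the diary saw fetched by hosts checking whether they are listed.
LIST_CHECK_PATHS = {"/block.txt", "/top10-2.txt"}
# Crude SQL-injection probe: a quote right after a number, e.g. "-1'".
SQLI_RE = re.compile(r"-?\d+'")

# Constructed log lines: "ip method path user-agent" (user agent may have spaces).
SAMPLE_LOG = """\
212.117.162.204 GET /block.txt libwww-perl/6.0
212.117.165.179 GET /index.html?menu=-1%27& Mozilla/4.0 (compatible; Synapse)
8.8.8.8 GET /diary.html Mozilla/5.0
91.214.45.223 POST /poll.html?subject=-1%27 Mozilla/4.0 (compatible; Synapse)
212.117.177.5 GET /diary.html?storyid=10885&rss Mozilla/5.0 (en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def in_watchlist(ip):
    """True if the client address falls in one of the watched prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCH_PREFIXES)


def classify(path, ua):
    """Return the oddity labels from the diary that apply to one request."""
    tags = []
    if path.split("?")[0] in LIST_CHECK_PATHS:
        tags.append("list-check")        # "are we listed yet?"
    if SQLI_RE.search(unquote(path)):    # decode %27 before matching
        tags.append("sqli-probe")
    if "Synapse" in ua:
        tags.append("synapse-ua")
    return tags


def triage(log_text):
    """Keep only lines from watched prefixes and attach oddity tags."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip malformed lines
        ip, method, path, ua = m.groups()
        if in_watchlist(ip):
            out.append((ip, method, path, classify(path, ua)))
    return out
```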

More to come...


[1] http://threatstop.com/checkip
[2] http://root.lu


Keywords: rbn weblogs

Comments

We had four hits on Sunday night of 212.117.165.179 getting a page and then trying to post corrupted viewstate information back to it on a public ASP.Net application. No other attempted file gets or posts, clean connections through the firewall set, no IPS hits.
212.117.162.244 has been in our blacklist for over a year now. Guess I'll modify that to be the entire range of Root SA.
