Last Updated: 2011-05-17 14:05:17 UTC
by Johannes Ullrich (Version: 1)
Watching your logs can be a lot of fun, in particular if you got some interesting logs to look at. On the other hand: If you think your logs are boring, you are probably just not looking hard enough. My latest log excursion started with two alerts from the ISC poll feature we have on the index page. Within a couple minutes, two very different IP addresses submitted comments that got identified as spam:
Request #1 from 188.8.131.52.
POST /poll.html HTTP/1.1 CONNECTION: close ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 HOST: isc.sans.edu REFERER: http://isc.sans.edu/ USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) COOKIE: dshield=91b1d9cff4a31d61f426935aad5bbd2 COOKIE2: $Version="1" Post Data: token: poll: 2 poll_comment: USA subject: RgPRyMuPeHQYTatPjg
Request #2 from 184.108.40.206.
POST /poll.html HTTP/1.0 HOST: isc.sans.edu KEEP-ALIVE: 300 CONNECTION: keep-alive USER-AGENT: Mozilla/4.0 (compatible; Synapse) ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ACCEPT-ENCODING: identity ACCEPT-LANGUAGE: en ACCEPT-CHARSET: iso-8859-1, utf-8, utf-16, *;q=0.1 COOKIE2: $Version=1 Post Data: token: poll: 4 poll_comment: add comment subject: -1'
The first one isn't all that remarkable in my opinion. We get a couple dozen of them a day. But the second one is sort of "interesting". Can you pick out why?
"subject: -1' " is the line that caught my attention. The other odd thing was that these two requests came in very close to each other but look very differently.
If you look at the two IP addresses (220.127.116.11 and 18.104.22.168), it turns out that both are part of AS 5577, a network registered in Luxemburg. Further, looking up these addresses in Threatstop's "checkip" feature  shows that these are suggested to be part of the Russian Business Network
Well... what to do from here? Seeing a little bit of coordination like this always makes me think "What did I miss now?". So my next idea was "What else comes in from AS 5577". AS 5577 originates about 20 prefixes. While not everything in AS 5577 is evil, it does appear to be a hiding spot for RBN activity. The company root.lu appears to be in the super low rate dedicated hosting business  which frequently means not much money to spend on oversight and proper abuse handling. The next step was to filter the last few days of logs for these prefixes, to check what else we get. Here a few oddities that came to light (there were a couple hundred hits...)
1. Are we listed yet?
22.214.171.124 GET /block.txt HTTP/1.1 libwww-perl/6.0 126.96.36.199 GET /top10-2.txt HTTP/1.0 Wget/1.11.4 188.8.131.52 GET /top10-2.txt HTTP/1.0 Wget/1.10.2 (Red Hat modified) 184.108.40.206 GET /top10-2.txt HTTP/1.0 Wget/1.12 (linux-gnu)
Looks like they keep checking if they are listed as a "top 10" or a blocked IP address. Got quite a few hits like that from AS 5577 hosts. Interestingly, they use a couple different IP address and user agents to perform these queries. And yes, they are listed from time to time.
2. Synapse as SQL Injection tool
220.127.116.11 GET /index.html?menu=-1%27& HTTP/1.0 Mozilla/4.0 (compatible; Synapse)
The user agent points to the Apache XML Enterprise Bus "Synapse". It is not clear why this user agent here is used, or if it is actually related to the tool by Apache. But so far, all the requests with this user agent are related to SQL injection attempts.
3. Outdated Browsers and a Love for RSS
18.104.22.168 GET /diary.html?storyid=10885&rss HTTP/1.0 Mozilla/5.0 (en-US; rv:22.214.171.124) Gecko/20090729 Firefox/3.5.2
The URL ("&rss") indicates that the user here followed a link in our RSS feed, and the RSS feed is polled regularly by AS 5577 machines. The browser version is a bit old and set to "US English" as language. However, there is a good chance that the user agent is fake. The use of HTTP/1.0 is probably indicating a proxy. This browser did not accept cookies. However, there is some indication that a real browser is behind this as all the related files (style sheets and images) are loaded.
4. Lets ignore redirects
126.96.36.199 GET /index.php HTTP/1.0 http://forum.dshield.org/index.php Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
We haven't used the .php extension nor the host name "forum.dshield.org" in a while. So it is odd that this IP came back 3 times in one second, but never retrieved the URL it got redirected to. Again HTTP/1.0 and a fake looking user agent (this user agent exists... but I have hardly ever seen it used legitimate these days). Maybe the old bulletin board we had at that URL years ago was vulnerable to *something* and is still listed in some search engine.
More to come...