
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-01-15



tcp/6379 trolling - Redis NoSQL? Or something else?

Published: 2015-01-15
Last Updated: 2015-01-16 00:39:07 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

DShield sensors report an uptick of scanning for tcp/6379, currently mostly originating from 61.160.x and 61.240.144.x, which are both CHINANET/UNICOM. tcp/6379 is the default port of the Redis NoSQL database (http://redis.io) and Redis by default accepts connections from "any". This has been known for a while though, and is also quite prominently mentioned in the Redis documentation (http://redis.io/topics/security):

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet

which makes us wonder if the service scanned for in this case is indeed Redis, or something else? Does anyone have a packet capture of the commands that the scanners try next when they find the port open? If yes, please share via our contact form or the comments below.


Strange wordpress login patterns

Published: 2015-01-15
Last Updated: 2015-01-15 23:48:22 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Reader Robert came today with a very interesting situation. He noticed odd WordPress login patterns:

T 31.47.254.62:51020 -> X.X.X.X:80 [AP]
POST /wp-login.php HTTP/1.1.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 131.
Content-Type: application/x-www-form-urlencoded.
.
log=admin&pwd=admin%21%21%21&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0&testcookie=1

----------------------------------

T 62.210.207.146:43322 -> X.X.X.X:80 [AP]
POST /wp-login.php HTTP/1.1.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 113.
Content-Type: application/x-www-form-urlencoded.
.
log=ahenry&pwd=Ahenry%24%24%24&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0&testcookie=1

----------------------------------

T 109.199.82.5:46902 -> X.X.X.X:80 [AP]
POST /wp-login.php HTTP/1.1.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 110.
Content-Type: application/x-www-form-urlencoded.
.
log=natemc&pwd=Johns666&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0&testcookie=1


In the sample he sent to us, there are three specific source IP addresses: 109.199.82.5, 62.210.207.146 and 31.47.254.62. All three IP addresses have a good reputation (checked on TrustedSource, SenderBase and SANS Internet Storm Center). It looks like the client is trying to reach a script called tes1a0 and setting the WordPress test cookie so WordPress can tell the client is accepting cookies and no error is raised. I checked for the string tes1a0 in the WordPress 4.1 installation download and it's not part of the code. It's also clear this is a fake Googlebot. Please check the previous diary by Dr. Johannes Ullrich on how to check when Google is not Google.
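As an added example (not code from the diary, from Robert, or from WordPress), the following Python script parses ngrep-style captures like the ones above and flags requests that match the pattern described: a self-described Googlebot POSTing credentials to wp-login.php, and a redirect_to pointing at the tes1a0 script that does not ship with WordPress. The capture text is constructed using RFC 5737 test addresses, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed ngrep-style capture modelled on the diary's samples; RFC 5737 test
# addresses stand in for the real IPs. ngrep prints each CR/LF as a trailing '.'.
CAPTURE = """T 192.0.2.10:51020 -> 198.51.100.5:80 [AP]
POST /wp-login.php HTTP/1.1.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
Cookie: wordpress_test_cookie=WP+Cookie+check.
.
log=admin&pwd=admin%21%21%21&wp-submit=Log+In&redirect_to=http://example.test/wp-admin/tes1a0&testcookie=1
----------------------------------
T 192.0.2.20:40000 -> 198.51.100.5:80 [AP]
GET /robots.txt HTTP/1.1.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
.
"""

def parse_ngrep(text):
    """Yield (src_ip, method, path, headers, body) for each request in the capture."""
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        m = re.match(r"T (\d+(?:\.\d+){3}):\d+ -> ", block.strip())
        if not m:
            continue
        # ngrep shows each CR/LF as a trailing '.', so drop one dot per line
        lines = [l[:-1] if l.endswith(".") else l for l in block.strip().splitlines()[1:]]
        method, path = lines[0].split()[:2]
        blank = lines.index("") if "" in lines else len(lines)  # lone '.' ends the headers
        hdrs = (h.partition(":") for h in lines[1:blank])
        headers = {n.strip().lower(): v.strip() for n, _, v in hdrs}
        yield m.group(1), method, path, headers, "".join(lines[blank + 1:])

def flag_request(method, path, headers, body):
    """Return the reasons a request matches the fake-Googlebot wp-login pattern."""
    reasons = []
    claims_googlebot = "googlebot" in headers.get("user-agent", "").lower()
    form = parse_qs(body)
    if claims_googlebot and method == "POST" and path == "/wp-login.php" and "pwd" in form:
        reasons.append("self-described Googlebot submitting WordPress credentials")
    if urlparse(form.get("redirect_to", [""])[0]).path.endswith("/tes1a0"):
        reasons.append("redirect_to targets the 'tes1a0' script not shipped with WordPress")
    return reasons

def scan(text):
    """Map each source IP to the reasons its requests were flagged."""
    hits = {}
    for src, method, path, headers, body in parse_ngrep(text):
        for reason in flag_request(method, path, headers, body):
            hits.setdefault(src, []).append(reason)
    return hits
```

The flagged source IPs are candidates for the reverse-DNS check from the "Google is not Google" diary referenced above; the script itself stays offline.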

Have you seen this kind of WordPress attempt? If yes, let us know via the Contact form. I will update the diary with the information gathered.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
