Interesting HTTP User Agent "chroot-apach0day"

Published: 2014-07-28
Last Updated: 2014-07-28 23:19:45 UTC
by Johannes Ullrich (Version: 1)
17 comment(s)

Our reader Robin submitted the following detect:

I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget  

The URL that appears to be retrieved does not exist, even though the domain does.

In our own web logs, we have seen a couple of similar requests: - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-" - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-" - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"

If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day" 

There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.

Johannes B. Ullrich, Ph.D.

17 comment(s)
Diary Archives