SANS ISC: What bot is that? - SANS Internet Storm Center SANS ISC InfoSec Forums

What bot is that?
Hi folks,

For a few weeks now, one of my webservers with an unprotected comment form has been receiving weird POSTs,
about five per day. The content is always only a 13-digit hex number, currently at 590b4ba3859d7.
The user agent string is always the same, Firefox 7 on WinXP:
"Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
The weird thing is that the POSTs come from IPs all over the world, but are strictly incremental,
so it's either some kind of timestamp, or centrally coordinated.

Has anyone seen the same behaviour, and maybe found out what bot is doing that, and for what purpose?

Regards
Visi
Visi

39 Posts
Can you share a pcap?
Xme

305 Posts
ISC Handler
I've started a capture, might take an hour or two for the next bot hit.

Apache log is:
109.163.234.2 - - [07/May/2017:21:44:04 +0200] "POST /anmeldung.php HTTP/1.1" 302 210 "http://woo.li/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

The last two weeks had 164 hits from 155 IPs.

The last submissions are:
anname=591025669d178&email=valid.mail@yahoo.com
anname=5910254f82f42&email=valid.mail@gmail.com

So the name is an ever-increasing hex number, and the email field is filled with random mail addresses I don't know, so probably filled from a spam list.
Visi

39 Posts
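
One way to test the "some kind of timestamp" reading on the values quoted in the thread (an added example, not code from any poster). It assumes the 13 hex digits are 8 digits of Unix seconds followed by 5 digits of microseconds, the layout PHP's uniqid() produces; the function names are made up for this sketch.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Values quoted in the thread, oldest first.
FIRST_POST_VALUE = "590b4ba3859d7"
BODIES = [
    "anname=5910254f82f42&email=valid.mail@gmail.com",
    "anname=591025669d178&email=valid.mail@yahoo.com",
]

def decode_token(token):
    """Read a 13-hex-digit value as Unix seconds (8 digits) + microseconds (5).

    Assumption: uniqid()-style layout. Raises ValueError when it does not fit.
    """
    if not re.fullmatch(r"[0-9a-f]{13}", token):
        raise ValueError("expected 13 lowercase hex digits")
    seconds = int(token[:8], 16)
    micros = int(token[8:], 16)
    if micros >= 1_000_000:
        raise ValueError("low 5 digits are not a microsecond count")
    ts = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return ts.replace(microsecond=micros)

def token_from_body(body, field="anname"):
    """Pull the name field out of a urlencoded POST body."""
    return parse_qs(body)[field][0]

def decode_all(tokens):
    """Decode tokens; also report whether the times strictly increase."""
    times = [decode_token(t) for t in tokens]
    increasing = all(a < b for a, b in zip(times, times[1:]))
    return times, increasing

if __name__ == "__main__":
    tokens = [FIRST_POST_VALUE] + [token_from_body(b) for b in BODIES]
    times, increasing = decode_all(tokens)
    for tok, ts in zip(tokens, times):
        print(tok, "->", ts.isoformat())
    print("strictly increasing:", increasing)
```

Under that assumption the three values decode to 4 May and 8 May 2017 (UTC), the same period as the Apache log entry quoted in the thread.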
No, we cannot; there is some procedure that we need to follow.
reachiso

1 Posts