Still, we are seeing an uptick of scans on web servers looking for such files that really shouldn't be present.
The scan looks for about 50 different file names that are commonly associated with SSH keys. It also probes for the presence of common Unix shell history files:
One signature the scans so far have in common is that the first request is always for "checknfurl123".
This is most likely a test to determine how the scanned server responds to requests for files that do not exist, so that false positives can be eliminated in the subsequent attempts to read the SSH keys. I am currently running a honeypotty to see what the scanners do next if the "HEAD" request comes back with an okay (200). No luck yet, so if you already have that bit of intel, please share via the comments below.
Daniel, ISC Handler, Jun 11th 2014
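To check your own web server logs for the pattern described above, the following added example (not part of the original diary) groups requests by client, flags clients that requested "checknfurl123", and reports which key or history file probes were answered with a 200. The file names in `SENSITIVE` and the log lines are assumptions constructed for illustration, since the scanner's full list of about 50 names is not reproduced here.

```python
import re
from collections import defaultdict

CANARY = "checknfurl123"  # first request of each scan, per the diary
# Assumed names: the scanner's own list of ~50 file names is not on the page.
SENSITIVE = ("id_rsa", "id_dsa", "authorized_keys", ".bash_history")

# client, method, path and status from a common/combined-format access log line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jun/2014:10:00:01 +0000] "HEAD /checknfurl123 HTTP/1.1" 404 0
192.0.2.10 - - [11/Jun/2014:10:00:02 +0000] "HEAD /id_rsa HTTP/1.1" 404 0
192.0.2.10 - - [11/Jun/2014:10:00:03 +0000] "HEAD /.ssh/id_rsa HTTP/1.1" 200 0
192.0.2.10 - - [11/Jun/2014:10:00:04 +0000] "HEAD /.bash_history HTTP/1.1" 404 0
198.51.100.7 - - [11/Jun/2014:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [11/Jun/2014:10:06:00 +0000] "HEAD /checknfurl123 HTTP/1.1" 200 0
203.0.113.5 - - [11/Jun/2014:10:06:01 +0000] "HEAD /id_dsa HTTP/1.1" 200 0
"""

def analyze(log_text):
    """Return {client: report} for clients whose requests include the canary."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, _method, path, status = m.groups()
            per_client[ip].append((path, int(status)))
    reports = {}
    for ip, reqs in per_client.items():
        canary = [s for p, s in reqs if CANARY in p]
        if not canary:
            continue  # no canary request: not this scan pattern
        probes = [(p, s) for p, s in reqs
                  if any(p.rsplit("/", 1)[-1] == n for n in SENSITIVE)]
        # If the server answers 200 for the nonexistent canary, a 200 on a
        # probe proves nothing; otherwise a 200 means the file is being served.
        soft_404 = 200 in canary
        exposed = [] if soft_404 else [p for p, s in probes if s == 200]
        reports[ip] = {"probes": len(probes), "soft_404": soft_404,
                       "exposed": exposed}
    return reports

if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG).items():
        print(ip, report)
```

Any path listed under `exposed` is a file the server actually served and should be removed from the web root, with the corresponding key rotated.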