XATattacks (attacks on

A couple of days ago, one of our readers submitted a script he had identified as sending some weird traffic to the IP address of

The script in question is a PHP script, and it was not obfuscated, so it was easy to analyze what it does. Unfortunately, certain details also appear to be missing.

It looks as if the submitted script crawls over the web site to retrieve information about registered accounts. I'm not quite sure what people do on ; it appears that, besides chatting, they can also trade some things in "xats", but I'm not quite sure what this is about (if you do know, please let me know or post in the comments :).

The script uses a local database – unfortunately the file specifying the database connection parameters was missing. It then goes into a loop that is supposed to crawl information about users. The loop uses curl to do the crawling and the method doing the crawling is supposed to use a different proxy for every request. The list of proxies is stored in a file called proxies.txt – unfortunately that file was missing too.
However, the snippet of code below explains why Haren saw network traffic to

Snippet of the script

If the script fails to load the list of proxies, the $ip variable that is later used to set the curl proxy is automatically populated with and this will obviously fail.

What the script really tries to do is retrieve a URL from (i.e. it requests something like , where the t variable is randomly generated).

After retrieving that URL, depending on the results, the script checks the received user's ID. If the user ID was not found, the script considers it to be a rare user ID and stores it in the database. Unfortunately, I'm not sure what this is used for later (as I failed to figure out what really does).

This is another example of why it really pays to monitor your outgoing traffic. Our reader in this case had a SIEM product that allowed him to inspect outgoing traffic on port 80; if you see one of your servers sending traffic to on port 80, this is something that warrants more analysis for sure.
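The kind of check the diary recommends, as an added illustration rather than the reader's SIEM logic or anything from the analyzed script: take egress flow records, keep only port-80 connections, and flag any (server, destination) pair that falls outside that server's expected destinations. The log format, host names, addresses and the allowlist are all constructed assumptions; a real deployment would read them from the firewall or proxy logs and the asset inventory.

```python
"""Flag outbound port-80 connections from servers to unexpected destinations."""
import ipaddress
from collections import Counter

# Constructed egress flow records: timestamp, src host, dst IP, dst port, bytes out.
SAMPLE_LOG = """\
2013-08-11T09:00:01 web01 203.0.113.10 443 1200
2013-08-11T09:00:02 web01 198.51.100.7 80 540
2013-08-11T09:00:02 web01 198.51.100.7 80 545
2013-08-11T09:00:03 web01 198.51.100.7 80 538
2013-08-11T09:00:04 web01 192.0.2.25 80 900
2013-08-11T09:00:05 db01 198.51.100.7 80 200
2013-08-11T09:00:06 web01 203.0.113.10 443 1100
"""

# Assumed allowlist: destinations each server is expected to reach on port 80.
# A server absent from the dict (or with an empty set) is expected to make
# no outbound HTTP requests at all, so every port-80 flow from it is flagged.
ALLOWED_HTTP = {
    "web01": {ipaddress.ip_network("203.0.113.0/24")},
    "db01": set(),
}


def parse_flows(text):
    """Yield (timestamp, src, dst_ip, dport, nbytes) from whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield ts, src, ipaddress.ip_address(dst), int(port), int(nbytes)


def unexpected_http_destinations(text, allowlist=ALLOWED_HTTP):
    """Return {(src, dst): count} for port-80 flows outside the source's allowlist.

    A server that starts talking to an unknown address on port 80, as in the
    diary, shows up here. Repeated connections to one address (a crawler loop
    or a mis-set proxy retrying) give that pair a high count.
    """
    hits = Counter()
    for _ts, src, dst, dport, _nbytes in parse_flows(text):
        if dport != 80:
            continue
        if any(dst in net for net in allowlist.get(src, set())):
            continue
        hits[(src, str(dst))] += 1
    return dict(hits)


def report(hits, min_count=1):
    """Sort flagged pairs by count, highest first, dropping those below min_count."""
    return sorted(
        ((src, dst, n) for (src, dst), n in hits.items() if n >= min_count),
        key=lambda item: (-item[2], item[0], item[1]),
    )


if __name__ == "__main__":
    for src, dst, n in report(unexpected_http_destinations(SAMPLE_LOG)):
        print(f"{src} -> {dst}:80  {n} connection(s) outside allowlist")
```

On the constructed sample this flags three connections from web01 to 198.51.100.7, one from web01 to 192.0.2.25, and one from db01, while the HTTPS traffic to the allowed network is ignored. The db01 entry is the interesting one in practice: a database host has no business making outbound HTTP requests, so an empty allowlist turns any such flow into an alert.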

Just as a reminder, I posted two diaries about analyzing outgoing network traffic almost exactly a year ago – check them at and




400 Posts
ISC Handler
Aug 11th 2013
I found this which links to a News link which seems to offer the basic info that it's a chat service where you can pay real money to get "xats" which is their virtual currency you can use to have special chat "powers" ... Seems like they have mobile device apps... all in all it's rather a bizarre sort of thing... maybe it's hot in foreign countries or something...
I found the below:

# First variant: deny everyone, then let in either a listed source address
# or anyone who authenticates against the htpasswd file.
Order Deny,Allow
Deny from all
AuthName "Htacess"
AuthUserFile /var/www/Test/.htpasswd
AuthType Basic
Require valid-user
# allowed source address (the host list was omitted in the post)
Allow from
# "Satisfy Any" means the password check is skipped for the allowed address
Satisfy Any

# Second variant: same idea, but the access rules apply only to GET and POST.
AuthName "Htaccess"
AuthUserFile /var/www/test/.htpasswd
AuthType Basic
Satisfy Any
<Limit GET POST>
Order Deny,Allow
Deny from all
# allowed source address (the host list was omitted in the post)
Allow from
Require valid-user
</Limit>

14 Posts
