A Couple Days of Logs: Looking for the Russian Business Network

Published: 2011-05-17
Last Updated: 2011-05-17 14:05:17 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Watching your logs can be a lot of fun, in particular if you have some interesting logs to look at. On the other hand: if you think your logs are boring, you are probably just not looking hard enough. My latest log excursion started with two alerts from the ISC poll feature we have on the index page. Within a couple of minutes, two very different IP addresses submitted comments that got identified as spam:

Request #1 from

POST /poll.html HTTP/1.1
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HOST: isc.sans.edu
REFERER: http://isc.sans.edu/
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
COOKIE: dshield=91b1d9cff4a31d61f426935aad5bbd2
COOKIE2: $Version="1"
Post Data:
poll: 2
poll_comment: USA
subject: RgPRyMuPeHQYTatPjg

Request #2 from

POST /poll.html HTTP/1.0
HOST: isc.sans.edu
CONNECTION: keep-alive
USER-AGENT: Mozilla/4.0 (compatible; Synapse)
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ACCEPT-CHARSET: iso-8859-1, utf-8, utf-16, *;q=0.1
COOKIE2: $Version=1
Post Data:
poll: 4
poll_comment: add comment
subject: -1'

The first one isn't all that remarkable in my opinion. We get a couple dozen of them a day. But the second one is sort of "interesting". Can you pick out why?

"subject: -1'" is the line that caught my attention. The other odd thing was that these two requests came in very close to each other but look very different.

If you look at the two IP addresses ( and, it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's "checkip" feature [1] shows that these are suggested to be part of the Russian Business Network.

Well... what to do from here? Seeing a little bit of coordination like this always makes me think "What did I miss now?". So my next idea was "What else comes in from AS 5577?". AS 5577 originates about 20 prefixes. While not everything in AS 5577 is evil, it does appear to be a hiding spot for RBN activity. The company root.lu appears to be in the super low rate dedicated hosting business [2], which frequently means not much money to spend on oversight and proper abuse handling. The next step was to filter the last few days of logs for these prefixes, to check what else we get. Here are a few oddities that came to light (there were a couple of hundred hits...):

1. Are we listed yet?

GET /block.txt HTTP/1.1  libwww-perl/6.0
GET /top10-2.txt HTTP/1.0  Wget/1.11.4
GET /top10-2.txt HTTP/1.0  Wget/1.10.2 (Red Hat modified)
GET /top10-2.txt HTTP/1.0  Wget/1.12 (linux-gnu)

Looks like they keep checking if they are listed as a "top 10" or a blocked IP address. Got quite a few hits like that from AS 5577 hosts. Interestingly, they use a couple of different IP addresses and user agents to perform these queries. And yes, they are listed from time to time.

2. Synapse as SQL Injection tool

GET /index.html?menu=-1%27& HTTP/1.0  Mozilla/4.0 (compatible; Synapse)

The user agent points to the Apache XML Enterprise Bus "Synapse". It is not clear why this user agent is used here, or whether it is actually related to the Apache tool. But so far, all the requests with this user agent are related to SQL injection attempts.

3. Outdated Browsers and a Love for RSS

GET /diary.html?storyid=10885&rss HTTP/1.0  Mozilla/5.0 (en-US; rv: Gecko/20090729 Firefox/3.5.2

The URL ("&rss") indicates that the user here followed a link in our RSS feed, and the RSS feed is polled regularly by AS 5577 machines. The browser version is a bit old and set to "US English" as language. However, there is a good chance that the user agent is fake. The use of HTTP/1.0 probably indicates a proxy. This browser did not accept cookies. However, there is some indication that a real browser is behind this, as all the related files (style sheets and images) are loaded.

4. Let's ignore redirects

GET /index.php HTTP/1.0  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

We haven't used the .php extension nor the host name "forum.dshield.org" in a while. So it is odd that this IP came back 3 times in one second, but never retrieved the URL it got redirected to. Again HTTP/1.0 and a fake-looking user agent (this user agent exists... but I have hardly ever seen it used legitimately these days). Maybe the old bulletin board we had at that URL years ago was vulnerable to *something* and is still listed in some search engine.
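The prefix filtering described above and the four oddities it turned up, as an added example (not code from the diary): constructed log lines are filtered to a set of watched prefixes and tagged for the listing checks, the Synapse user agent, the lone "-1'" parameter and browser user agents sent over HTTP/1.0. The prefixes and sample lines are placeholders, since the diary lists neither.

```python
import ipaddress
import re
from urllib.parse import parse_qsl
# Constructed stand-in for the AS 5577 prefixes (the diary does not list them):
# TEST-NET placeholders, not real routing data.
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Indicators taken from the diary's four oddities.
LISTING_PATHS = {"/block.txt", "/top10-2.txt"}        # "are we listed yet?" checks
SYNAPSE_UA = re.compile(r"\(compatible; Synapse\)")   # user agent seen on SQLi probes
BROWSER_UA = re.compile(r"MSIE|Firefox")              # browser claim sent over HTTP/1.0
QUOTE_PROBE = re.compile(r"^-?\d*'$")                 # the lone "-1'" style parameter
# Simplified log line: ip "METHOD target HTTP/x.y" status "user-agent"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) (HTTP/\d\.\d)" (\d{3}) "([^"]*)"$')

def classify(line):
    """Parse one line and return (ip, oddity tags); None if the line is unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, version, _status, ua = m.groups()
    path, _, query = target.partition("?")
    tags = []
    if path in LISTING_PATHS:
        tags.append("listing-check")
    if SYNAPSE_UA.search(ua):
        tags.append("synapse-ua")
    # parse_qsl decodes %27 back to a quote, so the pattern sees the real value
    if any(QUOTE_PROBE.match(v) for _, v in parse_qsl(query, keep_blank_values=True)):
        tags.append("quote-probe")
    if version == "HTTP/1.0" and BROWSER_UA.search(ua):
        tags.append("http10-browser")
    return ip, tags

def review(log_text):
    """Keep only lines from the watched prefixes that carry at least one oddity."""
    findings = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1] and any(ipaddress.ip_address(parsed[0]) in n for n in WATCHED_PREFIXES):
            findings.append(parsed)
    return findings

# Constructed sample lines modelled on the diary's examples, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 "GET /block.txt HTTP/1.1" 200 "libwww-perl/6.0"
192.0.2.11 "GET /top10-2.txt HTTP/1.0" 200 "Wget/1.11.4"
198.51.100.5 "GET /index.html?menu=-1%27& HTTP/1.0" 200 "Mozilla/4.0 (compatible; Synapse)"
198.51.100.5 "GET /index.php HTTP/1.0" 302 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 "GET /block.txt HTTP/1.1" 200 "curl/7.19.7"
"""
```

The last sample line carries a listing check but falls outside the watched prefixes, so review() drops it; the tags are a starting point for a closer look, not a verdict on the host.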

More to come...


[1] http://threatstop.com/checkip
[2] http://root.lu


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: rbn weblogs


We had four hits on Sunday night of getting a page and then trying to post corrupted viewstate information back to it on a public ASP.Net application. No other attempted file gets or posts, clean connections through the firewall set, no IPS hits. has been in our blacklist for over a year now. Guess I'll modify that to be the entire range of Root SA.
