Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Interesting scan for medical certification information... - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Interesting scan for medical certification information...

Craig contacted the Storm Center inquiring about an interesting scan he has seen on his server for the last several days.  The scan is at the same time everyday and only runs for a brief time, but it comes from random IPs and at a volume which almost cripples his web server for the duration of the scan.

Below are some sample logs:

209.19.138.103 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-2-ck%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%26ved%3D0CCAQFjAE%26usg%3DAFQjCNGLZeLateC1dfcmOI4HHHZ33eaFbQ HTTP/1.1" 404 27320
207.70.9.103 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-1/step1%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%26ved%3D0CDIQFjAN%26usg%3DAFQjCNE7gGV1WVr1oas2WycwK6HXMTDc9Q HTTP/1.1" 404 27323
209.19.152.71 - - [13/Aug/2012:06:12:55 -0500] "GET /comlex-level-1%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%26ved%3D0CCQQFjAG%26usg%3DAFQjCNE9KmW1x2RLSZwTtSFJQlaciBdtZQ HTTP/1.1" 404 27319
209.19.182.245 - - [13/Aug/2012:06:12:53 -0500] "GET /pharmacology/%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%26ved%3D0CBoQFjAB%26usg%3DAFQjCNGWpETjIQO-QezV9OEnvmPeKrlWDA HTTP/1.1" 404 27318
207.70.60.19 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-2-ck/coupons/2g35%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%26ved%3D0CDAQFjAM%26usg%3DAFQjCNEgHYVBqXDBUNuyVgwAjaAlyRl12A HTTP/1.1" 404 27333

 

They all appear to be a potentially valid URL followed by an encoded string and all the requests appear to be looking for content related to US medical certification exams. 

I haven't been able to find any further information on this scan.  If any of you has seen this, or can provide any insight we would appreciate a heads up, either through our comments section or our contact page.  I will summarize any information that comes in.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 Rick

324 Posts
ISC Handler
Aug 13th 2012
Thread locked Subscribe Aug 13th 2012
9 years ago
The url's are valid url's up to the part the begins with '%26sa%'

These requests hit our web server approximately the same time every day for the past 7 days at approximately the same time, and all the requests seem to come from random ip's owned by the 'Solution Pro' hosting company
 Anonymous
Quote Aug 13th 2012
9 years ago
Here are the decoded urls, might help understand what is going on.

/usmle-step-2-ck&sa=U&ei=weAoUKXcGO7ciQLpqoHACQ&ved=0CCAQFjAE&usg=AFQjCNGLZeLateC1dfcmOI4HHHZ33eaFbQ

/usmle-step-1/step1&sa=U&ei=weAoUKXcGO7ciQLpqoHACQ&ved=0CDIQFjAN&usg=AFQjCNE7gGV1WVr1oas2WycwK6HXMTDc9Q

/comlex-level-1&sa=U&ei=weAoUKXcGO7ciQLpqoHACQ&ved=0CCQQFjAG&usg=AFQjCNE9KmW1x2RLSZwTtSFJQlaciBdtZQ

/pharmacology/&sa=U&ei=weAoUKXcGO7ciQLpqoHACQ&ved=0CBoQFjAB&usg=AFQjCNGWpETjIQO-QezV9OEnvmPeKrlWDA

/usmle-step-2-ck/coupons/2g35&sa=U&ei=weAoUKXcGO7ciQLpqoHACQ&ved=0CDAQFjAM&usg=AFQjCNEgHYVBqXDBUNuyVgwAjaAlyRl12A
 Anonymous
Quote Aug 13th 2012
9 years ago
a google search for AFQjCN (the common leading chars of the usg params, above) reveals a couple of TWiki sandbox instances which appear to be easy targets for posting SPAM
 Anonymous
Quote Aug 14th 2012
9 years ago
are there any Google Analytics "usg" parameters that don't begin as AFQjCN?
 Anonymous
Quote Aug 14th 2012
9 years ago

Sign Up for Free or Log In to start participating in the conversation!