Analecta Cyber Company Blog: March 2015

2015-03-23

Possible Compromised Host Scanning for Shellshock

Synopsis

At 2015-03-12T03:00:44 a scan originating from IP address 82.165.157.217 (1&1 Internet AG, associated with the domain ONLINEHOME-SERVER.INFO) attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). Had it succeeded, the payload commands would have opened multiple reverse TCP and UDP connections to a second IP address in order to extract detailed system information, likely as groundwork for further compromise.

2015-03-16

Shellshock Attempts in the Wild

Synopsis

From 2015-03-09T20:29:29 until 2015-03-09T20:29:51, automated scans originating from IP address 128.199.200.157 attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). Had they succeeded, the attacker's commands would have downloaded a malicious Remote Administration Tool (RAT) and provided remote access to the system via an Internet Relay Chat (IRC) server hosted at IP address 216.70.100.172 (default IRC port, 6667). This report includes information about the exploit scan, the payload, RAT hash values, the source, command and control, and the damage assessment.
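As an added example (not code from either Analecta report), a small Python detector for the kind of Shellshock probe both posts describe: it parses combined-format access-log lines, looks for the `() {` function-definition prefix that CVE-2014-6271 hinges on in the User-Agent, Referer and request-line fields, and groups hits into per-source scan windows like the ones quoted in the synopses. The log lines, IP addresses and payload strings in it are constructed for the example.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache/Nginx combined-format access logs."""
import re
from urllib.parse import unquote

# Constructed sample lines for this example (not from the original reports). The
# User-Agent and Referer fields are the usual carriers because Apache copies them
# into HTTP_USER_AGENT / HTTP_REFERER environment variables before running a CGI.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2015:20:29:29 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'echo probe'"
203.0.113.5 - - [09/Mar/2015:20:29:35 +0000] "GET /cgi-bin/status HTTP/1.1" 404 162 "() { :; }; /bin/bash -c 'echo probe'" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2015:20:30:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [09/Mar/2015:20:30:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "(){ :;}; /bin/bash -c 'echo probe'"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable bash only honoured values beginning with the exact prefix "() {",
# but probes with sloppy spacing are still worth flagging, so whitespace is optional.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_attempts(log_text):
    """Return one record per log line whose User-Agent, Referer or request line carries the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        for field in ("ua", "ref", "req"):
            value = m.group(field)
            if field == "req":
                value = unquote(value)  # probes in the URL arrive percent-encoded
            if SHELLSHOCK_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "field": field, "payload": value,
                             "status": int(m.group("status"))})
                break  # one record per line is enough
    return hits


def summarize_by_source(hits):
    """Collapse hits into per-source-IP count and first/last timestamp (log assumed chronological)."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"count": 0, "first": h["ts"], "last": h["ts"]})
        entry["count"] += 1
        entry["last"] = h["ts"]
    return summary


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['ts']} [{h['field']}] {h['payload']}")
    for ip, window in summarize_by_source(found).items():
        print(f"{ip}: {window['count']} attempts, {window['first']} .. {window['last']}")
```

A 200 response only shows that the CGI ran, not that bash was vulnerable; confirming exploitation needs host or network evidence such as the outbound connections or the downloaded RAT the reports describe.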

2015-03-15

Scanning Activity

Synopsis

From 2015-03-12T06:41:04 until 2015-03-12T06:42:25, abnormal scanning behavior was identified originating from IP address 173.70.141.168 and presenting a User-Agent of "panscient.com".

User Agent

Panscient (panscient.com) purports to be a content supplier for search engines, claiming to focus on people-related data. Requests sent to Panscient to determine whether the observed activity was legitimate company activity went unanswered.

Origin IP Address

The source IP address (173.70.141.168) resolves to pool-173-70-141-148.nwrknj.fios.verizon.net, a reverse-DNS name typical of a residential or small-business address on Verizon FiOS (in Newark, New Jersey) rather than a hosting provider's range, which does not fit the claimed identity of a commercial crawling service.

Activity

Most of the activity was consistent with a crawler, with two specific exceptions:

  1. The robots.txt file was requested, but not as the initial request. A legitimate indexing bot should request robots.txt first, since it contains the directives the bot is expected to honor before fetching anything else.
  2. Malformed requests were identified.

Malformed Requests

All cross-referenced resources within the site were individually retrieved, which is normal for a crawler. However, additional requests were made that were not based on any reference internal to the site:

/js/?===c&(g+=m.css(a,c+T%5Bf%5D,!0,e)),d?
/js/?)),c.overflow&(p.overflow=
/js/?C=N;O=D

Research into the likely source of these requests produced no immediate leads. Analecta analysts are continuing to investigate.
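As an added example (not code from the Analecta report), the two checks above expressed as log-analysis heuristics in Python: whether robots.txt was the first request from a given source/User-Agent pair, and whether any requested path lies outside the set of resources the site itself links to, with a further flag for query strings carrying code-like characters of the sort listed above. The site link set, log lines, addresses and User-Agent strings are constructed for the example.

```python
"""Heuristics for separating well-behaved crawlers from anomalous scanners in access logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data for this example (not the site or logs from the original report).
# Paths the site itself links to, i.e. what a crawler following internal references requests.
SITE_LINKS = {"/", "/about.html", "/contact.html", "/js/app.min.js", "/css/site.css", "/img/logo.png"}

SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2015:06:41:04 +0000] "GET / HTTP/1.1" 200 3120 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [12/Mar/2015:06:41:05 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [12/Mar/2015:06:41:06 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [12/Mar/2015:06:41:07 +0000] "GET /js/app.min.js HTTP/1.1" 200 9120 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [12/Mar/2015:06:41:08 +0000] "GET /js/?)),c.overflow&(p.overflow= HTTP/1.1" 404 210 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [12/Mar/2015:06:41:09 +0000] "GET /js/?C=N;O=D HTTP/1.1" 404 210 "-" "ExampleCrawler/1.0"
198.51.100.20 - - [12/Mar/2015:06:50:00 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "GoodBot/2.0"
198.51.100.20 - - [12/Mar/2015:06:50:01 +0000] "GET / HTTP/1.1" 200 3120 "-" "GoodBot/2.0"
198.51.100.20 - - [12/Mar/2015:06:50:02 +0000] "GET /contact.html HTTP/1.1" 200 1800 "-" "GoodBot/2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that ordinary query strings almost never contain but code fragments do.
CODE_LIKE_RE = re.compile(r"[(){}\[\];]|==|\+=|&&")


def parse(log_text):
    """Yield one record per well-formed combined-log-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, target, _proto = m.group("req").split(" ", 2)
        parts = urlsplit(target)
        yield {"ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua"),
               "method": method, "path": parts.path, "query": parts.query}


def audit_crawler(log_text, site_links):
    """Return {(ip, user_agent): [(finding_kind, detail), ...]} for sources that tripped a heuristic."""
    findings = defaultdict(list)
    request_order = defaultdict(list)  # paths requested so far, per (ip, ua)
    for rec in parse(log_text):
        key = (rec["ip"], rec["ua"])
        order = request_order[key]
        order.append(rec["path"])
        # 1. robots.txt should be the very first thing a polite crawler asks for.
        if rec["path"] == "/robots.txt" and len(order) > 1:
            findings[key].append(("robots_not_first", f"robots.txt was request #{len(order)}"))
        # 2. A crawler following the site's own links never asks for a path the site doesn't reference.
        if rec["path"] != "/robots.txt" and rec["path"] not in site_links:
            findings[key].append(("unreferenced_path", rec["path"]))
        # 3. Query strings that look like fragments of code rather than parameters.
        if rec["query"] and CODE_LIKE_RE.search(rec["query"]):
            findings[key].append(("code_like_query", rec["query"]))
    return dict(findings)


if __name__ == "__main__":
    for (ip, ua), items in audit_crawler(SAMPLE_LOG, SITE_LINKS).items():
        print(f"{ip} ({ua}):")
        for kind, detail in items:
            print(f"  {kind}: {detail}")
```

These are triage signals, not block rules: the `C=N;O=D` form, for instance, is also exactly what Apache's mod_autoindex appends to the column-sort links in a directory listing, so a single code-like query from a source that otherwise behaves should raise a flag for an analyst rather than a firewall entry.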

Damage Assessment

No damage was sustained by the server from these requests.