Analecta Cyber Company Blog: March 2015


Possible Compromised Host Scanning for Shellshock


At 2015-03-12T03:00:44 a scan originated from IP address (1&1 Internet AG, associated with domain ONLINEHOME-SERVER.INFO) attempting to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). If successful, the payload commands would have opened multiple reverse TCP and UDP connections to a second IP address in an attempt to extract detailed information likely to be used for further compromise.


Shellshock Attempts in the Wild


From 2015-03-09T20:29:29 until 2015-03-09T20:29:51 automated scans originating from IP address  Scans attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). If successful, the commands from the attacker would download a malicious Remote Administrative Tool (RAT) and provide remote access to the system via an Internet Relay Chat (IRC) server hosted at IP address (default IRC port, 6667). This report includes information about the exploit scan, the payload, RAT hash values, the source, command and control, and the damage assessment.


Scanning Activity


From 2015-03-12T06:41:04 until 2015-03-12T06:42:25 abnormal scanning behavior was identified originating from IP address claiming a User Agent of "".

User Agent

Panscient (website) purports to be a content supplier for search engines and claims to focus on people-related data. Requests made to Panscient to determine whether the observed activity was related to legitimate company activity went unanswered.

Origin IP Address

The source IP address ( resolves to - typically indicative of a commercial or residential IP address operated by the Verizon FiOS Internet services (in Newark, New Jersey).


Most of the activity was consistent with ordinary crawling, with two specific exceptions:

  1. The robots.txt file was requested, but not as the initial request. A legitimate indexing bot should request robots.txt first, since it contains the directives the bot is expected to follow.
  2. Malformed requests were identified.
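As an added example (not code from the Analecta posts), the two checks these reports rely on, run over constructed Apache combined-format log lines: a Shellshock probe marker in request headers, and a client that fetched robots.txt only after other requests. The IP addresses and User-Agent strings in the sample are made up.

```python
import re

# Constructed Apache combined-format log lines (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:03:00:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo CONSTRUCTED_MARKER"
198.51.100.7 - - [12/Mar/2015:06:41:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "ConstructedBot/1.0"
198.51.100.7 - - [12/Mar/2015:06:41:05 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "ConstructedBot/1.0"
198.51.100.7 - - [12/Mar/2015:06:41:09 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ConstructedBot/1.0"
192.0.2.9 - - [12/Mar/2015:07:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "OtherBot/2.0"
192.0.2.9 - - [12/Mar/2015:07:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "OtherBot/2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A Shellshock (CVE-2014-6271) probe places a bash function definition,
# "() {", in a header that a CGI handler exports as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse(log_text):
    """Parse combined-format lines in file order; unmatched lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def shellshock_hits(entries):
    """Source IPs whose User-Agent or Referer carries the Shellshock marker."""
    return sorted({e["ip"] for e in entries
                   if SHELLSHOCK_RE.search(e["ua"] + " " + e["referer"])})


def late_robots_clients(entries):
    """Source IPs that fetched robots.txt only after other requests.

    A well-behaved indexer fetches robots.txt first, so a late fetch is the
    crawler anomaly the report describes."""
    first_path, robots_ips = {}, set()
    for e in entries:
        first_path.setdefault(e["ip"], e["path"])
        if e["path"].endswith("/robots.txt"):
            robots_ips.add(e["ip"])
    return sorted(ip for ip in robots_ips if not first_path[ip].endswith("/robots.txt"))


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    print("Shellshock probes from:", shellshock_hits(ents))          # ['203.0.113.5']
    print("robots.txt fetched late by:", late_robots_clients(ents))  # ['198.51.100.7']
```

On a real server the same checks would be fed the web server's access log instead of SAMPLE_LOG; a hit on the Shellshock marker is worth alerting on regardless of response status, since the probe itself identifies a scanning host.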

Malformed Requests

All cross-referenced resources within the site were individually retrieved, which is common for a crawler. However, additional requests were made that were not based on any reference internal to the site:


Research into the likely source of these requests produced no immediate leads. Analysts with Analecta are continuing to research likely explanations.

Damage Assessment

No damage was sustained by the server from these requests.