Signs of a script kiddie
So I was reviewing some IIS logs for a customer and noticed some attempts at malicious activity... I got a chuckle out of the calling cards.
2013-12-17 03:15:51 X.X.X.X GET /w00tw00t.at.blackhats.romanian.anti-sec - 80 - 203.171.229.184 ZmEu 404 0 2 250
2013-12-09 01:40:59 X.X.X.X GET /muieblackcat - 80 - 37.77.7.238 - 404 0 2 281
They're poking at the default site root and then trying to poke around and see if they can get to php, cgi-bin, or WordPress resources:
2013-12-19 19:45:24 X.X.X.X GET /wp/wp-login.php - 80 - 202.117.1.240 Mozilla/5.0+(X11;+U;+Linux+i686;+pt-BR;+rv:1.9.0.15)+Gecko/2009102815+Ubuntu/9.04+(jaunty)+Firefox/3.0.15 404 0 2 328
2013-12-17 03:15:51 X.X.X.X GET /phpMyAdmin/scripts/setup.php - 80 - 203.171.229.184 ZmEu 404 0 2 250
2013-12-16 03:02:49 X.X.X.X GET /cgi-bin/php5 - 80 - 89.248.160.192 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+9 404 0 2 171
But these don't exist. What's interesting is that the "Romanians" are coming from a Chinese source; I think someone is trying to get fingers pointed the other way.
Comments
-
chaser7783 Member Posts: 154
Good ole Zmeu scanner; also, don't pay too much attention to w00tw00t.at.blackhats.romanian.anti-sec:, it's a default string in the scanner.
-
YFZblu Member Posts: 1,462
I saw those same GET requests come in a couple of days ago where I work. Chinese IP address as well. We see a ton of automated attacks looking for vulnerable PHP.
-
lsud00d Member Posts: 1,571
Good point @chaser7783, I didn't have a chance to do follow-up recon. I'll look into the Zmeu scanner!
@YFZblu, don't you deal with SIEMs?
-
chaser7783 Member Posts: 154
Yeah, I see hundreds of these requests a day; the payload will look something like this.
GET /w00tw00t.at.blackhats.romanian.anti-sec: )HTTP/1.1
Accept: text/html, application/x-javascript, text/javascript, text/css, text/xml, application/xml, application/xhtml+xml, text/plain, application/*
Accept-Language: en-us
User-Agent: ZmEu
X-Language: ES
-
YFZblu Member Posts: 1,462
> Good point @chaser7783, I didn't have a chance to do follow-up recon. I'll look into the Zmeu scanner!
> @YFZblu, don't you deal with SIEMs?
Yes - One of the rules we have firing detects the ZmEu user-agent. So we see this one a lot.
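A small detector for the pattern this thread describes (the ZmEu user-agent, the two calling-card paths, and 404s on PHP/cgi-bin/WordPress probe paths), run over IIS W3C log lines. This is an added example, not any poster's code or the actual SIEM rule mentioned above; it assumes the IIS default field order, and the indicator list is taken from the thread.

```python
import re
from collections import defaultdict
# Assumed field order: the IIS default W3C columns, which match the 14 columns
# in the thread's log lines (check the log's own "#Fields:" header before use).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]
# Indicators from the thread: the scanner's user-agent, its two calling-card
# paths, and the PHP / cgi-bin / WordPress resources it probes for.
SCANNER_UA = "zmeu"
CALLING_CARDS = {"/w00tw00t.at.blackhats.romanian.anti-sec", "/muieblackcat"}
PROBE_PATHS = re.compile(r"wp-login\.php|phpmyadmin|/cgi-bin/", re.IGNORECASE)

def parse_line(line):
    # One record per line; None for comment lines or a wrong column count.
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS writes spaces as '+'
    return rec

def classify(rec):
    # Reasons a record looks like scanner traffic; empty for ordinary requests.
    reasons = []
    if SCANNER_UA in rec["cs(User-Agent)"].lower():
        reasons.append("zmeu-user-agent")
    if rec["cs-uri-stem"].lower() in CALLING_CARDS:
        reasons.append("calling-card-path")
    if rec["sc-status"] == "404" and PROBE_PATHS.search(rec["cs-uri-stem"]):
        reasons.append("404-on-known-probe-path")
    return reasons

def scan(lines):
    # Group flagged requests by client IP: {c-ip: [(uri-stem, reasons), ...]}.
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            hits[rec["c-ip"]].append((rec["cs-uri-stem"], reasons))
    return dict(hits)

# Constructed sample: the thread's lines plus one benign request (198.51.100.7).
SAMPLE_LINES = [
    "2013-12-17 03:15:51 X.X.X.X GET /w00tw00t.at.blackhats.romanian.anti-sec - 80 - 203.171.229.184 ZmEu 404 0 2 250",
    "2013-12-09 01:40:59 X.X.X.X GET /muieblackcat - 80 - 37.77.7.238 - 404 0 2 281",
    "2013-12-19 19:45:24 X.X.X.X GET /wp/wp-login.php - 80 - 202.117.1.240 Mozilla/5.0+(X11;+Linux+i686) 404 0 2 328",
    "2013-12-16 03:02:49 X.X.X.X GET /cgi-bin/php5 - 80 - 89.248.160.192 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2 171",
    "2013-12-17 03:16:00 X.X.X.X GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15",
]
```

Calling scan(SAMPLE_LINES) returns the four probing client IPs with the reason each request was flagged, and leaves the benign request out.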