I remember this! I contacted the college that was running the scanners
and got in-depth information about what it was and how it worked.

These are the responses I got back from the people running the scan...

Apologies for the long delay. As Stefan said, I've been away on my
honeymoon.

As far as we know the malware is windows-only and injects itself into
IIS. I believe most AV vendors have signatures for the malware. Also
as Stefan said, we've informed law enforcement about infections we've
discovered, so we expect they'd contact victims. This malware is
extremely rare, so the likelihood of the party you're interacting with
being infected is very very low.

If the party would like to share their external public IP I'm also
happy to check our logs and see if they come back as infected.

With respect to the string and what it elicits. It's a series of 64
random bytes of data that have been lightly modified to meet a
specific bit-mangling pattern. An infected machine responds back with
what looks like 64 random bytes that have the same bit-mangling
pattern (but not the same bytes).

If you have further questions, I'm happy to respond.



In Apache, one person was receiving the bytes and their Apache server was
responding back with a 200. The person I talked to looked into it and
said for that particular IP address, it looked like Apache was sending back
the default html file, but said the response would vary depending on what
service was running. Some might respond with an error page, some might
respond with an error code, some might send a default page, etc.


There's a way to do a reverse IP lookup on the IP address and see if there's
a DNS entry for it. That's how I was able to successfully figure out who
the senders were (Berkeley) originally. I used dig I believe. I don't
have access to my Linux box right now, otherwise I'd check to see if the IP
addresses are actually from Berkeley. There's always a chance that
they're using more than one server / IP now to conduct the scanning. I
believe they were originally trying to scan the whole internet.

They had said it's a very specific type of malware that only affects IIS to
their knowledge. If you're not running a Windows server running IIS, you
should be good to go.

On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <rainer.cana...@sevenval.com>
wrote:

> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmul...@arccorp.com> wrote:
> > From the looks of it I would say it is targeting servers running SSL.
> Are
> > you serving up HTTP or HTTPS ?
>
> I don't think that that is valid SSL, unless your httpd discards the
> first few bytes.
> There was a SANS handler diary entry just yesterday about this:
>
> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/
>
> if I try `openssl s_client -connect localhost:14020`, I get the below
> entry in my access.log, which matches the description in the diary:
>
> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>
> this, however, is something completely different. I'd also guess it's some
> kind of vulnerability scan:
>
> > IP
> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
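The thread turns on telling two things apart in an access log: a TLS ClientHello sent to a plain-HTTP port (the SANS diary case, a 0x16 0x03 0x01 record header that httpd answers with a 400) and the random-byte probe the scanning team describes. httpd writes the request line (%r) with non-printable bytes escaped as \xNN and backslash/quote as \\ and \", so the field has to be unescaped back to bytes before either pattern can be recognised. The script below is an added example, not code from anyone in this thread or from the scanning team: it decodes the escaped request field and labels each line. Its sample input is the three log lines quoted above plus one ordinary GET constructed as a control; the regex for locating %r assumes the common or vhost_combined log formats seen in the thread, and the explanation of why fewer than 64 probe bytes appear (httpd logs the request line only up to the first LF, and a NUL byte ends it as a C string) is my reading of httpd's behaviour, not something the thread states.

```python
import re

# Escape sequences as written by httpd's log escaping: \xNN for
# non-printable bytes, \\ and \" for backslash and double quote, and
# \b \n \r \t \v \f for those control characters.
_ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"bnrtvf])')
_CONTROL = {'\\': 0x5C, '"': 0x22, 'b': 0x08, 'n': 0x0A,
            'r': 0x0D, 't': 0x09, 'v': 0x0B, 'f': 0x0C}

# The first double-quoted field after the timestamp is %r in the common
# and vhost_combined formats used in the thread (assumption: other custom
# LogFormats may need a different locator).
_REQUEST = re.compile(r'\]\s+(?:-\s+)?"((?:[^"\\]|\\.)*)"')


def unescape_request(field: str) -> bytes:
    """Reverse httpd's log escaping and return the request line as raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else _CONTROL[esc])
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify(raw: bytes) -> str:
    """Label a raw request line: http, tls-client-hello, tls-record or binary-probe."""
    # A TLS record starts with content type 0x16 (handshake) and a 0x03xx
    # record-layer version; byte 5 is the handshake type, 0x01 = ClientHello.
    # httpd only logged the 6 bytes up to the first NUL, which is why the
    # thread's s_client line ends at "\x01".
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        return 'tls-client-hello' if len(raw) >= 6 and raw[5] == 0x01 else 'tls-record'
    # A real HTTP request line is an upper-case token, a space and printable ASCII.
    method = raw.split(b' ', 1)[0]
    if method.isalpha() and method.isupper() and all(0x20 <= b < 0x7F for b in raw):
        return 'http'
    # Anything else (high-bit and control bytes with no method) is treated as
    # a binary probe like the 64-byte pattern the scanning team describes.
    return 'binary-probe'


def scan_log(lines):
    """Return (client_ip, label, logged_byte_count) for every parsable log line."""
    results = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        raw = unescape_request(m.group(1))
        results.append((line.split()[0], classify(raw), len(raw)))
    return results


# Sample input: the three request lines quoted in the thread, plus one
# ordinary GET constructed here as a control.
SAMPLE_LOG = [
    r'127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"',
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'192.0.2.10 - - [02/Oct/2016:16:05:00 +0300] "GET /index.html HTTP/1.1" 200 48605',
]

if __name__ == '__main__':
    for ip, label, n in scan_log(SAMPLE_LOG):
        print(f'{ip:<12} {label:<17} {n:>3} bytes logged')
```

Run against the sample, the s_client line comes out as a 6-byte tls-client-hello, the two 0.0.0.0 lines as binary-probe with 15 and 40 bytes logged (the remainder of the 64-byte probe never reaches the log), and the GET as http. The byte count is worth keeping in the output: a probe that stops at a LF or NUL looks short, while a mis-sent TLS handshake is always the same 6-byte prefix, so the two are easy to separate once the field has been unescaped.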
