Did you ever try to run that on your own server? What would be the HTML response?

E
On 6 October 2016 at 16:47, Spork Schivago <sporkschiv...@gmail.com> wrote:
> I remember this! I contacted the college that was running the scanners and
> got in-depth information about what it was and how it worked.
>
> This is the response I got back from the people running the scan...
>
> Apologies for the long delay. As Stefan said, I've been away on my
> honeymoon.
>
> As far as we know the malware is Windows-only and injects itself into IIS.
> I believe most AV vendors have signatures for the malware. Also, as Stefan
> said, we've informed law enforcement about infections we've discovered, so
> we expect they'd contact victims. This malware is extremely rare, so the
> likelihood of the party you're interacting with being infected is very,
> very low.
>
> If the party would like to share their external public IP I'm also happy
> to check our logs and see if they come back as infected.
>
> With respect to the string and what it elicits: it's a series of 64 random
> bytes of data that have been lightly modified to meet a specific
> bit-mangling pattern. An infected machine responds back with what looks
> like 64 random bytes that have the same bit-mangling pattern (but not the
> same bytes).
>
> If you have further questions, I'm happy to respond.
>
>
> In Apache, one person was receiving the bytes and their Apache server was
> responding back with a 200. The person I talked to looked into it and said
> that for that particular IP address it looked like Apache was sending back
> the default HTML file, but said the response would vary depending on what
> service was running. Some might respond with an error page, some might
> respond with an error code, some might send a default page, etc.
>
> There's a way to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it. That's how I was able to successfully figure
> out who the senders were (Berkeley) originally. I used dig, I believe. I
> don't have access to my Linux box right now, otherwise I'd check to see if
> the IP addresses are actually from Berkeley. There's always a chance that
> they're using more than one server / IP now to conduct the scanning. I
> believe they were originally trying to scan the whole internet.
>
> They had said it's a very specific type of malware that only affects IIS
> to their knowledge. If you're not running a Windows server running IIS,
> you should be good to go.
>
> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <rainer.cana...@sevenval.com> wrote:
>
>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmul...@arccorp.com> wrote:
>> > From the looks of it I would say it is targeting servers running SSL.
>> > Are you serving up HTTP or HTTPS?
>>
>> I don't think that that is valid SSL, unless your httpd discards the
>> first few bytes.
>> There was a SANS handler diary entry just yesterday about this:
>>
>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/
>>
>> If I try `openssl s_client -connect localhost:14020`, I get the below
>> entry in my access.log, which matches the description in the diary:
>>
>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>
>> This, however, is something completely different. I'd also guess it's
>> some kind of vulnerability scan:
>>
>> > IP
>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605
>>
>> Rainer
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
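As an added example (not part of the thread, and not Apache's own code), the following Python decodes the `\xHH`-escaped request field that Apache writes into access.log and separates the two cases Rainer distinguishes above: a TLS ClientHello aimed at a plain-HTTP port (record type 0x16, major version 0x03) versus an arbitrary binary probe versus an ordinary HTTP request. The sample log lines are constructed after the shapes quoted in the thread; IPs are placeholders.

```python
import re

# Sample access-log lines, constructed after the shapes quoted in the thread: an
# openssl s_client hit on a plain-HTTP port, two binary probes, one ordinary GET.
SAMPLE_LOG = r'''
127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\"\xed\xa3u" 200 48605
10.0.0.5 - - [02/Oct/2016:16:05:00 +0300] "GET /index.html HTTP/1.1" 200 48605
'''

# Apache writes non-printable request bytes as \xHH and uses C-style escapes for a few others.
_C_ESCAPES = {'b': 0x08, 'n': 0x0a, 'r': 0x0d, 't': 0x09, 'v': 0x0b, '\\': 0x5c, '"': 0x22}
_REQUEST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted field, honouring \" inside


def unescape_request(field: str) -> bytes:
    """Turn the escaped request string from an access-log line back into raw bytes."""
    def one(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) == 3:          # \xHH
            return chr(int(esc[1:], 16))
        return chr(_C_ESCAPES.get(esc, ord(esc)))    # \b, \", \\ ... or a stray backslash
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', one, field).encode('latin-1', 'replace')


def classify_request(raw: bytes) -> str:
    """TLS record header (content type 22 = handshake, major version 3) vs other binary vs HTTP."""
    if raw[:2] == b'\x16\x03':
        return 'tls-handshake'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary-probe'
    return 'http'


def analyze_log(text: str) -> list:
    """Return (client_ip, class, request_length_in_bytes) for each line with a request field."""
    results = []
    for line in text.strip().splitlines():
        m = _REQUEST_FIELD.search(line)
        if m:
            raw = unescape_request(m.group(1))
            results.append((line.split()[0], classify_request(raw), len(raw)))
    return results
```

Running `analyze_log` over a real access.log and filtering on `binary-probe` gives the source IPs and payload lengths to compare against the 64-byte pattern described in the thread, while `tls-handshake` hits point at clients simply talking TLS to the wrong port.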