Thursday, January 11, 2007

Santy or s8 - the analysis process

While chating with fellows in freenode #snort-gui, David raised the interesting s8 probes that targetting web servers. As I'm seeing those probes as well, I would like to figure out what is happening in the network and why there are running in the wild.

After discussed with David, I tried not to dive into the network data but googling, however google doesn't return much useful information regarding the probes. In fact you may not know what I'm talking about regarding s8 myth, here are some entries -

1168444804.073301 %252740 GET /s8Region.asp
1168444830.868371 %252837 GET /s8qq.txt (404 "Not Found" [394]
1168444909.394569 %253078 GET /s8qq.txt (404 "Not Found" [387]
1168444992.374820 %253366 GET /eWebEditor/db/s8ewebeditor.mdb (404 "Not Found" [412]
1168452273.423501 %275283 GET /s8qq.txt (404 "Not Found" [389]
1168453495.280041 %278412 GET /s8showerr.asp?BoardID=0&ErrCodes=54&action= script JavaScript:alert(document.coo
kie); /script ( span style="font-weight: bold;" 404 /span "Not Found" [390]
1168453512.055104 %278412 GET /s8flash/downfile.asp?url=jackie/../../conn.asp (404 "Not Found" [397]

I have renamed all the hostname to blablalo and I think it doesn't hurt. So it is all about http get requests to the file with s8 prefix. Since I have no clue at all as those requests are unsuccessful - 404 and I don't have the files it requested, thus I tried to figure out what kind of domains they are targetting. After some info gathering, apparently all the sites that crawled by s8 requests are powered by discuz content management system. It seems discuz is very popular in China and it offers both asp and php based solutions.

To analyze further, I decided to go through the web server logs by looking for the s8 strings. Then extract all the IPs and performing whois to help me in doing correlations. Interestingly it helps me to conclude my finding. Below are the commands I executed when inside apache logs directory -

shell>for i in `egrep -i '/s8[a-z0-9]*\.asp' * \
| awk '{ print $1 }' | cut -f 2 -d : | uniq`; \
do jwhois $i >> s8whois.log; done

I navigated the results in s8whois.log and found that almost all source IPs are from China. Then I came to realize why google doesn't show up much results with their caches even regarding the s8 probes. Check out the link below - is the most popular search engine in China and I suspected that they are actually performing something similar to this but utilize their own popular search engine to query targeted vulnerable cms.

In fact the automated scripts that running to look for all the malicious scripts that been uploaded to vulnerable sites that powered by discuz should perform operating system or web server fingerprinting(latter easier to be done and more accurate) with better search engine query strings before performing http request on malicious scripts to remain unseen in unix based server.

I guess China system administrators(or whoever) use discuz cms have more headaches than us -

All for now, Peace (;])

Temp solution: Blocking user agent - InetURL:/1.0 via mod_security, all of the requests are carried by it that is pretty identical. - - [08/Jan/2007:17:30:05 +0800] "GET /s8servu.aspx HTTP/1.1" 404
- "-" "InetURL:/1.0"

No comments: