Watching your logs can be a lot of fun, in particular if you have some interesting logs to look at. On the other hand: if you think your logs are boring, you are probably just not looking hard enough. My latest log excursion started with two alerts from the ISC poll feature we have on the index page. Within a couple of minutes, two very different IP addresses submitted comments that got identified as spam:
Request #1 from 126.96.36.199.
POST /poll.html HTTP/1.1
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
poll_comment: add comment
The first one isn't all that remarkable in my opinion. We get a couple dozen of them a day. But the second one is sort of interesting. Can you pick out why?
The line subject:-1' is what caught my attention. The other odd thing is that these two requests came in very close to each other but look very different.
If you look at the two IP addresses (188.8.131.52 and 184.108.40.206), it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's checkip feature shows that they are suggested to be part of the Russian Business Network.
Well... what to do from here? Seeing a little bit of coordination like this always makes me think "What did I miss now?". So my next idea was "What else comes in from AS 5577?". AS 5577 originates about 20 prefixes. While not everything in AS 5577 is evil, it does appear to be a hiding spot for RBN activity. The company root.lu appears to be in the super-low-rate dedicated hosting business, which frequently means not much money to spend on oversight and proper abuse handling. The next step was to filter the last few days of logs for these prefixes, to check what else we get. Here are a few oddities that came to light (there were a couple hundred hits...):
1. Are we listed yet?
220.127.116.11 GET /block.txt HTTP/1.1 libwww-perl/6.0
18.104.22.168 GET /top10-2.txt HTTP/1.0 Wget/1.11.4
22.214.171.124 GET /top10-2.txt HTTP/1.0 Wget/1.10.2 (Red Hat modified)
126.96.36.199 GET /top10-2.txt HTTP/1.0 Wget/1.12 (linux-gnu)
Looks like they keep checking if they are listed as a top 10 or a blocked IP address. We got quite a few hits like that from AS 5577 hosts. Interestingly, they use a couple of different IP addresses and user agents to perform these queries. And yes, they are listed from time to time.
2. Synapse as SQL Injection tool
188.8.131.52 GET /index.html?menu=-1%27 Synapse)
The user agent points to the Apache XML Enterprise Bus Synapse. It is not clear why this user agent is used here, or if it is actually related to the tool by Apache. But so far, all the requests with this user agent are related to SQL injection attempts.
3. Outdated Browsers and a Love for RSS
184.108.40.206 GET /diary.html?storyid=10885 rv:220.127.116.11) Gecko/20090729 Firefox/3.5.2
The URL (rss) indicates that the user here followed a link in our RSS feed, and the RSS feed is polled regularly by AS 5577 machines. The browser version is a bit old and set to US English (Windows NT 5.1).
We haven't used the .php extension nor the host name forum.dshield.org in a while. So it is odd that this IP came back 3 times in one second, but never retrieved the URL it got redirected to. Again HTTP/1.0 and a fake-looking user agent (this user agent exists... but I have hardly ever seen it used legitimately these days). Maybe the old bulletin board we had at that URL years ago was vulnerable to *something* and is still listed in some search engine.
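The triage described above (filter the access log down to the suspect AS's prefixes, then tag the recurring patterns: "are we listed yet" fetches, the -1' probes, and HTTP/1.0 requests) as an added Python example; this is not code from the diary or from ISC. The prefixes and log lines are constructed placeholders in documentation ranges, not the real AS 5577 routes.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed placeholder prefixes (documentation ranges) standing in for the
# roughly 20 prefixes the AS announces; they are NOT the real AS 5577 routes.
SUSPECT_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Paths the diary saw fetched to check whether the client is listed.
LIST_CHECK_PATHS = {"/block.txt", "/top10-2.txt"}
# Constructed combined-log-format lines for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2011:10:00:01 +0000] "GET /top10-2.txt HTTP/1.0" 200 512 "-" "Wget/1.12 (linux-gnu)"
192.0.2.11 - - [01/Jan/2011:10:00:02 +0000] "GET /index.html?menu=-1%27 HTTP/1.1" 200 4096 "-" "Synapse"
198.51.100.7 - - [01/Jan/2011:10:00:03 +0000] "POST /poll.html HTTP/1.1" 200 128 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [01/Jan/2011:10:00:04 +0000] "GET /diary.html?storyid=10885 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 Firefox/3.5.2"
192.0.2.12 - - [01/Jan/2011:10:00:05 +0000] "GET /block.txt HTTP/1.0" 200 256 "-" "libwww-perl/6.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"'
                    r' (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def in_suspect_prefix(ip_text):
    """True if the client address falls inside one of the tracked prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in SUSPECT_PREFIXES)

def classify(target, proto, ua):
    """Tag one request with the patterns the diary called out."""
    path, _, query = target.partition("?")
    tags = []
    if path in LIST_CHECK_PATHS:
        tags.append("list-check")
    if "-1'" in unquote(query):  # matches both -1' and its %27 encoding
        tags.append("sqli-probe")
    if proto == "HTTP/1.0":
        tags.append("http10")
    return tags

def triage(log_text):
    """Keep only requests from the suspect prefixes; return them with tag counts."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not in_suspect_prefix(m["ip"]):
            continue
        tags = classify(m["target"], m["proto"], m["ua"])
        hits.append((m["ip"], m["target"], tags))
        counts.update(tags)
    return hits, counts
```

Untagged hits from the suspect prefixes (like the poll POST) are kept as well, since the point of the filter is to see everything those networks send, not only what already matches a known pattern.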
More to come...
Want to learn more about defending web applications? Check out DEV522 Defending Web Applications in Denver, CO and Washington, DC.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.