Update: More information about this attack is now available from SANS: https://isc.sans.edu/diary.html?storyid=13312
I filed this one under "programming" because at some point in their career every programmer will be asked to investigate suspicious activities. In all likelihood they have received zero training on how to do something like this. Although I did my master's thesis on artificial intelligence for network intrusion detection I hardly consider myself a security expert.
Still I've been on the receiving end of many "hey could you take a look at this?" requests, usually for web traffic coming from a country that's a known haven for hackers. Yes, I know that most of the LulzSec hackers were arrested here in the United States. The key word there is "arrested", none of them are currently openly running fake anti-virus sites with authorities from their government looking the other way. We're plenty screwed-up over here but we sure excel at jailing people.
Anyway, this particular attack was not only different but not found on Google. So this is either something new or experimental, that's what makes it interesting.
It started with the following request:
404 1803 "-" "
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
I have light experience with PHP but can tell right away what this is trying to do. This request is hoping that you've unsecured your site to the point where an authenticated internet user can change PHP settings. If so it's going to disable security, allow some stuff you usually would turn off, and then inject some additional content on your index.
At first I figured this was just some script kiddie who I could report to their ISP if I felt like burning a couple calories. The source IP address resolves to AT&T in North Carolina so this theory held up for a second. Then I looked at the browser string one more time - Windows 2000 running Internet Explorer 6. So either we have a 12 year-old PC someone built for their grandparents to check email on or a bot that's using a fake user agent string. A very quick Google search reveals a dozen different bots using this string.
The real giveaway though is the IP address it's trying to import a file from - 18.104.22.168. Golly gee Beaver, I wonder what country that could possibly resolve to?
IP address: 22.214.171.124
Reverse DNS: [No reverse DNS entry per dns01.privatelayer.com.]
Reverse DNS authenticity: [Unknown]
ASN Name: RELIANS (ISP Relians, Moscow, Russia)
IP range connectivity: 9
Registrar (per ASN): RIPE
Country (per IP registrar): EU [EU]
Country Currency: EUR [euros]
Country IP Range: 126.96.36.199 to 188.8.131.52
Country fraud profile: Normal
City (per outside source): Moscow, Moskva
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 184.108.40.206
Well I'm shocked.
Now let's see what exactly this request is trying to inject into sites. I would advise setting-up a virtual machine + Tor before poking around sites like this one. Here's a screenshot of the info3.txt file it's trying to import:
So all it's doing is injecting a string onto the site. This makes me suspect it's a two-part attack. First they want to create an inventory of vulnerable sites then attack them all at once. If they did them one site at a time there's a chance one of the early ones would figure out what's going on and word would spread about this attack. Now if they grab a couple thousand sites all at once they can launch one heck of a fake anti-virus campaign or whatever they're doing.
So if there's an info3.txt I figure there's probably an info2.txt. Sure enough there was:
What we can see here is the author of this attack has serious issues with their masculinity. He was probably picked last a lot in whatever they play on Russian schoolyards. The other thing we can see is that this writes c99.php to the web server. You can Google that for the details (and the source code).
I tried info.txt and info4.txt but only got their 404 message:
They are kind enough to share what web server they're running by not customizing their 404 pages.
I think this is where I'll leave things for now. I don't know if this site is part of a crime ring but since it has access to a botnet I'm going to assume it is. The 220.127.116.11 IP isn't showing up anywhere as a distributor of malware which is odd. Maybe this is a web server that was recently compromised or an IP address recently acquired by whoever is organizing this attack.
I could add 18.104.22.168 to my blacklist but it won't accomplish anything in this case, I'll probably do it anyway out of spite. It would be really peachy if ISPs would boot computers running botnets. I know some morons would complain about "net neutrality" or "access to information" but I don't really have a problem with it. An ISP is a private business and they should be allowed to set a rule that says "if your PC is under control of a botnet and risking the security of other PCs and/or web sites we're disconnecting it".
There's no practical solution to block all Russian IPs from accessing my site. Well, other than doing exactly that. Yeah I'd lose some legitimate visitors but maybe it's worth the trade-off. Despite going to American public schools in the 80s I have nothing at all against Russians or the country of Russia. I do have an issue though with all the hacking attempts and spam coming from Russian IPs. On another site I manage we recently broke the 200th Russian IP banned for comment spam. It's a shame because I know the spammers and hackers represent such a small portion of the total Russian population.
So to wrap things up... I'd be curious if anyone else has seen this particular hacking attempt. Maybe it's been going around for a while but Google sure seems oblivious to it. I'd also be curious to learn what the second phase of this attack looks like. My money is on something related to fake anti-virus software.