apache2 Strange Logs HASH(0xead1b0) etc.
Hello, on one Apache2 webserver we get strange logs: The originating IP reverse lookup points to internetidentity.com - Googling about this company says they provide anti-phishing filters to Microsoft. The file they are going for is a phishing site, placed frequently in unpatched Horde installations. What do the HASH(***) entries in the error logs mean?

209.147.127.222 - - [12/Jul/2006:18:11:53 -0500] "GET /horde/.../www.alaskausa.org/ultrabranch.alaskausa.org/services-activatevisa-init-wait.htm HTTP/1.1" 404 1025 "-" "HASH(0xead1b0), HASH(0xed5c50), HASH(0xed11a0), HASH(0xee8e60), HASH(0xeb2e10), HASH(0xec1600), HASH(0xed3b90), HASH(0xed5ce0), HASH(0xeac910), HASH(0xed0f70), HASH(0xeadf00), HASH(0xee8ef0), HASH(0xea2b10), HASH(0xead190), HASH(0xee86a0), HASH(0xee8a50), HASH(0xed7280), HASH(0xed5cc0), HASH(0xedd640), HASH(0xeb53f0), HASH(0xed3960), HASH(0xede590), HASH(0xed5fa0), HASH(0xed14e0), HASH(0xeb2e20), HASH(0xead580), HASH(0xeb4cf0), HASH(0xea6760), HASH(0xec98d0), HASH(0xe84640), HASH(0xed65d0), HASH(0xe988b0), HASH(0xed6050), HASH(0xe896a0), HASH(0xed0c90), HASH(0xea4e10), HASH(0xec9790), HASH(0xec9850), HASH(0xec98a0), HASH(0xec9c00), HASH(0xec9ac0), HASH(0xec9970), HASH(0xec4a60), HASH(0xeca0c0), HASH(0xee8fb0), HASH(0xee8fe0), HASH(0xee9010), HASH(0xee9040), HASH(0xee9070), HASH(0xee90a0), HASH(0xee90d0), HASH(0xee9100), HASH(0xee9130), HASH(0xee9160), HASH(0xee9190), HASH(0xee91c0), HASH(0xee91f0), HASH(0xee9220), HASH(0xee9250), HASH(0xee9280), HASH(0xee92b0), HASH(0xee92e0), HASH(0xee9310), HASH(0xee9340), HASH(0xee9370), HASH(0xee93a0), HASH(0xee93d0), HASH(0xee9400), HASH(0xee9430), HASH(0xee9460), HASH(0xee9490)"

Thanks a lot
Enrique
--
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com
They look like improperly dereferenced Perl hashes to me. That's the referrer field they're in, right? Any chance that this backdoor you're alluding to is coded so that it checks the referrer before getting chatty? On Thursday 13 July 2006 08:14, Dirk Enrique Seiffert wrote:
[...]HASH(0xed11a0), HASH(0xee8e60), HASH(0xeb2e10), HASH(0xec1600), HASH(0xed3b90), HASH(0xed5ce0), HASH(0xeac910), HASH(0xed0f70), HASH(0xeadf00), [...]
-- Fred Morris
On Thu, Jul 13, 2006 at 10:14:31AM -0500, Dirk Enrique Seiffert wrote:
Hello,
on one Apache2 webserver we get strange logs: The originating IP reverse lookup points to internetidentity.com - Googling about this company says they provide anti-phishing filters to Microsoft. The file they are going for is a phishing site, placed frequently in unpatched Horde installations. What do the HASH(***) entries in the error logs mean?
209.147.127.222 - - [12/Jul/2006:18:11:53 -0500] "GET /horde/.../www.alaskausa.org/ultrabranch.alaskausa.org/services-activatevisa-init-wait.htm HTTP/1.1" 404 1025 "-" "HASH(0xead1b0), HASH(0xed5c50), HASH(0xed11a0), HASH(0xee8e60), HASH(0xeb2e10), HASH(0xec1600), HASH(0xed3b90), HASH(0xed5ce0), HASH(0xeac910), HASH(0xed0f70), HASH(0xeadf00), HASH(0xee8ef0), HASH(0xea2b10), HASH(0xead190), HASH(0xee86a0), HASH(0xee8a50), HASH(0xed7280), HASH(0xed5cc0), HASH(0xedd640), HASH(0xeb53f0), HASH(0xed3960), HASH(0xede590), HASH(0xed5fa0), HASH(0xed14e0), HASH(0xeb2e20), HASH(0xead580), HASH(0xeb4cf0), HASH(0xea6760), HASH(0xec98d0), HASH(0xe84640), HASH(0xed65d0), HASH(0xe988b0), HASH(0xed6050), HASH(0xe896a0), HASH(0xed0c90), HASH(0xea4e10), HASH(0xec9790), HASH(0xec9850), HASH(0xec98a0), HASH(0xec9c00), HASH(0xec9ac0), HASH(0xec9970), HASH(0xec4a60), HASH(0xeca0c0), HASH(0xee8fb0), HASH(0xee8fe0), HASH(0xee9010), HASH(0xee9040), HASH(0xee9070), HASH(0xee90a0), HASH(0xee90d0), HASH(0xee9100), HASH(0xee9130), HASH(0xee9160), HASH(0xee9190), HASH(0xee91c0), HASH(0xee91f0), HASH(0xee9220), HASH(0xee9250), HASH(0xee9280), HASH(0xee92b0), HASH(0xee92e0), HASH(0xee9310), HASH(0xee9340), HASH(0xee9370), HASH(0xee93a0), HASH(0xee93d0), HASH(0xee9400), HASH(0xee9430), HASH(0xee9460), HASH(0xee9490)"
Those HASH() marks are signs of Perl scripts.

Ciao, Marcus
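As an added illustration (not part of the thread, and not anyone's posted code): in Apache's combined log format the fields after the byte count are "%{Referer}i" and "%{User-Agent}i", so in the line above the referrer is "-" and the list of HASH(0x...) tokens is the User-Agent. A Perl reference that is interpolated into a string, or joined into a list, instead of being dereferenced stringifies as TYPE(0xADDRESS), which is exactly this shape. The Python below parses the combined format and reports which field carries such tokens; the first sample line is the one from the thread with its User-Agent truncated to three entries, and the second is a constructed benign line for contrast. A check like this is a cheap way to surface buggy or hand-rolled scanning scripts in access logs, which is what the thread concludes these entries are.

```python
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# What a Perl reference looks like once it has been stringified rather than
# dereferenced, e.g. "$hashref" or join(", ", @list_of_hashrefs).
PERL_REF_RE = re.compile(r'\b(HASH|ARRAY|SCALAR|CODE|REF|GLOB)\(0x[0-9a-fA-F]+\)')

# Sample input: the thread's log line (User-Agent cut to three entries) and a
# constructed benign request.
SAMPLE_LINES = [
    '209.147.127.222 - - [12/Jul/2006:18:11:53 -0500] "GET /horde/.../www.alaskausa.org/'
    'ultrabranch.alaskausa.org/services-activatevisa-init-wait.htm HTTP/1.1" 404 1025 "-" '
    '"HASH(0xead1b0), HASH(0xed5c50), HASH(0xed11a0)"',
    '10.0.0.5 - - [12/Jul/2006:18:12:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; example-bot/1.0)"',
]


def parse_combined(line):
    """Split one combined-format line into named fields, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def perl_refs(text):
    """Return every stringified Perl reference token found in a field."""
    return [m.group(0) for m in PERL_REF_RE.finditer(text)]


def classify(line):
    """Parse a line and count stringified Perl references per client-controlled field.

    Returns a dict with host, status, request and a 'perl_refs' map of
    field name -> token count (empty when the line looks normal), or None
    if the line is not in combined format.
    """
    rec = parse_combined(line)
    if rec is None:
        return None
    hits = {}
    for field in ("request", "referer", "user_agent"):
        found = perl_refs(rec[field])
        if found:
            hits[field] = len(found)
    return {
        "host": rec["host"],
        "status": rec["status"],
        "request": rec["request"],
        "perl_refs": hits,
    }


def suspicious(lines):
    """Return the classified records whose fields contain Perl reference tokens."""
    out = []
    for line in lines:
        rec = classify(line)
        if rec and rec["perl_refs"]:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in suspicious(SAMPLE_LINES):
        print(rec["host"], rec["status"], rec["perl_refs"])
```

Run against a real access log with suspicious(open(path)); on the thread's line it reports the tokens in user_agent only, confirming which field the broken script was filling in.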