Re: [suse-security] Apache Log - rusftpsearch is back

20 Jan 2001

      Ring0 (that was a nifty one):

http://www.sans.org/y2k/practical/Haruna_Isa.txt

Detect #4: Ring0

Apache Access Log View

194.209.172.145 - - [03/Feb/2000:15:06:27 -0500] "GET 
http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip
&psthost=a.cable.host&pstport=80 HTTP/1.0" 404 292

1. Identity

194.209.172.145/border1.leunet.ch
Whois: Leunet, Frauenfeld, Switzerland
WWW (www.leunet.ch): Leunet Internet Provider

2. Technique

Attempting to send back to web server www.rusftpsearch.net that the 
targeted host is running an anonymous web proxy.  The machine 
conducting the probe has likely been compromised by the Ring0 trojan.

3. Intent

Compiling a list of anonymous web proxies.  If the targeted machine had 
been running an anonymous web proxy, it would have accessed the cgi-
script at www.resftpsearch.com and passed its IP address as an 
argument.  Presumably, the cgi script would add the IP address to a 
list of anonymous web proxies it was compiling.  Trojan'd computers do 
the scanning, therefore the owner of the originating computer in this 
case might be unaware of the activity.

4. Active Targeting

Sort of.  The Trojan randomly selects addresses to probe for web 
proxies.  Also, the owner of the source machine is likely unaware of 
the activities of the Trojan.

5.  Evaluation

Anonymous web proxies allow any user to proxy a web connection through 
them thus hidng the source address of that user.  A web site accessed 
through the proxy would record the address of the proxy as the source.  
This mechanism is a favorite with hackers to hide their identity when 
mounting attacks or doing recon.  These probes are conducted by the 
Ring0 trojan.  The source name 'border1' seems to be indicative of some 
type of network border device (firewall, NAT device, etc.) Since this 
is an ISP, the actual compromised machine might be behind the 'border' 
device thus the address we have is not necessarily the address of the 
compromised machine.

Bottom Line: Low threat.  The targeted machine is not running an 
anonymous web proxy.  The web server which logged the access denied the 
request.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net

----- Original Message ----- 
From: "Ulrich Klenk" 
To: 
Sent: Saturday, January 20, 2001 2:21 AM
Subject: [suse-security] Apache Log - rusftpsearch is back
...
Hello all,
found this one in an Apache access-log-file:
"GET
http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62
.127&pstport=80".
Can someone please point me to some information for that probe?
What were they doing?
I found something about this in the list for December 1999, but there are
only discussions about rusftpsearch.net..
Greetings,
Uli
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com