Wow Ken, Thanks for the thorough research. I just did a whois and figured it wasn't an attack.

But being a complete rookie (no experience with linux or servers prior to creating a droplet on DO 2 weeks ago) I was curious to not see any request prefix (GET|POST|CONNECT...etc...) and then I saw that the request was successful (status 200) instead of a 404. And what 11k of data did my server send in response...

In 13 days of logs this IP has only hit my server once and this is the only time I've seen such a request... So no issue with their legitimate research...

Thanks for tracking this down and please keep me in the loop if you hear back from them again.
dave

On 7/8/2016 2:41 PM, Spork Schivago wrote:
Okay Red-Tail Books, I got more information for you! This is the latest response I got:

"The malware is installed via a range of vulnerabilities including
social engineering.  This scan is really testing for the malware's
rendezvous protocol for command and control.  As a rule, we have been
informing law enforcement about infected machines and they have been
doing victim notification and thus if your correspondent is infected
they will be contacted. However, I believe that this particular
malware works exclusively with IIS and thus an Apache user is unlikely
to have much to worry about.  Unfortunately, I don't know the precise
meaning of the string or what it elicits and Paul (cc'd) who is the
grad student lead on this project is currently away on his honeymoon,
but I'm sure we can respond more succinctly once he returns"

So, it seems that you're in the clear and have nothing to worry about, mainly because you're running Apache and not IIS. I wish I could answer what the actual hex string means and what Apache responded with. Perhaps when Paul gets back from his honeymoon, we'll receive an answer.

Best of luck.

Ken.

On Fri, Jul 8, 2016 at 5:32 PM, Spork Schivago <sporkschiv...@gmail.com> wrote:

    I contacted one of the people involved with CESR and I have
    received a response.   This is what they say:

    "Yes, this is a scan from our group. It is not in fact looking for
    a vulnerability, but for a very specific infection.  The scan is
    harmless, but there is a very rare and stealthy piece of malware for
    which this scan will elicit a response (indicating that the server is
    compromised and is awaiting instructions).  The scan is part of a
    survey looking at how this particular threat actor has been targeting
    different organizations. If the scan is causing a problem for
    someone, please have them contact me and I can ask that their site be
    removed from the scan."

    I am waiting to hear back from him to see if there's a way to tell
    if you're actually vulnerable to this malware or not. The good
    news is your site isn't under attack or anything. Once I hear back
    from him, I'll let you know what he says.

    Thanks!

    On Fri, Jul 8, 2016 at 3:56 PM, Spork Schivago <sporkschiv...@gmail.com> wrote:

        I think I can shed a little light on this.   I believe it has
        something to do with exploits / vulnerabilities.   I'm not
        sure what the hex values are, but I'm guessing that's part of
        the exploit.   I've tried searching for it but couldn't find
        anything.   Maybe the query is confusing the search engines?

        Anyway, the IP address. If you research that IP address, you
        see that it resolves to: researchscan1.eecs.berkeley.edu

        If you go there, you see the message:

        Hello,

        This is a research scanning machine from the University of
        California at Berkeley. This machine regularly conducts scans
        of the entire Internet so you may have been scanned as part of
        an ongoing research project.

        If you have been or are currently being scanned and would like
        to opt out, please email cesr-scann...@lists.eecs.berkeley.edu
        with the IP ranges you would like to exclude in CIDR format and
        we will respond immediately.

        If you search google for the IP address, you see a lot of
        people saying this IP address tried hacking into their site or
        scanned it or something along those lines.   If I were to take
        a guess, just a guess, I'd guess that maybe they're conducting
        a large scan of the internet, trying to find servers that are
        exploitable for research purposes.   You might be able to find
        more information or someone more knowledgeable might be able
        to provide better advice on what to do.

        I've also googled cesr and found this:


        Center for Evidence-based Security Research (CESR)
        The Center for Evidence-based Security Research is an ongoing
        collaboration with researchers at the University of
        California, San Diego, seeking to understand modern Internet
        threats and develop effective countermeasures using analysis
        rooted in empirical observation.


        I found that here:

        https://www.eecs.berkeley.edu/Research/Areas/Centers/


        To me, it seems like it's valid research and they're not
        actually trying to do bad stuff, they're just looking for
        exploitable servers and making a list of the issues they
        found.   I'd be more interested in knowing if they actually
        got in.   If they found something, it's just a matter of time
        before someone who really wants to do bad stuff finds the same
        exploit and takes advantage of it.

        I hope this helps.

        Sincerely,
        Ken


        On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <i...@redtailbooks.com> wrote:

            Saw this in my access.log this morning...

            169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"

            Can someone more knowledgeable explain what the "request"
            was and why it was successful? And what 11k of data did
            Apache serve?

            Thanks
            dave

--
Red-Tail Books
204 N Florence St
Casa Grande, Az
520-836-0370
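A defender's way to triage lines like the one Dave posted, added here as an example and not code from anyone in this thread: it parses Apache combined-format access-log entries and flags request fields that are not HTTP request lines at all, so they stand out even when the logged status is 200. The sample lines other than the one quoted from the thread are constructed.

```python
import re
from typing import Dict, List

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
HTTP_REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Apache writes non-printable request bytes to the log as \xNN escapes
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}


def classify_request(request: str) -> str:
    """Label the %r field: a normal HTTP request line, or something else."""
    if HTTP_REQ_RE.match(request):
        return "http" if request.split(" ", 1)[0] in METHODS else "http-unknown-method"
    if ESCAPE_RE.search(request):
        # 0x16 0x03 is a TLS handshake record header: a client spoke TLS to the plaintext port
        if request.startswith(r"\x16\x03"):
            return "tls-on-plaintext-port"
        return "non-http-binary"  # raw bytes that never formed a request line (the case in the thread)
    return "malformed"


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    entry = m.groupdict()
    entry["kind"] = classify_request(entry["request"])
    return entry


def suspicious_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Entries worth a look regardless of the logged status: anything that is not a normal HTTP request."""
    return [e for e in map(parse_line, lines) if e["kind"] != "http"]


SAMPLE_LOG = [
    # the line from Dave's access.log as quoted in the thread
    r'169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"',
    # constructed: an ordinary page fetch (address from the RFC 5737 documentation range)
    r'203.0.113.7 - - [08/Jul/2016:05:45:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: a TLS ClientHello sent to port 80, another common source of \x.. request fields
    r'198.51.100.9 - - [08/Jul/2016:05:46:10 -0700] "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" 400 226 "-" "-"',
]

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f'{e["host"]}: {e["kind"]} (status {e["status"]}, {e["bytes"]} bytes): {e["request"]}')
```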
