
SANS ISC: Poetry attack? - Internet Security | DShield SANS ISC InfoSec Forums


Poetry attack?

If, like me, you spend a fair amount of time looking at network traffic and logs, there are generally things that make you frown, groan and utter noises of dismay. It isn't often that you get a little chuckle (other than coding errors that are copied between pieces of malware by the various people creating it). Today though, definitely chuckle time.

If you have a look in your web server logs for "Request Method DELETE" or "DELETE your logs" or IP address 151.217.177.200 (possibly others in that range; it is a /16), you may find the following:

DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0
User-Agent: masspoem4u/1.0 
Accept: */*

The IP address/range belongs to the Chaos Computer Club based in Germany. 

Not seeing anything else being delivered, but it gave a number of us a nice chuckle to end the year with.

Happy New Year. 

Mark H.

Mark

391 Posts
ISC Handler
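A log check for the request described in the post, as an added example that is not part of the original diary or its comments. It assumes Apache/nginx "combined" access log format; the sample lines are constructed (timestamps, status codes and the other client addresses are made up, and the poem is shortened).

```python
import ipaddress
import re

# Indicators from the diary text: source range and scanner user agent.
POEM_NET = ipaddress.ip_network("151.217.0.0/16")
UA_PREFIX = "masspoem4u/"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real log data; poem shortened).
SAMPLE = [
    '151.217.177.200 - - [30/Dec/2015:21:14:03 +0000] "DELETE your logs. Delete your '
    'installations. Wipe everything clean. <3 HTTP/1.0" 400 226 "-" "masspoem4u/1.0"',
    '198.51.100.7 - - [30/Dec/2015:21:15:10 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Dec/2015:21:16:42 +0000] '
    '"DELETE /api/items/42 HTTP/1.1" 405 0 "-" "curl/7.43.0"',
]

def classify(line):
    """Return the reasons a log line matches the poem request, or []."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    # The poem is full of spaces, so a three-way split of the request line
    # fails: take the first token as method and the last as protocol.
    method, _, rest = m["req"].partition(" ")
    target, _, proto = rest.rpartition(" ")
    if not proto.startswith("HTTP/"):
        target = rest  # no protocol token present
    if method == "DELETE" and " " in target:
        reasons.append("DELETE with free-text request-target")
    if m["ua"].startswith(UA_PREFIX):
        reasons.append("masspoem4u user agent")
    try:
        if ipaddress.ip_address(m["ip"]) in POEM_NET:
            reasons.append("source in 151.217.0.0/16")
    except ValueError:
        pass  # client field is a hostname, not an address
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every matching line."""
    return [(n, r) for n, r in ((n, classify(l)) for n, l in enumerate(lines, 1)) if r]
```

The ordinary `DELETE /api/items/42` call in the sample is not flagged, because the check keys on a request-target containing spaces rather than on the method alone.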
The name 'masspoem' may indicate that they just renamed masscan and recompiled. Simple and effective!
Royce

4 Posts
Why do you think that the address 151.217.177.200 is in any way related to the Chaos Computer Club? According to RIPE whois this address is still not allocated - one of the few still free IPv4 addresses. And a traceroute to this address ends up in Nirvana.

So I guess that the sender of this 'nice' poem faked his originating IP address.
Royce
7 Posts
Hi,
Because the CCC receives temporary IP addresses from RIPE during the event. The event is now over and the IP addresses have been released!

inetnum: 151.217.0.0 - 151.217.255.255
netname: DE-CCC-20151201
descr: Chaos Computer Club Veranstaltungsgesellschaft mbH
remarks: ===========================================
remarks: === _________ ____ _____ ===
remarks: === |___ /___ \ / ___|___ / ===
remarks: === |_ \ __) | | |_ \ ===
remarks: === ___) / __/| |___ ___) | ===
remarks: === |____/_____|\____|____/ ===
remarks: === ===
remarks: === 32nd Chaos Communication Congress ===
remarks: === events.ccc.de/congress/2015/ ===
remarks: === December 27th to 30th, 2015 ===
remarks: ===========================================
remarks: === ===
remarks: === If you have trouble with users from ===
remarks: === this netblock, please call our ===
remarks: === ===
remarks: === ABUSE HOTLINE: +49 40 2318891984 ===
remarks: === ===
remarks: ===========================================
country: DE
org: ORG-CCCV23-RIPE
sponsoring-org: ORG-CCCE3-RIPE
admin-c: CCC-RIPE
tech-c: CCC-RIPE
status: ASSIGNED PI
remarks: Temporary assignment (start date: 2015/12/01, end date: 2015/12/31 and duration 30 days)
Xme

455 Posts
ISC Handler
For some reason, I can't read the whole poem without copying it out of the webpage. The long unwrapped line totally messes up the layout on FF43 (pushing the commenters' avatars and names off the screen etc).
Visi

41 Posts
