Odd POST Request To Web Honeypot

Published: 2015-04-14. Last Updated: 2015-04-14 02:11:17 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

I just saw this odd POST request to our honeypot's index page. Has anybody seen something like this? No idea what they are trying to accomplish.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; EIE10;ENUSMSN)\r\n
Host: [IP Address of Honeypot]
Content-Length: 364
Cache-Control: no-cache

I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykFE1QDf9qZ+7DWSqt4nzWXnsjB1yXtBq8Ln7nj2FExhjmxJcRTYLCuDyBnRP8cpqOAlJrM68lEatjAS4O2bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcnCnDZJxq0t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR6ukW1yRvMMe1seSujBbfBqrZbijFHaH4eK5TcH6AJGkikgaiVLi6uABwhnX+VL9Nzfss+RRzC4n1hX6zHKn4+XfoCIHs3hFbgUOjqQx2vPvOek3+y2fAbsndiqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/SRIbl

The payload looks Base64 encoded, but decoding doesn't help much either. The payload also looks like the "+" (which would be a space if URL encoded) marks a delimiter.

<U(..i.;.k(
0000010: df8a f237 8362 2b86 f6cb 6213 2905 1354  ...7.b+...b.)..T
0000020: 037f da99 fbb0 d64a ab78 9f35 979e c8c1  .......J.x.5....
0000030: d725 ed06 af0b 9fb9 e3d8 5131 8639 b125  .%........Q1.9.%
0000040: c453 60b0 ae0f 2067 44ff 1ca6 a380 949a  .S`... gD.......
0000050: cceb c944 6ad8 c04b 83b6 6e94 156e d547  ...Dj..K..n..n.G
0000060: 0327 edb5 df4b 72c6 83be 4603 0fd5 1a39  .'...Kr...F....9
0000070: 5727 0a70 d927 1ab4 b783 398b d59a 26eb  W'.p.'....9...&.
0000080: 2b48 1349 ae2f 5baf d085 8c43 3b22 b2f1  +H.I./[....C;"..
0000090: 4b56 544b 8951 eae9 16d7 246f 30c7 b5b1  KVTK.Q....$o0...
00000a0: e4ae 8c16 df06 aad9 6e28 c51d a1f8 78ae  ........n(....x.
00000b0: 5370 7e80 2469 2292 06a2 54b8 bab8 0070  Sp~.$i"...T....p
00000c0: 8675 fe54 bf4d cdfb 2cf9 1473 0b89 f585  .u.T.M..,..s....
00000d0: 7eb3 1ca9 f8f9 77e8 0881 ecde 115b 8143  ~.....w......[.C
00000e0: a3a9 0c76 bcfb ce7a 4dfe cb67 c06e c9dd  ...v...zM..g.n..
00000f0: 8aac fc48 2ccc 252c d6d1 0c41 5ba2 63bb  ...H,.%,...A[.c.
0000100: c68d afe9 fdf9 e942 43ad 2f44 cfd2 4486  .......BC./D..D.
0000110: e5                                       .

Any ideas?

---
Johannes B. Ullrich, Ph.D.

Keywords: web honeypot
Comments

Working on it a little here:
http://coolfire.insomnia247.nl/sans.html

It seems to be some odd hexdumped binary format, but as best I can tell, part of the first line is missing.

Something seems to have gone wrong with your "decoded" version of the text. The original is 364 bytes, so the decoded should be 364/4*3=273 bytes. It seems you have pasted a mangled version of a hex encoding (try s/0000/\n0000/g and s/="" / /g to recover the hex encoding). The raw decoded text does not look URL-encoded and there would be no reason for it to be, so that comment seems like a red herring.

More probably: thinking he succeeded in installing a virus in your daemon, he just sent commands to it.

If you wrap the decoded payload at 100 characters, it starts looking like hex editor output. I don't know what to make of that though.

I'm not sure where the ="" bits came from, but if you remove them it appears to be a portion of a hex viewer output. No idea what it's of though. http://pastebin.com/W51iYyi7

When decoded as Unicode instead of ASCII, it comes out to the right length (0x111 bytes). There is also a repeating pattern of 0xFDFF that looks like it could be a delimiter.

PS C:\Users\jon> [system.text.encoding]::unicode.GetString([convert]::FromBase64String($a)) | Format-Hex

0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 23 6A FD FF C5 3C 55 28 AE C3 69 C2 3B 09 6B 28 #jý.Å<U(®ÃiÂ;.k(
00000010 DF 8A F2 37 83 62 2B 86 F6 CB 62 13 29 05 13 54 ß?ò7?b+?öËb.)..T
00000020 03 7F DA 99 FB B0 D6 4A AB 78 9F 35 97 9E C8 C1 .Ú?û°ÖJ«x?5??ÈÁ
00000030 D7 25 ED 06 AF 0B 9F B9 FD FF 51 31 86 39 B1 25 ×%í.¯.?¹ý.Q1?9±%
00000040 C4 53 60 B0 AE 0F 20 67 44 FF 1C A6 A3 80 94 9A ÄS`°®. gD..¦£???
00000050 CC EB C9 44 FD FF C0 4B 83 B6 6E 94 15 6E D5 47 ÌëÉDý.ÀK?¶n?.nÕG
00000060 03 27 ED B5 DF 4B 72 C6 83 BE 46 03 0F D5 1A 39 .'íµßKrÆ?¾F..Õ.9
00000070 57 27 0A 70 D9 27 1A B4 B7 83 39 8B D5 9A 26 EB W'.pÙ'.´·?9?Õ?&ë
00000080 2B 48 13 49 AE 2F 5B AF D0 85 8C 43 3B 22 B2 F1 +H.I®/[¯Ð??C;"²ñ
00000090 4B 56 54 4B 89 51 EA E9 16 D7 24 6F 30 C7 B5 B1 KVTK?Qêé.×$o0ǵ±
000000A0 E4 AE 8C 16 DF 06 FD FF 6E 28 C5 1D A1 F8 78 AE ä®?.ß.ý.n(Å.¡øx®
000000B0 53 70 7E 80 24 69 22 92 06 A2 54 B8 BA B8 00 70 Sp~?$i"?.¢T¸º¸.p
000000C0 86 75 FE 54 BF 4D CD FB 2C F9 14 73 0B 89 F5 85 ?uþT¿MÍû,ù.s.?õ?
000000D0 7E B3 1C A9 F8 F9 77 E8 08 81 FD FF 11 5B 81 43 ~³.©øùwè.ý..[C
000000E0 A3 A9 0C 76 BC FB CE 7A 4D FE CB 67 C0 6E FD FF £©.v¼ûÎzMþËgÀný.
000000F0 8A AC FC 48 2C CC 25 2C D6 D1 0C 41 5B A2 63 BB ?¬üH,Ì%,ÖÑ.A[¢c»
00000100 C6 8D AF E9 FD F9 E9 42 43 AD 2F 44 CF D2 44 86 ƍ¯éýùéBC­/DÏÒD?
00000110 FD FF ý.
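As an added analysis example (my code, not the diary's or any commenter's), the Python below decodes the Base64 body quoted in the diary, measures its byte entropy (why plain decoding "doesn't help much"), and locates every point where a lenient UTF-16LE decode inserts U+FFFD, the character that re-encodes as the FD FF bytes in the PowerShell dump above. The only input is the request body from the diary; the entropy and offset helpers are assumptions of this example.

```python
import base64
import math

# Base64 request body quoted in the diary above: 364 chars, so 364/4*3 = 273 bytes.
PAYLOAD_B64 = (
    "I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykFE1QDf9qZ+7DW"
    "Sqt4nzWXnsjB1yXtBq8Ln7nj2FExhjmxJcRTYLCuDyBnRP8cpqOA"
    "lJrM68lEatjAS4O2bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcnCnDZ"
    "Jxq0t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR6ukW1yRv"
    "MMe1seSujBbfBqrZbijFHaH4eK5TcH6AJGkikgaiVLi6uABwhnX+"
    "VL9Nzfss+RRzC4n1hX6zHKn4+XfoCIHs3hFbgUOjqQx2vPvOek3+"
    "y2fAbsndiqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/SRIbl"
)


def decode_payload(b64: str) -> bytes:
    """Strict Base64 decode; the '+' characters are alphabet symbols, not separators."""
    return base64.b64decode(b64, validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 means encrypted/compressed rather than encoded text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def replacement_offsets(data: bytes) -> list:
    """Byte offsets where a lenient UTF-16LE decode inserts U+FFFD.
    U+FFFD re-encodes as FD FF, the 'repeating 0xFDFF' in the PowerShell dump:
    a decoder artifact (lone surrogate or odd trailing byte), not a delimiter."""
    text = data.decode("utf-16-le", errors="replace")
    return [2 * i for i, ch in enumerate(text) if ch == "\ufffd"]


def explain_offset(data: bytes, off: int) -> str:
    """Why the decoder gave up at this offset (assumed helper for the analysis)."""
    if off + 1 >= len(data):
        return "odd trailing byte"
    unit = int.from_bytes(data[off:off + 2], "little")
    if 0xD800 <= unit <= 0xDFFF:
        return f"unpaired surrogate U+{unit:04X}"
    return "not a decoder artifact"


if __name__ == "__main__":
    raw = decode_payload(PAYLOAD_B64)
    print(f"{len(raw)} bytes, entropy {shannon_entropy(raw):.2f} bits/byte")
    for off in replacement_offsets(raw):
        print(f"U+FFFD at byte 0x{off:03x}: {explain_offset(raw, off)}")
```

The seven FD FF pairs in the Format-Hex output line up exactly with the six lone UTF-16 surrogates plus the odd final byte, so they say nothing about the payload's structure.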
