
Hi

Pages exploit UA

1:00 pm on Oct 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


UA: Hi
URI: /Pages/login.htm
ISP: Multi (from Florida to Taiwan)
Error: 400 (HTTP/1.1 request without hostname)

Info: First seen Oct. 2; dribbling but doubling hits every 12 hours. Different Host hits minutes to seconds apart. Related to Apple's recent "Pages" app update (Sept. 30th; v.8.2)?
5:20 pm on Oct 3, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15941
votes: 889


This will sound tangential but it's relevant to understanding the response:
HTTP/1.1 request without hostname
Pfui--or Agrippina or Demelza or whatever the heck your name is--have you got your own server? I'm pretty sure this category of error would never show up in shared hosting, because the server has no way of knowing it was your site (your VirtualHost) they're aiming for.

I saw the subject line and thought “Dammit, do I have to go find a moderator and ask them to make up something more useful?” before seeing that “Hi” is the full, actual, literal user-agent. I suppose one could make up an access-control rule requiring the UA string to be at least some-number-of-characters.

:: detour for experimentation ::

SemRushBot, 10 characters
Photon/1.0, 10 characters
cortex/1.0, 10 characters (has some connection to FB)
PleskBot, 8 characters
B2B Bot, 7 characters

I guess it becomes an academic question if they're just getting 400s anyway.
9:28 pm on Oct 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


- Lucy, you crack me up. My real name's Annie so you can take your pick. And yes, I tend to a private server so I have access to raw logs depending on IP configuration. (I'm definitely spoiled by this set-up; I'd go nuts in a shared situ.) I thought I'd toss in the Error code because it means the "Hi"-named exploit is misconfigured, at least at this apparently early stage.

- "Hi" is the shortest UA I've seen, not counting empty spaces. At first I thought it was some brand new CS student's unimaginative project:) Another recent shortie: Hakai/2.0

- Fortunately Hi is both stupidly named and coded. But at least its terse greeting means it's a heckuva lot easier on log file size than this egotistic insanity:

Mozilla/5.0 (Windows NT 10.0.17763.379; osmeta 10.3.31799) AppleWebKit/602.1.1 (KHTML, like Gecko) Version/9.0 Safari/602.1.1 osmeta/10.3.31799 Build/31799 [FBAN/FBW;FBMD/VivoBook 14_ASUS Laptop E406SAS;FBSN/Windows;FBSV/10.0.17763.615;FBSS/1;FBCR/;FBID/desktop;FBLC/en_US;FBOP/45]
10:04 pm on Oct 3, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15941
votes: 889


this egotistic insanity
I do believe I can top that :) and, after all, this is the SSID subforum, so anything goes. Excluding malign-robotic-script UAs (the ones packed with brackets and backslashes) the longest in current logs is--surprise!--not an MSIE build but:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 NokiaN90-1/3.0545.5.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1 Mozilla/5.0 (X11; U; Linux armv7l; en-GB; rv:1.9.2b6pre) Gecko/20100318 Firefox/3.5 Maemo Browser 1.7.4.7 RX-51 N900
I make it 439 characters, although logs suggest it really was just another malign robot. (There's a cluster of blocked requests, each with a different humanoid UA.) Even in isolation, the part where it claims to be concurrently an iPhone and an Android is a bit, hm, suspect.

:: waiting to see if anyone can top 500 characters ::
11:01 pm on Oct 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


Bot or not, I think that's a winner, length-wise. Sheesh, they should've just called that mishmash KitchenSink:)
12:15 am on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10590
votes: 1126


Do these bot folks think we are stupid?

Rhetorical question. :)
10:52 am on Oct 4, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5507
votes: 5


Given that the majority of website owners/administrators don't have a clue what a raw log is (or even have them turned on) (as well as owners/administrators that have appeared here over decades asking what raw logs are), most bots have their run of the majority of websites. Thus they certainly believe most owners/administrators are dense (why else would they keep hammering when they get 403's?)
2:15 pm on Oct 4, 2019 (gmt 0)

New User

joined:Oct 4, 2019
posts:2
votes: 0


So I'm a security analyst and I started noticing this traffic on our client networks the night before last. The packet contents are all the same (see below). This is hitting on an ancient Snort rule (WEB-MISC login.htm access) from 1999. I've pasted the rule below. It's a very vague rule which hits on a whole lot of benign traffic, but it caught this botnet activity.

This is the first (and so far only) place that I have seen people talking about this traffic so I just wanted to say thanks and if anyone finds out anymore info I'll be keeping an eye out for updates.

Snort rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)

Packet Content:
GET /Pages/login.htm HTTP/1.1
Connection: close
Content-Type: text/xml
Accept: */*
Accept-Language: en-us
Cache-Control: max-age=0
User-Agent: Hi

[edited by: phranque at 10:00 pm (utc) on Oct 4, 2019]
[edit reason] disable graphics smile faces for this post [/edit]
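The three checks the thread has circled around (the missing Host header that explains Pfui's 400, the `/login.htm` substring that the 1999 Snort rule keys on, and lucy24's minimum-UA-length idea) can be run together over a raw request. The following is an added illustration, not code from any poster or from Snort; it parses a request laid out like the packet content above. The `MIN_UA_LEN` threshold and the benign comparison request are assumed values, not from the thread.

```python
"""Triage of raw HTTP requests against the patterns discussed in this thread.

Added example (not from the original posts). For each request it reports:
  * missing_host: HTTP/1.1 requires a Host header; without it Apache answers
    400 "request without hostname", matching Pfui's error line;
  * login_htm: URI contains "/login.htm" case-insensitively, which is all the
    Snort rule sid:1564 (uricontent:"/login.htm"; nocase) keys on;
  * short_ua: User-Agent shorter than MIN_UA_LEN (lucy24's proposed rule;
    the threshold here is an assumed value, tune it against your own logs).
"""
from dataclasses import dataclass, field

MIN_UA_LEN = 8  # assumed threshold, not from the thread

# Constructed samples: the packet quoted in the thread, plus a benign request.
HI_REQUEST = (
    "GET /Pages/login.htm HTTP/1.1\r\n"
    "Connection: close\r\n"
    "Content-Type: text/xml\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Cache-Control: max-age=0\r\n"
    "User-Agent: Hi\r\n"
    "\r\n"
)
BENIGN_REQUEST = (  # constructed for comparison
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/69.0\r\n"
    "\r\n"
)


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split a raw request into its request line and header fields."""
    head = raw.split("\r\n\r\n", 1)[0]          # ignore any body
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, version, headers)


def triage(raw: str, min_ua_len: int = MIN_UA_LEN) -> dict:
    """Return the findings for one raw request."""
    req = parse_request(raw)
    ua = req.headers.get("user-agent", "")
    findings = {
        "ua": ua,
        # RFC 7230: an HTTP/1.1 request with no Host header must get a 400.
        "missing_host": req.version == "HTTP/1.1" and "host" not in req.headers,
        # Emulates the Snort rule's uricontent match (nocase).
        "login_htm": "/login.htm" in req.uri.lower(),
        "short_ua": len(ua) < min_ua_len,
    }
    findings["expected_status"] = 400 if findings["missing_host"] else None
    return findings


if __name__ == "__main__":
    for label, raw in (("Hi packet", HI_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, triage(raw))
```

Because the Host check fires before any vhost routing, a request like the "Hi" packet is answered 400 by the server itself, which is why it only shows up in a server-level log rather than in a per-site log on shared hosting.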

6:35 pm on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15941
votes: 889


It does seem to be a very recent UA. Is yours getting a 400 response or something else? If the behavior is as described by Pfui in the first post
Error: 400 (HTTP/1.1 request without hostname)
you probably won't see it in logs at all unless you've got your own server, which it sounds as if you do.

The request for /Pages/login.htm sounds at first glance like the kind of thing any malign robot would ask for. But capitalizing Pages is interesting. Does it go back to some particular CMS? (But if so, why the .htm extension?) Does the robot have some reason to think this URL actually exists on your site? I checked and don't find any requests for this URL on my own sites, though there is no shortage of the standard malign-robot URL patterns.

:: uneasily wondering why G is suddenly showing icons on search results, when it didn't yesterday ::
7:39 pm on Oct 4, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


- yeahokayman: Welcome to WW and thanks for the confirmation and additional info. You can pretty much count on this merry band o' log addicts to find oddities at early, later, and dang-back-again stages:)

- FWIW: I keep thinking it's in some way related to Apple's Pages update because of the capitalization and because the new Pages version that corresponds with iOS 13 and MacOS 14 (Mojave) is just a week old. I don't use Pages so I can't talk about how its pages work -- if, for example, the URI sought is part of the program proper, or part of pages generated *by* the program. Anybody familiar with the program or the URI?

- All: There's a hit pattern shift. All Hi hits are still single but for this Taiwan ISP this morning:

10/04 03:14:32 /Pages/login.htm
10/04 03:14:34 /Pages/login.htm
10/04 03:14:36 /Pages/login.htm
10/04 03:14:51 /Pages/login.htm
10/04 03:15:12 /Pages/login.htm
10/04 03:16:04 /Pages/login.htm

The staggered timing after the initial hits semi-suggests something manual. Hmm.
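To put a number on the "staggered timing" observation, one can compute the inter-arrival gaps of those six hits and label the cadence. This is an added example, not code from the post; the six timestamps are the lines quoted above (year assumed to be 2019, since the post gives only month/day), and the `burst_max` and `jitter_max` thresholds are assumed values.

```python
"""Inter-arrival analysis of the hit burst quoted above.

Added example, not part of the original post. Labels a sequence of hits as
'burst' (every gap tiny), 'regular' (near-constant gap, typical of a timed
script) or 'staggered' (irregular gaps). Thresholds are assumed values.
"""
from datetime import datetime
from statistics import mean, pstdev

# The six log lines from the post; the year is assumed.
HITS = """\
10/04 03:14:32 /Pages/login.htm
10/04 03:14:34 /Pages/login.htm
10/04 03:14:36 /Pages/login.htm
10/04 03:14:51 /Pages/login.htm
10/04 03:15:12 /Pages/login.htm
10/04 03:16:04 /Pages/login.htm
"""


def parse_hits(text: str, year: int = 2019):
    """Parse 'MM/DD HH:MM:SS URI' lines into (datetime, uri) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, uri = line.split()
        ts = datetime.strptime(f"{year}/{date} {clock}", "%Y/%m/%d %H:%M:%S")
        out.append((ts, uri))
    return out


def gaps_seconds(hits):
    """Seconds between consecutive hits, in time order."""
    times = sorted(ts for ts, _ in hits)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def classify(gaps, burst_max: int = 5, jitter_max: float = 2.0) -> str:
    """Label the cadence; thresholds are assumed, tune them to your traffic."""
    if not gaps:
        return "single"
    if max(gaps) <= burst_max:
        return "burst"
    if pstdev(gaps) <= jitter_max:
        return "regular"
    return "staggered"


def summarize(text: str) -> dict:
    gaps = gaps_seconds(parse_hits(text))
    return {"gaps": gaps, "label": classify(gaps), "mean_gap": round(mean(gaps), 1)}


if __name__ == "__main__":
    print(summarize(HITS))
```

The first three hits two seconds apart look scripted; the widening gaps after that are what drive the "staggered" label.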
9:10 pm on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10590
votes: 1126


I'm getting sparse (as in very few) hits from Mexico, Italy, Florida (USA) and Hong Kong ... same request, same lame UA ... Will this become a growing phenom?

Note: fails as 403 for "login" ...
9:50 pm on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10590
votes: 1126


Left out France...
10:02 pm on Oct 4, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11874
votes: 245


welcome to WebmasterWorld [webmasterworld.com], yeahokayman!
4:20 am on Oct 5, 2019 (gmt 0)

New User

joined:Oct 4, 2019
posts:2
votes: 0


Thanks for the warm welcome!

I work for an MSSP so I'm seeing this traffic across many different organizations. My insight is limited though since I can only see the network traffic across our devices and any log sources are limited to what the client gives us (which in most cases does not include web server logs). So I'm not able to see the responses back to these requests since those usually don't hit on a Snort rule.

The requests are coming in from all over the world and it's usually just 2 or so hits from each IP, so it smells like a botnet for sure. We've seen about 800-1,000 hits a day since Oct. 2.

The only other thing I have found is this user [abuseipdb.com ] at abuseipdb has posted quite a few hits on "GET /Pages/login.htm HTTP/1.1"

I'll keep digging but so far there's not much to find. Thanks again!
5:26 am on Oct 5, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11874
votes: 245


for those like me who were wondering, MSSP = managed security service provider (e.g., firewall management services)