Sploity Blog

Spotting Bots and Botnets

Last updated: 23/07/2018

So this is gonna be a quick one, but useful if you dont know what to look for in a typical http log file or are just curious about bots, this one might be for you. So, as every sys admin should I was going over this very server's apache log file when I noticed a string of requests for a range of pages. For example, shell.php, is a common request to see if it can find a shell waiting to be used. However, strangly, it only requested php files:

log file

This isn't the most uncommon thing to see, in fact it's pretty usual traffic, but I decided to look into this one for blog potential. In a typical botnets, some 'bots' are tasked to look for vulnerable machines, so they will go out looking for stuff like this and see if they can find a vulnerable page. This bot's job was probably to go out and scan random ips for common php files, it's not a stealthy way to do it, 'but it's someone elses computer, so who gives a f*ck if gets caught' is the usual thought process of a botnet programmer. But it's real purpose is just to find more computers and welcome them to the botnet. Now lets take a closer look at this machine 47.91.228.69

log file

So we can see this machine is Chinese, and China is pretty well known for it's collection of compromised machines, so I got even more curious and decided to give it a scan and return the favor:

log file

And this nmap was interesting to say the least. We can see that port 80 (http) and port 3389 (rdp) are open and, vista?! We can see it is using up to date apache openSSL and php, i gave it a curl but returned nothing, which was not what I was expecting but apache isn't a huge deal so I looked past this. However, it had rdp exposed, which was unsual becuase rdp is more commonly behind a firewall in alot of setups due to it's naturally unsecure nature. This could possibly be an access point for an attacker to hop onto the machine.

So to conclude, this is what a typical bot might look like, of course though, it is kinda hard to tell alot of the time, the polite thing might be to contact the machine owner or hack them (that is a joke btw). So every now and again it can be fun to research suspicious ip addresses scanning your machines, I dunno, maybe you might find a pot of gold...