Archivi tag: SuperAntiSpyware

Avast! free e lo scan che non ti aspetti

Ieri, spulciando gli allarmi di Nagios relativi alla mia rete domestica, ho notato la presenza di una sequela di eventi di questo tipo:

***** Nagios HOME *****

 Notification Type: PROBLEM

 Service: HTTP Not Found
 Host: localhost
 Address: 127.0.0.1
 State: WARNING

 Date/Time: Sat Dec 26 09:04:58 CET 2015

 Additional Info:

 192.168.1.8 - - [26/Dec/2015:09:04:57 +0100] GET /HNAP1/ HTTP/1.1 404 204

ovvero il mio PC client (192.168.1.8) ha provato, in modo automatico, ad accedere a determinate URI HTTP, puntando all’indirizzo IP del suo default gateway (192.168.1.1). In particolare, il file /var/log/httpd/error_log di quest’ultimo riportava le seguenti hit:

[Sat Dec 26 09:04:57 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/HNAP1
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/rom-0
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] scrip not found or unable to stat: /var/www/cgi-bin/webproc
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/a2
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/ajaxmail
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/arr
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/at3
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/atc
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/atx
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/auth
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/bbs
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/bbs
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/bp_revision.cgi
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/br5.cgi
[Sat Dec 26 09:05:03 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/click.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/clicks.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/crtr
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/fg.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/findweather
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/findweather
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/frame_html
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/getattach
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/hotspotlogin.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/hslogin.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/ib
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/index.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/index
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/krcgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/krcgistart
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/link
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/login.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/login
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/logout
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/logout
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/mainmenu.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/mainsrch
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/msglist
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/navega
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/openwebmail
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/out.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/passremind
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/rbaccess
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/rbaccess
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/readmsg
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/rshop.pl
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/search.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/spcnweb
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/sse.dll
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/start
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/te
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/tjcgi1
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/top
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/traffic
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/verify.cgi
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/webproc
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/webscr
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/wingame.pl
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/das
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/fcgi-bin
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/fcgi-bin
[Sat Dec 26 09:05:04 2015] [error] [client 192.168.1.8] File does not exist: /var/www/html/redir

Alla luce di ciò mi sono allarmato, e, credendo che si trattasse di un malware, ho trascorso circa 2 ore tra scansioni antivirus (Avast! Free per l’appunto), Malwarebytes e SuperAntiSpyware, senza ottenere grandi risultati. Infine, giusto per scrupolo, sono andato a controllare il file /var/log/httpd/access_log che riportava lo UA (User Agent) utilizzato per accedere alle suddette URI. Di seguito ne riporto il contenuto:

192.168.1.8 - - [26/Dec/2015:09:04:57 +0100] "GET / HTTP/1.1" 200 - "-" "avast! Antivirus"
192.168.1.8 - - [26/Dec/2015:09:04:57 +0100] "GET /HNAP1/ HTTP/1.1" 404 204 "-" "avast! Antivirus"
192.168.1.8 - - [26/Dec/2015:09:05:03 +0100] "GET /rom-0 HTTP/1.1" 404 203 "-" "avast! Antivirus"
192.168.1.8 - - [26/Dec/2015:09:05:03 +0100] "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* HTTP/1.1" 404 213 "-" "avast! Antivirus"

ovvero l’origine del presunto “attacco” era, molto semplicemente, Avast! free. Infatti, andando a spulciare tra le funzionalità del suddetto antivirus, ho notato la presenza della cosiddetta Protezione rete domestica, la quale non fa altro che scansionare il range di IP della LAN su cui è attestato il client, identificando i vari dispositivi connessi ed i servizi attivi su ciascuno di essi. avast In più, credendo che il mio default gateway fosse uno dei tanti home router dozzinali che si trovano ai discount, ha iniziato a ricercare le suddette URI palesemente vulnerabili (per maggiori info basta cercare home router vulnerabilities su Google).

Tutto è bene quel che finisce bene.

Alla prossima.