michelin / ChopChop

ChopChop is a CLI that helps developers scan endpoints and identify exposure of sensitive services/files/folders.

trickbot false positive? #19

Closed nocomp closed 4 years ago

nocomp commented 4 years ago

Hi, thanks a lot to the Clermont-Ferrand dream team for this tool. I just used it on one of our websites, and I am surprised by the response. I get logs for files that are not present on the server:

| URL | Endpoint | Severity | Description | Remediation |
|---|---|---|---|---|
| https://xxxxx.xxxxxxx.fr/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| https:/xxxxxx-xxxxxxxxxx.fr/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| https://xxxxxxxxxx.xxxxxxxxx/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| https://xxxxxxxxx.xxxxxxxxx/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |

Any idea what it means? Thanks for your time.

DloomPlz commented 4 years ago

Hello! It looks like your server answers with a status code of 200 when ChopChop asks for "/images/imgpaper.png" and the others. Can you please try this command to see if it still answers with a status_code of 200: `curl -D - https://xxxxxxxxx.xxxxxxxxx/ico/VidT6cErs`? Thanks!

PaulSec commented 4 years ago

Those rules were created by @woundride in order to test for the presence of the "Trickbot" trojan based on specific files (in our case, images).

If you got this output, it means all those requests got a status_code of 200, either because:

  1. the file is present (and might be benign)
  2. the webserver sent a 200 for some reason.

Feel free to let us know in any case. Happy to help!

nocomp commented 4 years ago

> Hello! It looks like your server answers with a status code of 200 when ChopChop asks for "/images/imgpaper.png" and the others. Can you please try this command to see if it still answers with a status_code of 200: `curl -D - https://xxxxxxxxx.xxxxxxxxx/ico/VidT6cErs`? Thanks!

Hi, thanks for the reply. All the files are here; I've downloaded them and I'll do some forensics and get back to you on whether they are false positives or not. Thanks a lot!

asmpowa #mesbeauxparentshabitentennezat (my in-laws live in Ennezat)

nocomp commented 4 years ago

What is strange is that if I http these files I get a 404, but I can wget them. Can you explain, please? Feeling confused.

PaulSec commented 4 years ago

Perfect!

You are more than welcome. I will close the ticket for the moment but feel free to re-open it if you think that those are false positives and see how we can tweak that.

YellowArmyPowa :)

nocomp commented 4 years ago

Hi Paul, last question: can you please explain to me how come I can wget http://server.com/images/redcar.png, but if I http it I get a 404, and on the server there is no such file? Drives me nuts... deobfuscating all JS atm... #whataday...

Thanks for your time!

nocomp commented 4 years ago

I am just an idiot, it's a user agent matter. Sorry, and thanks for the great tool.

63powa

nocomp commented 4 years ago

Hi Paul, a quick update regarding the detection:

From what I read, ChopChop detects whether such a file exists; if yes (200), we get a detection warning.

For example, if you scan http://179.150.226.35.bc.googleusercontent.com:90/ you'll get

| URL | Endpoint | Severity | Description | Remediation |
|---|---|---|---|---|
| http://179.150.226.35.bc.googleusercontent.com:90/ | /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp | High | F5 BIG-IP - CVE-2020-5902 | Apply patch - F5 K52145254 |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |

Then I had a look at the source of the detection rule, https://urlhaus.abuse.ch/browse.php?search=%2Fimages%2Fimgpaper.png

I downloaded imgpaper from one of these sites and ran it in a sandbox; it's a PE executable. When I inspect the same file on the link I gave you above, it's HTML inside, like when you wget index.php.

Any idea what is happening????

Thanks for your time

PaulSec commented 4 years ago

Interesting. I guess that's because the webapp (and the underlying reverse proxy) messes up by sending another status code (we could expect a 404 for a resource not found), like a 200 for a non-existing resource.

nocomp commented 4 years ago

I agree, Paul. I pressed the red button due to the kind of warning; I had to take a decision, no regrets, but happy to see it was a false positive in the end. Any way of improving the detection rules? Let me know if I can help.

woundride commented 4 years ago

Hi nocomp, hi Paul. I've solved this issue by adding new settings in the rules. I've downloaded a sample of the Trickbot payload and tried it on Apache, but I don't get the same headers with Nginx. For more accuracy I've created 2 rules. See my last pull request.
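A triage helper for this kind of hit, added here as an example and not part of ChopChop or of woundride's rules. It applies the two checks the thread converges on: the probe is compared against a baseline request for a path that cannot exist (a server that answers 200 for everything, as Paul describes, returns the same page for both), and the body is inspected for the PE "MZ" header before the hit is called a hosted payload, since the HTML nocomp found in the downloaded file is what such a soft 404 returns. The `Response` class, the sample bodies and the similarity threshold are constructed for the example; a real run would fill `Response` from the HTTP client and send the baseline request with the same User-Agent as the probe, since the thread found the server's answer varied with the User-Agent.

```python
"""Triage ChopChop-style 'file exists' hits to weed out soft-404 false positives.

Constructed example, not ChopChop code: a 200 only means something if the
server does NOT also answer 200 with the same page for a path that cannot
exist, and a rule hunting a hosted executable should see a PE body, not HTML.
"""
import difflib
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, raw body, headers."""
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


def body_similarity(a: bytes, b: bytes) -> float:
    """Ratio in [0, 1] of how alike two response bodies are."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def is_soft_404(probe: Response, baseline: Response, threshold: float = 0.9) -> bool:
    """True when the probe is indistinguishable from the server's answer for a
    path that cannot exist: same status and a near-identical body mean the 200
    carries no information about the probed file."""
    if probe.status != baseline.status:
        return False
    return body_similarity(probe.body, baseline.body) >= threshold


def looks_like_pe(body: bytes) -> bool:
    """Windows executables start with the two-byte 'MZ' DOS header."""
    return body[:2] == b"MZ"


def looks_like_html(body: bytes) -> bool:
    """Cheap check for an HTML document (what an index page or error page is)."""
    head = body.lstrip()[:64].lower()
    return head.startswith(b"<!doctype html") or b"<html" in head


def random_probe_path(prefix: str = "/images/") -> str:
    """Path that should not exist on the target, used for the baseline request."""
    return f"{prefix}{secrets.token_hex(8)}.png"


def triage(probe: Response, baseline: Response) -> str:
    """Classify a hit for a rule that hunts a hosted executable payload.

    baseline is the response to random_probe_path(), fetched with the same
    User-Agent as the probe (the thread found the answer varied with it).
    """
    if probe.status != 200:
        return "not_found"
    if is_soft_404(probe, baseline):
        return "false_positive_soft_404"
    if looks_like_pe(probe.body):
        return "suspicious_pe_payload"
    ctype = probe.headers.get("content-type", "").lower()
    if looks_like_html(probe.body) or ctype.startswith("text/html"):
        return "false_positive_html"
    return "present_unverified"


# Constructed sample responses standing in for the three cases in the thread.
INDEX_HTML = b"<!DOCTYPE html><html><head><title>Home</title></head><body>Hello</body></html>"
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
BASELINE = Response(200, INDEX_HTML, {"content-type": "text/html"})

if __name__ == "__main__":
    cases = {
        "imgpaper.png on a server that answers 200 for everything":
            Response(200, INDEX_HTML, {"content-type": "text/html"}),
        "imgpaper.png that really is a PE file":
            Response(200, SAMPLE_PE, {"content-type": "application/octet-stream"}),
        "imgpaper.png on a server with honest 404s":
            Response(404, b"Not found"),
    }
    for label, resp in cases.items():
        print(f"{label}: {triage(resp, BASELINE)}")
```

Only a `suspicious_pe_payload` verdict warrants the "make sure your system isn't compromised" remediation; the two false-positive verdicts are the cases this issue describes, and `present_unverified` means the file exists but still needs a look by hand.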