This report identifies hosts that have been observed performing HTTP-based scanning activity.
Description
HTTP scanning may be a benign activity — for example, it may be a search engine indexing the web, a research project, or an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.
Other scans, however, may be part of network reconnaissance in the preparatory phase of an attack. The scan itself may also perform an attack, such as an SQL injection, a Remote File Inclusion or Local File Inclusion attack, or an exploit for a specific vulnerability. Quite often, scanning activity comes from a botnet that is actively looking to infect new sites or devices.
Below is a description of a report based on data collected by SISSDEN HTTP-aware honeypots. In addition to registering the source of the scan, each honeypot logs the scan request in raw form and attempts to match it against known patterns. In cases where a malicious artifact was collected by the honeypot, its MD5 and SHA256 hashes are also recorded. This information may be used to support a CSIRT's investigation of an incident and to determine its true nature.
Fields
| Field | Description |
| --- | --- |
| timestamp | Time that the scan was performed in UTC+0 |
| ip | The IP address performing the scan |
| port | The source port used in the scan |
| asn | ASN announcing the scanning IP |
| geo | Country where the scanning IP resides |
| region | State / Province / Administrative region where the scanning IP resides |
| city | City where the scanning IP resides |
| hostname | PTR record of the scanning IP |
| type | Type of activity observed, i.e. http-scan |
| dst_ip | The IP address of the target device |
| dst_port | Destination port used in the scan |
| dst_asn | ASN announcing the target IP |
| dst_geo | Country where the target IP resides |
| dst_dns | FQDN of the target, if applicable and recorded |
| naics | North American Industry Classification System code of the scanning IP |
| sic | Standard Industrial Classification code of the scanning IP |
| sector | Sector the attacking IP belongs to |
| dst_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| sensorid | ID of the sensor (target device) |
| pattern | Request pattern, if recognized by the target sensor (e.g. does it match an RFI, LFI, SQLi ...) |
| url | URL being requested by the scanning IP |
| file_md5 | MD5 hash of the file downloaded, if any |
| file_sha256 | SHA256 hash of the file downloaded, if any |
| request_raw | Raw request sent by the scanning IP |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. Every event originating from SISSDEN is clearly marked “SISSDEN” in the public_source field.
Sample Report
timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,url,file_md5,file_sha256,request_raw
"2018-08-29 00:00:05",198.51.100.5,52513,27668,EC,AZUAY,CUENCA,198-51-100-5.example.net,http-scan,203.0.113.6,80,17169,AT,,0,0,,,SISSDEN,53c1549f-f806-4b82-8b3a-6673456cd40f,unknown,/,,,"GET / HTTP/1.1\r\nHost: 203.0.113.6\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
"2018-08-29 00:04:08",198.51.100.3,33418,23033,US,WASHINGTON,EVERETT,,http-scan,203.0.113.217,80,56630,RU,,0,0,Communications,,SISSDEN,5800ff5d-277e-48aa-b904-0997a00c6a37,unknown,/axis-cgi/aol%2A/_do/rss_popup?blogID=,,,"GET /axis-cgi/aol%2A/_do/rss_popup?blogID= HTTP/1.1\r\nAccept: */*\r\nAccept-Charset: utf-8;q=0.7,iso-8859-1;q=0.2,*;q=0.1\r\nHost: 203.0.113.217\r\nUser-Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
"2018-08-29 01:27:53",198.51.100.100,62868,36903,MA,SOUSS-MASSA-DRAA,AGADIR,,http-scan,203.0.113.200,80,203525,RO,,0,0,,,SISSDEN,2447a8e1-237d-4d37-b09f-23f6f30e58c2,sqli,/cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y,,,"GET /cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nHost: 203.0.113.200\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"2018-08-29 16:23:32",198.51.100.105,32886,29238,AL,DURRES,DURRES,host105.example.com,http-scan,203.0.113.215,80,16276,EG,,0,0,,Other,SISSDEN,12b9d177-0eb5-4324-8e48-5ed5b868b9f4,lfi,/jaf/index.php?show=../../../etc/passwd,,,"GET /jaf/index.php?show=../../../etc/passwd HTTP/1.1\r\nAccept-Encoding: identity\r\nConnection: close\r\nHost: recitepoke.date\r\nUser-Agent: fimap.googlecode.com/v1.00_svn (My life for Aiur)"
"2018-08-29 23:58:40",198.51.100.170,20563,37963,CN,,HANGZHOU,,http-scan,203.0.113.217,80,55720,MY,,0,0,Communications,Communications,SISSDEN,112ded91-f0be-447f-b93d-5a18522b84ea,unknown,/wpo.php,,,"GET /wpo.php HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nHost: 203.0.113.217\r\nUser-Agent: Mozilla/5.0"
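A parser and triage helper for the report layout above, added here as an example and not part of SISSDEN's or Shadowserver's own tooling. The three CSV rows, sensor IDs and user agents it embeds are constructed, modelled on the sample report (RFC 5737 addresses), and the artifact hashes are the well-known empty-file MD5/SHA256 values used as placeholders.

```python
import csv
import io
from collections import Counter

# Column order of the SISSDEN HTTP scanners report, as listed in the Fields section.
FIELDS = ("timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,"
          "dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,"
          "url,file_md5,file_sha256,request_raw").split(",")

# Constructed sample rows modelled on the page's sample report (RFC 5737 addresses;
# the hashes are the empty-file MD5/SHA256 used as placeholders). request_raw keeps
# the literal backslash-r backslash-n escapes the report uses, hence the raw string.
SAMPLE = r'''timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,url,file_md5,file_sha256,request_raw
"2018-08-29 00:00:05",198.51.100.5,52513,27668,EC,AZUAY,CUENCA,,http-scan,203.0.113.6,80,17169,AT,,0,0,,,SISSDEN,sensor-a,unknown,/,,,"GET / HTTP/1.1\r\nHost: 203.0.113.6\r\nUser-Agent: Mozilla/5.0"
"2018-08-29 01:27:53",198.51.100.100,62868,36903,MA,,AGADIR,,http-scan,203.0.113.200,80,203525,RO,,0,0,,,SISSDEN,sensor-b,sqli,/index3.php?destino=%22%20and%20%22x%22%3D%22y,,,"GET /index3.php?destino=%22%20and%20%22x%22%3D%22y HTTP/1.1\r\nConnection: Close\r\nHost: 203.0.113.200\r\nUser-Agent: Mozilla/4.0"
"2018-08-29 16:23:32",198.51.100.105,32886,29238,AL,DURRES,DURRES,,http-scan,203.0.113.215,80,16276,EG,,0,0,,Other,SISSDEN,sensor-b,lfi,/index.php?show=../../../etc/passwd,d41d8cd98f00b204e9800998ecf8427e,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,"GET /index.php?show=../../../etc/passwd HTTP/1.1\r\nHost: 203.0.113.215\r\nUser-Agent: fimap/1.00"
'''

def parse_report(text):
    """Parse the report CSV into dicts, rejecting a file whose header does not match FIELDS."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != FIELDS:
        raise ValueError("unexpected column layout: %r" % (reader.fieldnames,))
    return list(reader)

def parse_request(raw):
    """Split request_raw (literal backslash-r backslash-n escapes) into method, target, headers."""
    lines = raw.split(r"\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def triage(events):
    """Summarise a report the way a CSIRT would: which patterns were tried, against which
    sensors, by which user agents, and which events came with a collected artifact."""
    summary = {"by_pattern": Counter(), "by_target": Counter(), "artifacts": [], "agents": Counter()}
    for ev in events:
        summary["by_pattern"][ev["pattern"]] += 1
        summary["by_target"][(ev["dst_ip"], ev["dst_port"])] += 1
        _, _, headers = parse_request(ev["request_raw"])
        summary["agents"][headers.get("user-agent", "")] += 1
        if ev["file_sha256"]:  # a non-empty hash means the honeypot captured a file worth pulling
            summary["artifacts"].append((ev["ip"], ev["url"], ev["file_sha256"]))
    return summary
```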