Wading through the chaos and confusion of cybersecurity attacks can sometimes feel reminiscent of old-school detective crime shows. Often, you need more than one viewpoint to successfully crack a case. Just look at Starsky and Hutch—this duo’s problem-solving skills became unmatched when they successfully combined Starsky’s streetwise, brash manner with Hutch’s quiet intellect. For internet-related cases in particular, we can call on the unique strengths of Rapid7 Labs’ Project Sonar and Project Heisenberg.

Heisenberg is a collection of low- to medium-interaction honeypots distributed both geographically and across cloud-oriented IPv4 space. The honeypots allow us to passively collect data that helps us understand attackers’ methods and patterns. Project Sonar, on the other hand, allows us to conduct internet-wide scans to investigate the global exposure of vulnerabilities.

In this post, we will explore how data from both projects can be combined to offer a clearer picture of attackers’ activities. Specifically, we will look into TCP Port 2004, which was chosen after observing scan and probe attempts using Rapid7’s Early Warning System. We discovered that the activity on 2004 is related to Webuzo, a software application used to deploy web services.

Hutch and Heisenberg

Heisenberg passively records metadata related to all requests, including source IP address, destination port, and protocol, among other data. With this honeypot data, we can look at the set of ports a single IP address tried to access during an arbitrary timespan.

This investigation groups the data by day. If we treat the set of ports a source IP touched during that day as its fingerprint, we can then compute statistics over the distinct fingerprints. One such analysis is counting the number of source IP addresses per fingerprint for a given day.

The top 25 fingerprints on July 17 are shown below in Figure 1. Unsurprisingly, SMB, Telnet, and HTTP ports are at the top of the list. Something interesting that pops out, though, is the fingerprint [80, 81, 2004, 8080, 8888]. Ports 80, 81, 8080, and 8888 are most likely HTTP-related, but what is Port 2004?

num_src fingerprint
33387 [445]
33208 [80]
15564 [23]
11347 [5555]
4930 [22]
3881 [8080]
1915 [23, 2323]
1469 [1433]
1466 [18183]
1143 [0]
1056 [81]
763 [3389]
598 [2323]
495 [53]
381 [9000]
331 [1, 445]
321 [137, 1433]
311 [14801]
292 [443]
271 [80, 81, 2004, 8080, 8888]
207 [8088]
191 [80, 445]
164 [21]
164 [80, 8080]
150 [25]

Figure 1: The number of IPs probing for a specific fingerprint on July 17, 2018.

Looking a little deeper at all fingerprints that include 2004, we see that 2004 is probed either by sequential port scanners (the [1000, 1001, 1002, ...] fingerprints) or together with HTTP ports.

num_src fingerprint
271 [80, 81, 2004, 8080, 8888]
3 [80, 81, 2004, 8888]
1 [80, 2004]
1 [1000, 1001, 1002, 1003, 1004, 1005, 1006,....]
1 [80, 81, 2004, 8080]
1 [81, 2004, 8080, 8888]
1 [81, 2004]
1 [1000, 1001, 1002, 1003, 1004, 1005, 1006, ...]

Figure 2: Number of IPs for fingerprints with Port 2004 in them.
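The grouping described above (ports per source IP per day as a fingerprint, then source IPs per fingerprint, then the subset containing 2004) as an added example; this is not the Heisenberg pipeline's own code, and the event records are constructed here in the shape the post describes (timestamp, source IP, destination port).

```python
"""Port-set fingerprints from honeypot connection metadata (constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records, not real Heisenberg logs: (timestamp, source IP, destination port).
EVENTS = [
    ("2018-07-17T01:02:03Z", "198.51.100.7", 80),
    ("2018-07-17T01:02:04Z", "198.51.100.7", 81),
    ("2018-07-17T01:02:04Z", "198.51.100.7", 2004),
    ("2018-07-17T01:02:05Z", "198.51.100.7", 8080),
    ("2018-07-17T01:02:05Z", "198.51.100.7", 8888),
    ("2018-07-17T01:02:06Z", "198.51.100.7", 80),    # repeat hit: the set is unchanged
    ("2018-07-17T02:00:00Z", "203.0.113.9", 2004),   # same ports, different order
    ("2018-07-17T02:00:00Z", "203.0.113.9", 81),
    ("2018-07-17T02:00:01Z", "203.0.113.9", 8080),
    ("2018-07-17T02:00:01Z", "203.0.113.9", 8888),
    ("2018-07-17T02:00:01Z", "203.0.113.9", 80),
    ("2018-07-17T03:00:00Z", "192.0.2.44", 445),
    ("2018-07-17T03:00:00Z", "192.0.2.45", 445),
    ("2018-07-17T09:00:00Z", "192.0.2.46", 1000),    # sequential scanner passing 2004
    ("2018-07-17T09:00:01Z", "192.0.2.46", 1001),
    ("2018-07-17T09:00:02Z", "192.0.2.46", 2004),
    ("2018-07-18T00:00:00Z", "198.51.100.7", 23),    # next day: counted separately
]

def fingerprints_by_day(events):
    """Map (day, src_ip) -> sorted tuple of the distinct destination ports it touched."""
    ports = defaultdict(set)
    for ts, src, dport in events:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        ports[(day, src)].add(dport)
    return {key: tuple(sorted(p)) for key, p in ports.items()}

def count_sources(fps, day):
    """Number of distinct source IPs per fingerprint on one day (the Figure 1 table)."""
    return Counter(fp for (d, _), fp in fps.items() if d == day)

def with_port(counts, port):
    """Restrict the count table to fingerprints containing `port` (the Figure 2 table)."""
    return Counter({fp: n for fp, n in counts.items() if port in fp})

if __name__ == "__main__":
    counts = count_sources(fingerprints_by_day(EVENTS), "2018-07-17")
    print("num_src fingerprint")
    for fp, n in counts.most_common():
        print(n, list(fp))
    print("\nfingerprints containing 2004:")
    for fp, n in with_port(counts, 2004).most_common():
        print(n, list(fp))
```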

The honeypots also save the payload sent with the initial requests. Looking at this data, we see that these probes are searching for install.php.

Figure 3: Data being sent to Heisenberg on Port 2004.

GET /install.php HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Host: 35.199.41.164

GET / HTTP/1.1
Host: 54.169.210.117:2004
Connection: close
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Figure 4: Some of the Heisenberg results shown in greater detail.

Starsky and Sonar

This is the picture that emerges from the Heisenberg data. Let’s see what we can now discover with Project Sonar, which conveniently lets us run studies against specific ports. We ran an HTTP GET study for Port 2004 to see whether that produced any leads.

Project Sonar produces json.gz files for its GET studies. For example, you can look at the latest Sonar HTTPS GET public datasets, available on Rapid7 Open Data. With this data, we can use a tool such as Apache Drill to produce the table below, which counts the distinct “server” header values returned in the responses.

count server
6292 Webuzo
4854 (blank)
904 Apache/2.2.15 (CentOS)
787 nginx
668 Apache
517 A2B Webserver
415 Microsoft-IIS/7.5
382 Apache-Coyote/1.1
270 Microsoft-HTTPAPI/2.0
269 lighttpd/1.4.39
259 lighttpd/1.4.31
240 WebSphere Application Server/7.0
237 DNVRS-Webs
229 App-webs/
218 GoAhead-Webs
204 Boa/0.94.14rc21
195 Microsoft-IIS/8.5
189 Apache/2.2.22 (Debian)
161 Linux/2.x UPnP/1.0 Avtech/1.0
153 Boa/0.94.13
149 lighttpd/1.4.35
149 mini_httpd/1.19 19dec2003
135 nginx/1.2.6
127 lighttpd
119 uc-httpd 1.0.0

Figure 5: Count of IPs that responded on Port 2004 by the "server" header field.

Here, we see that Webuzo has the highest count. It turns out that Webuzo is software from Softaculous that lets you deploy web apps such as WordPress and Drupal, as well as web app stacks (e.g., LAMP), on cloud or virtual machines. According to its documentation, its admin panel runs on Port 2004. Looking deeper, the admin panel exposes a launch API that allows users to install and configure these machines remotely. Here is a snippet of the commands the API uses:

curl 'http://1.1.1.1:2004/install.php?prepareapps=lamp&license=WEBUZO-0000-0000-0000-0000'

curl 'http://1.1.1.1:2004/install.php?prepareinstall=26&license=WEBUZO-0000-0000-0000-0000'

curl 'http://1.1.1.1:2004/install.php?onlyone=26'
	
curl --data "uname=soft&email=admin@example.com&pass=password&rpass=password&domain=example.com&ns1=ns1.example.com&ns2=ns2.example.com&lic=WEBUZO-0000-0000-0000-0000&admin_email=admin@example.com&submit=1&api=serialize" http://1.1.1.1:2004/install.php

Notice that the URL matches the /install.php requests seen in the Heisenberg honeypot data! It looks like the scanners are trying to figure out which IPs on the internet are running Webuzo’s admin panel. Attackers could use this information to then try to access the API with a list of default usernames and passwords in an attempt at remote execution.
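As an added example covering both the honeypot payloads in Figure 4 and the Sonar “server” header count in Figure 5 (not code from Rapid7 or from either project): one small HTTP header parser used to flag /install.php probes in captured requests and to tally Server headers over a Sonar-style GET study. It assumes each json.gz line is a JSON record whose `data` field is the base64-encoded raw HTTP response; the sample study and requests are constructed here.

```python
"""Parse captured HTTP traffic: honeypot requests and Sonar GET study responses."""
import base64, gzip, io, json
from collections import Counter

def parse_http(raw):
    """Split a raw HTTP message into its start line and a lowercase-keyed header dict."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_webuzo_probe(raw):
    """True for a GET whose path is /install.php, the endpoint Webuzo's launch API uses."""
    start, _ = parse_http(raw)
    parts = start.split()
    return len(parts) == 3 and parts[0] == "GET" and parts[1].split("?", 1)[0] == "/install.php"

def server_counts(study_json_gz):
    """Count Server header values over a json.gz GET study (the Figure 5 table)."""
    counts = Counter()
    with gzip.open(io.BytesIO(study_json_gz), "rt") as fh:
        for line in fh:
            rec = json.loads(line)
            # Assumption: 'data' holds the base64-encoded raw HTTP response.
            _, headers = parse_http(base64.b64decode(rec["data"]).decode("latin-1"))
            counts[headers.get("server", "")] += 1   # missing header -> blank row
    return counts

# Constructed sample inputs (not real honeypot or Sonar data).
PROBE = "GET /install.php HTTP/1.1\r\nHost: 35.199.41.164\r\nConnection: Keep-Alive\r\n\r\n"
ROOT = "GET / HTTP/1.1\r\nHost: 54.169.210.117:2004\r\nConnection: close\r\n\r\n"

def _record(ip, response):
    return json.dumps({"ip": ip, "port": 2004, "data": base64.b64encode(response.encode()).decode()})

SAMPLE_STUDY = gzip.compress("\n".join([
    _record("192.0.2.1", "HTTP/1.1 200 OK\r\nServer: Webuzo\r\nContent-Type: text/html\r\n\r\n<html>"),
    _record("192.0.2.2", "HTTP/1.1 200 OK\r\nServer: Webuzo\r\n\r\n"),
    _record("192.0.2.3", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    _record("192.0.2.4", "HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n"),
]).encode())

if __name__ == "__main__":
    print("install.php probe:", is_webuzo_probe(PROBE), is_webuzo_probe(ROOT))
    for server, n in server_counts(SAMPLE_STUDY).most_common():
        print(n, server or "(blank)")
```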

It is interesting to note that Webuzo has been named in remote code execution CVEs in the past. Port 2004 has also been one of the ports the Muhstik botnet scanner targets, according to BleepingComputer.

Figure 6: A world tile map based on the IP’s geographical information shows that the majority of the Webuzo apps exist in the United States and Europe.

In conclusion, we’ve shown how Project Heisenberg and Project Sonar data can be used together. By observing attackers’ access patterns on the Heisenberg honeypots, we were able to notice activity on an unusual port. Using that data, we recognized that the probes were tied to other HTTP ports and examined the payloads being sent. We then used Project Sonar to further inform our investigation by looking at global HTTP exposure on that specific port. With this, we were able to work out what the attackers were after in the first place.

For more information on these projects and datasets, visit Rapid7 Open Data.