Fun way to read a book
Anita Batari

What do you think about spam?

Most of us think it is useless and highly annoying, but not everybody does. Some geeks understand the background well enough to know it is rubbish, yet they still read it now and then to entertain themselves and learn about the latest patterns in hacker tactics.

Have you ever found a hidden gem among spam messages, one worth showing to a friend?

'Cause we have! We captured a spam attack that caused some funny moments, and now we'll show it to you.


Contact form spams - nightmare for a sysadmin

Yesterday, while analyzing the latest attacks, one of our talented administrators found a vulnerable form on a hosted site that was under heavy attack. BitNinja successfully blocked the requests, and thanks to the logs we could follow the whole process.

The attacker tried to exploit a vulnerability in the contact form of a German subdomain. They sent POST requests to the form to spread the word about a dubious finance product. The attack came from 71 different, mainly Chinese IPs, and it didn't stop at one attempt: the contact form spam kept coming despite the unsuccessful requests.


Why is there English text in Chinese spam?

All system administrators would like to spare their users from spam, and some of them create custom rules for this purpose. For example, they set a simple pattern-based rule in their mail system that flags every message containing only Chinese characters as spam, especially if their clients are mainly located in Europe or America.

To avoid being blocked by such rules, some well-prepared Chinese hackers started adding English text to their emails.

For example, in our latest capture, each spam message contained a line of text from the novel 'The Jungle'. As you can see below, the English lines are coherent, and we could read the whole novel (with some typos) by checking the logs in chronological order.


The Jungle is a 1906 novel written by the American journalist and novelist Upton Sinclair (1878–1968). Sinclair wrote the novel to portray the harsh conditions and exploited lives of immigrants in the United States in Chicago and similar industrialized cities. His primary purpose in describing the meat industry and its working conditions was to advance socialism in the United States. However, most readers were more concerned with his exposure of health violations and unsanitary practices in the American meatpacking industry during the early 20th century, greatly contributing to a public outcry which led to reforms including the Meat Inspection Act. Sinclair famously said of the public reaction, "I aimed at the public's heart, and by accident I hit it in the stomach." - Wikipedia

Our WAF 2.0 logs:

Date: 2018-01-18 08:52:52
Victim domain: www.######.hu          
Attacker ip: 117.70.173.46
Url: [www.#####.hu/de/kontact]
Remote connection  [117.70.173.46:51668]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => 鲁牛贲
    [jform[contact_email]] => ###635271@qq.com
    [jform[contact_subject]] => [Shared Post] Glory In The Mountains of WV!! ###635271@qq.com
    [jform[contact_message]] => 注册就送28【太阳城集团】大赛车,巨资打造最具力娱乐平台:www.601204.com/?
彩种超多,超高赔率,永不降倍“续”彩票投注“大冲关”周周派送155555元,1元即可投注,入款即享1.0%红利,存取30秒火速到账,
小金额博大款“重磅升级”一存款10即送18元,二存款50元再送28元.
------------------------------------------
o’me wouldn’t be let hear’em.Not but what I did hear,as how could I help it?There’ll be no good come of it.Who’s to be axed to the wake,I’d like to
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]
Date: 2018-01-18 08:51:47
Victim domain: www.#####.hu          
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection  [60.174.17.29:59218]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => 山怀聂
    [jform[contact_email]] => ###80474@qq.com
    [jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados!!! ###80474@qq.com
    [jform[contact_message]] => 大满贯【太阳城集团】注册送28:www.601641.com/?
全新开启捕鱼时代,玩“赚”捕鱼王,畅意彩金天天领。1元自由存取,30秒火速到账,全网最佳口碑,+V信:love9191love 了解跟多优惠.
------------------------------------------
boys annoyed me.Finally Dan said musingly:“Some gentlemen don’t know how to put on kid gloves at all,but some do.”And the doctor said(to the moon,I
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]
Date: 2018-01-18 08:51:16
Victim domain: www.#####.hu          
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection  [60.174.17.29:58943]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => 娄利晁
    [jform[contact_email]] => ###3579@qq.com
    [jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados!!! ###3579@qq.com
    [jform[contact_message]] => 大满贯【太阳城集团】注册送28:www.601641.com/?
全新开启捕鱼时代,玩“赚”捕鱼王,畅意彩金天天领。1元自由存取,30秒火速到账,全网最佳口碑,+V信:love9191love 了解跟多优惠.
------------------------------------------
still that sound of lonely weeping came from over the hill.Listening,but looking at those wild,mourning eyes that never moved from him,he lay.Once he
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]

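As an added example (not BitNinja's code or rule set), the script below pulls the contact_message out of a constructed print_r-style "Post data" block laid out like the log entries above and compares the naive "only Chinese characters" rule with a rule that looks at the CJK share of the letters together with the padding tell-tales (a URL and the dashed separator in front of the novel line). The sample submission, its URL and its e-mail address are constructed placeholders, not values from the real capture.

```python
import re

# Constructed sample in the print_r layout of the WAF "Post data" field above.
# URL, e-mail and subject are placeholders, not the captured values.
SAMPLE_POST_DATA = """Array
(
    [jform[contact_name]] => 鲁牛贲
    [jform[contact_email]] => someone@example.invalid
    [jform[contact_subject]] => [Shared Post] Glory In The Mountains!!
    [jform[contact_message]] => 注册就送28【太阳城集团】大赛车,巨资打造娱乐平台:www.example.invalid/?
彩种超多,超高赔率,1元即可投注,存取30秒火速到账,
------------------------------------------
o'me wouldn't be let hear'em.Not but what I did hear,as how could I help it?
    [jform[contact_email_copy]] => 1
    [option] => com_contact
)"""

LEGIT_MESSAGE = "Guten Tag, ich habe eine Frage zu Ihrem Angebot. Bitte rufen Sie mich an."
PURE_CJK_MESSAGE = "注册就送28【太阳城集团】大赛车,巨资打造娱乐平台"

# The message value runs until the next "[key] =>" line or the closing ")".
MESSAGE_RE = re.compile(
    r"\[jform\[contact_message\]\] => (.*?)(?=\n\s*\[[^\n]*\] =>|\n\)\s*$)", re.S)

def extract_message(post_data: str) -> str:
    """Return the multi-line contact_message value from a print_r-style dump."""
    m = MESSAGE_RE.search(post_data)
    return m.group(1).strip() if m else ""

def naive_rule(message: str) -> bool:
    """The 'only Chinese characters' rule: spam if no Latin letter occurs at all."""
    return re.search(r"[A-Za-z]", message) is None

def script_mix_rule(message: str) -> bool:
    """Flag on the CJK share of letters, or on a CJK block glued to a URL/separator."""
    letters = [c for c in message if c.isalpha()]
    if not letters:
        return False
    cjk = sum("\u4e00" <= c <= "\u9fff" for c in letters)  # CJK Unified Ideographs
    share = cjk / len(letters)
    has_url = re.search(r"(?:https?://|www\.)\S+", message) is not None
    has_separator = re.search(r"^-{10,}\s*$", message, re.M) is not None
    return share >= 0.9 or (share >= 0.25 and (has_url or has_separator))

if __name__ == "__main__":
    msg = extract_message(SAMPLE_POST_DATA)
    for name, text in [("padded", msg), ("pure CJK", PURE_CJK_MESSAGE), ("legit", LEGIT_MESSAGE)]:
        print(f"{name:9s} naive={naive_rule(text)} script_mix={script_mix_rule(text)}")
```

The padded message slips past the naive rule because of the novel line, while the script-mix rule still catches it; the German message passes both.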
Solution

Our WAF 2.0 (alpha) module proved its effectiveness by blocking this annoying but funny attack. We're working on releasing the new module's public beta to all of our users as soon as possible.

Stay tuned! :)

Until then, you can test our other modules, thanks to our 7-day free trial.

