At the Internet Storm Center, we feature a poll on our home page. As part of the poll, you will find a comment field. Sadly, this comment field is frequently abused for spam. Not that it does any good: the spam is easily filtered, and all comments have to be approved anyway. But just today, we had a large number of hosts trying to post spam at a rate of several posts a minute. The timing suggests that all these hosts are part of a single botnet. The "attack" is ongoing as I type this.
Here is a captured full sample request (note that the upper-case header names are an artifact of the collection):
POST /poll.html HTTP/1.1
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
VIA: 1.1 hebergement.gratisim.fr
poll_comment: qYAV4f <a href="http://vjrimatpckvt.com/">vjrimatpckvt</a>, [url=http://zdzyzolzspzd.com/]zdzyzolzspzd[/url], [link=http://zloyarufkbun.com/]zloyarufkbun[/link], http://mlsorofkvzxa.com/
There are a couple of odd and interesting attributes to this request:
- The "ACCEPT" header looks very real. Many scripts and bots do not spoof it that well.
- The request uses a correct "Referer" header.
- The User-Agent looks real too, but a bit "short". A Windows XP host without .NET or anything else?
- The cookie is particularly interesting. A different session cookie is used for each request. But oddly, the (local) Google Analytics cookies are missing.
- Not sure what the Cookie2 header is supposed to do... Maybe it identifies the bot?
- The "Via:" header is only present in some of the requests and is probably incidental. Some of the infected systems appear to be housed behind a proxy server.
Finally, the content: The domains "advertised" do not appear to exist. This may be a test to determine whether these URLs get posted to the site or not. Note that the attack uses 4 different link styles:
- Standard HTML link <a href="x">x</a>
- BBCode [url=x]x[/url] link
- BBCode [link=x]x[/link] link
- "naked" URL
Given that these URLs don't exist (and they change from request to request), I think this is just a test run.
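As an added example (not code from the original diary), here is a small Python filter that pulls URLs out of the four link styles listed above and flags a comment that mixes several of them or advertises more than a couple of domains. The regexes, the thresholds and the benign sample comment are my own assumptions; the spam sample is the captured poll_comment from above.

```python
import re
from urllib.parse import urlparse

# Captured poll_comment value from the sample request above.
SAMPLE = ('qYAV4f <a href="http://vjrimatpckvt.com/">vjrimatpckvt</a>, '
          '[url=http://zdzyzolzspzd.com/]zdzyzolzspzd[/url], '
          '[link=http://zloyarufkbun.com/]zloyarufkbun[/link], '
          'http://mlsorofkvzxa.com/')

# One pattern per link style seen in the spam. The "naked" pattern uses a
# lookbehind so it does not re-match URLs already inside href=, [url= or [link=.
LINK_STYLES = {
    "html":   re.compile(r'<a\s+href=["\']?(https?://[^"\'\s>]+)', re.I),
    "bburl":  re.compile(r'\[url=(https?://[^\]\s]+)\]', re.I),
    "bblink": re.compile(r'\[link=(https?://[^\]\s]+)\]', re.I),
    "naked":  re.compile(r'(?<![="\'\[])(https?://[^\s<>\[\]"\',]+)', re.I),
}


def extract_links(comment):
    """Return {style: [url, ...]} for each of the four link styles."""
    return {style: rx.findall(comment) for style, rx in LINK_STYLES.items()}


def classify(comment, max_hosts=2):
    """Flag a comment that mixes link styles (a signature of this spam run)
    or that points at more than max_hosts distinct hosts (assumed threshold)."""
    links = extract_links(comment)
    styles = sorted(style for style, urls in links.items() if urls)
    hosts = sorted({urlparse(u).hostname for urls in links.values() for u in urls})
    spam = len(styles) >= 2 or len(hosts) > max_hosts
    return {"spam": spam, "styles": styles, "hosts": hosts}


if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify("Good write-up, more at https://isc.sans.edu/ thanks"))
```

A legitimate comment with a single link of one style passes; the captured sample trips both heuristics, so the comment can be held for review before it ever reaches the moderation queue.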
If anybody knows what the Cookie2 header is supposed to do... please comment below or let me know directly.