Comments (11)
Hello! It looks like your server answers with a status code of 200 when Chopchop asks for "/images/imgpaper.png" and others.
Can you please try this command to see if it still answers with a status_code of 200:
"curl -D - https://xxxxxxxxx.xxxxxxxxx/ico/VidT6cErs"
Thanks!
Hi,
Thanks for the reply. All the files are here; I've downloaded them and I'll do some forensics and get back to you on whether they are false positives or not.
Thanks a lot!
#asmpowa #mesbeauxparentshabitentennezat
from chopchop.
Hi nocomp, Hi Paul,
I've solved this issue by adding new settings in the rules.
I've downloaded a sample of the Trickbot payload and tried it on Apache, but I don't get the same headers as with Nginx. For more accuracy I've created 2 rules.
See my last pull request.
Those rules have been created by @woundride in order to test for the presence of the "Trickbot" trojan based on specific files (in our case, images).
If you got this output, it means all those requests got a status_code of 200, either because:
- the file is present (and might be benign)
- the webserver sent a 200 for some reason.
Feel free to let us know in any case. Happy to help!
What is strange is that if I http these files I get a 404, but I can wget them.
Can you explain please? Feeling confused.
Perfect!
You are more than welcome. I will close the ticket for the moment but feel free to re-open it if you think that those are false positives and see how we can tweak that.
#YellowArmyPowa :)
Hi Paul, last question:
can you please explain to me how come I can wget http://server.com/images/redcar.png, but if I http it I get a 404, and on the server there is no such file?
It drives me nuts...
Deobfuscating all the JS atm... #whataday...
Thanks for your time!
I am just an idiot, it's a user agent matter, sorry.
Thanks for the great tool.
#63powa
Hi Paul,
A quick update regarding the detection:
From what I read, chopchop detects if such a file exists; if yes (200), we get a detection warning.
For example, if you scan http://179.150.226.35.bc.googleusercontent.com:90/
you'll get
| http://179.150.226.35.bc.googleusercontent.com:90/ | /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp | High | F5 BIG-IP - CVE-2020-5902 | Apply patch - F5 K52145254 |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |
Then I had a look at the source of the detection rule,
https://urlhaus.abuse.ch/browse.php?search=%2Fimages%2Fimgpaper.png
I downloaded imgpaper from one of these sites and ran it in a sandbox; it's a PE executable.
When I inspect the same file on the link I gave you above, it's HTML inside, as if you wget index.php.
Any idea what is happening????
Thanks for your time.
Interesting, I guess that's because the webapp (and the underlying reverse proxy) messes up by sending another status code (we could expect a 404 for a resource not found), like a 200 for a non-existing resource.
I agree Paul. I pressed the red button because of the warning's kind; I had to take a decision, no regrets, but happy to see it was a false positive in the end.
Any way of improving the detection rules?
Let me know if I can help.
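A triage helper for hits like the ones in this thread, as an added example (not ChopChop's own code): it classifies what a 200 response actually contains (PE, PNG or HTML) and compares it with the response for a random path that cannot exist, so a catch-all page that returns 200 for everything (the index.php-like HTML nocomp saw) is separated from a real PE served under an image name. The `fetch()` helper with its User-Agent parameter is an assumption of this example; the sample responses are constructed.

```python
import re
import urllib.request
from urllib.error import HTTPError

PE_MAGIC = b"MZ"                      # DOS/PE header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # real PNG
HTML_RE = re.compile(rb"<(?:!doctype|html|head|body)\b", re.I)

# Constructed sample responses (status, body), standing in for live fetches.
SAMPLE_PE_HIT = (200, PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60)
SAMPLE_CATCHALL = (200, b"<!DOCTYPE html><html><body>Welcome</body></html>")

def fetch(url, user_agent="Mozilla/5.0", timeout=10):
    """Return (status, body[:4096]); the UA is a parameter because servers may answer wget and a browser differently."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as err:          # 4xx/5xx still carry a body worth classifying
        return err.code, err.read(4096)

def classify_body(body):
    """Say what was actually served, regardless of status code or file name."""
    head = body[:512].lstrip()
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PNG_MAGIC):
        return "png"
    if HTML_RE.search(head):
        return "html"
    return "unknown"

def same_catchall(a, b):
    """Cheap check that two bodies are the same catch-all page: same kind, length within 10%."""
    return classify_body(a) == classify_body(b) and abs(len(a) - len(b)) <= max(len(a), len(b)) // 10

def triage(hit, baseline):
    """hit: (status, body) of the flagged path; baseline: same for a random path that cannot exist."""
    status, body = hit
    if status != 200:
        return "not-present"
    kind = classify_body(body)
    if kind == "pe":
        return "suspicious-pe"        # executable served under an image name: investigate
    if baseline[0] == 200 and same_catchall(body, baseline[1]):
        return "soft-404"             # server says 200 for everything; the hit is noise
    if kind == "png":
        return "benign-image"
    return "unknown-200"
```

Fetch the flagged path and a random sibling path with the same User-Agent ChopChop used, then pass both (status, body) pairs to `triage()`.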