
I recently found this request in the event log:

Client IP: 193.203.XX.XX
Port: 53080
User-Agent: Mozilla/4.0 (compatible; Synapse)
ViewState: -1'
Referer: 

Now, the ViewState: -1' part combined with the origin of the IP address (Ukraine, we don't have clients there) makes it look suspicious to me. Is this a new kind of attack and should I be worried?

Update

Here's the log:

2012-08-14 10:13:17 GET /Gesloten.aspx - 80 - 193.203.XX.XX Mozilla/4.0+(compatible;+Synapse) 200 0 0 546
2012-08-14 10:13:17 POST /gesloten.aspx - 80 - 193.203.XX.XX Mozilla/4.0+(compatible;+Synapse) 500 0 0 218
jao
    Is this the only occurrence from this IP? For me the suspicious part is the " ' " character, which is often used for probing SQL injection vulnerabilities. – efr4k Aug 14 '12 at 11:57
  • I have the same thing in my logs. In the past 30 days I have hits from 40 different IPs with that User Agent. They range from a minimum of 6 hits to over 30. To me it seems like it's a naive probing attempt looking for some specific type of vulnerability. It's annoying as hell. More info here: http://goo.gl/baHJn – Doug Wilson Mar 12 '13 at 14:39
  • I see a lot of traffic with this user-agent and it's all POSTing to forms with `-1'` in one of the form fields. Clearly either a tool or a botnet scanning for potential SQL injection vulnerabilities. – Carson63000 Jul 19 '13 at 02:43

6 Answers


I am pretty sure that this is not Apache Synapse, it's some tool built with Ararat Synapse, which is a TCP/IP library built with Delphi. I downloaded source code from both projects, and as far as I can see Apache Synapse has a configurable user-agent, and the default is:

Synapse-HttpComponents-NIO

On the other hand, Ararat Synapse has default user agent :

[image: Ararat Synapse source showing the default user agent, Mozilla/4.0 (compatible; Synapse)]

Just like the one you have in your logs, and I have exactly the same user agent probing for various SQL injection attacks; probably attackers are using some tool built in Delphi with Ararat Synapse.

Since bad guys didn't change default user-agent I think it's safe to block user agent:

Mozilla/4.0 (compatible; Synapse)

not partially, because you could block some legitimate tool running on Apache Synapse.

Antonio Bakula

Synapse is an Apache server designed for managing XML documents. It's highly unusual to see it in a user agent. The -1 doesn't look like a real attack, it's more likely a probe to work out what version of IIS you're using.

I found a similar question on ServerFault that mentioned the Synapse header, which resulted in a consensus that the traffic was not legitimate.

To be safe, I suggest blacklisting the IP address.

Polynomial
  • I would also disable `Synapse` if you are not using it. At the very least change the default configuration. – Ramhound Aug 14 '12 at 11:27
  • It's IIS and I guess Synapse is something Apache. – jao Aug 14 '12 at 12:48
  • 1
    @Ramhound The `Synapse` text is in the request header, i.e. it's coming *from* the client. This is highly unusual. – Polynomial Aug 14 '12 at 12:50
  • 2
    I would not blacklist it. If you have a security leak, some day someone is going to find it. Blacklisting a possible bad IP you happen to notice is not patching the leak, it's security through obscurity. The only reason to ever blacklist an IP is when they attempt to disrupt the service by overloading. – Luc Aug 14 '12 at 15:27
  • 1
    @Luc Patching takes time. In the meantime, a proactive block is worth doing. Then you can remove the block after it's all patched up. – Polynomial Aug 14 '12 at 15:49
  • @Polynomial Patching what? I don't see any hint that there is a leak, just some requests showing that someone is scanning for something (whatever that may be). – Luc Aug 14 '12 at 15:55
  • @Luc I misunderstood your previous comment. My bad. The advice still holds though - it's worth blocking IPs that aim to harm you, as a pre-emptive strike. Even if it only buys you a little time, it gives you chance to make a full security review based on the requests they sent. – Polynomial Aug 14 '12 at 17:51
  • 1
    One potential issue with blacklisting IP addresses is that, if those are dynamic IP addresses, your block may end up blocking other benign users. (There's also the configuration complexity of managing a blacklist.) – D.W. Aug 15 '12 at 01:51
  • This is not from Apache Synapse. The user agent "Mozilla/4.0 (compatible; Synapse)" is the _default_ user agent string in the _Ararat_ Synapse software, which is a TCP/IP library. – mgkrebbs Jul 04 '15 at 23:00

As long as you have taken all the usual security precautions, this isn't anything to worry about.

On a website I maintain, I have set it up so any uncaught errors are logged and emailed to me. I often open my inbox to find similar requests. The usual pattern in my experience is for the crawler to scan for all <input> tag names and set the value of each to -1' in turn.

This is normally accompanied by a poor attempt at spoofing the ViewState, which invariably fails because not only do they have no chance of generating a valid ViewState to match their fake request, they also seem to just put a load of random alphanumerics (rather than actually construct a valid Base-64 encoded string).

Widor
  • 1
    I too have been seeing these attempts at probing by setting different query parameters to -1, but here's the strange part: one of the query params being sent is the session GUID of another legitimate user surfing the site at the exact same time. (From a different IP.) The probes seem to come from a rotating set of IPs, no more than 5 or 6 requests from each, then a new IP with the same signature. The entire site is encrypted over HTTPS so I'm not sure how this attack-bot (or whatever we want to call it) is obtaining this. My guess? Malware on legitimate user's computer transmitting somewhere? – Funka Apr 18 '13 at 18:58

According to user-agents.org it is Apache web service for processing XML documents.

The Apache documentation can be found here. An excerpt of the documentation says:

Synapse: A Web service Mediation Framework project

Synapse will be a robust, lightweight implementation of a highly scalable and distributed service mediation framework on Web services specifications.

I have only seen this user-agent once over 10 years. I would pay extra attention to that IP address, but I would not necessarily block it. Often there are a whole lot of weird user-agents hitting public IP addresses, so this will probably not be the first. I would not treat it as an attack, but maybe as an initial probe in a reconnaissance.

Chris Dale
  • In this case I believe user-agents.org is wrong. The UA header Apache Synapse sets is "Synapse-HttpComponents-NIO". There is more information here: http://www.webmasterworld.com/search_engine_spiders/4532904.htm – Doug Wilson Mar 12 '13 at 14:32

Providing a ViewState of -1' will cause an exception on some systems. Based on the exception message I don't believe this issue is exploitable. However, the attacker may be profiling your server for other attacks. I am almost certain other requests were sent by this IP address; without logs of these requests it will be very difficult (impossible) to figure out what the attacker is doing.

rook

Had a similar attack performed on my Web Server recently. Here is some information for those who encounter the scoundrel attacking their machines.

  1. Attack seems to be done in two phases, scanning with an automated benign tool followed by malicious requests from a different IP.
  2. The scanning bot will usually use the following User Agent "Mozilla/4.0 (compatible; Synapse)".
  3. Bot seems to target Windows Servers running an ASP.NET website. All requests I have seen logs for contain .aspx files.
  4. Attack is definitely being done on a botnet. Here is an IP-by-country list of all of the zombie machines I have encountered on our server as of 09/04/2013:

Argentina (AR)

  • 190.114.70.209

Bulgaria (BG)

  • 178.75.221.101
  • 46.55.153.74

Belarus (BY)

  • 178.123.107.58
  • 178.123.183.9
  • 178.124.241.55
  • 178.127.154.20
  • 37.45.49.245
  • 82.209.223.166
  • 86.57.186.135
  • 91.187.19.38
  • 93.84.243.246
  • 93.85.12.94
  • 93.85.157.19

China (CN)

  • 14.109.132.174
  • 175.44.13.11
  • 222.182.200.23
  • 27.154.203.73

Czech Republic (CZ)

  • 188.120.211.30

Ecuador (EC)

  • 186.5.91.178
  • 190.214.112.254

Egypt (EG)

  • 105.200.65.80

Indonesia (ID)

  • 103.28.114.188
  • 118.97.108.90
  • 36.76.54.17
  • 36.83.114.190
  • 39.224.153.181

India (IN)

  • 112.79.43.244
  • 116.203.241.135
  • 122.170.116.58

Iraq (IQ)

  • 109.127.81.124

Iran, Islamic Republic of (IR)

  • 2.181.85.207
  • 91.98.216.77

Japan (JP)

  • 116.254.35.37
  • 117.18.194.211
  • 42.124.17.116

Kazakhstan (KZ)

  • 2.133.205.0
  • 2.135.1.203
  • 37.150.29.72

Mexico (MX)

  • 187.135.100.62

Philippines (PH)

  • 112.198.64.40
  • 49.144.213.238

Russian Federation (RU)

  • 213.87.120.10
  • 91.205.160.3

Saudi Arabia (SA)

  • 46.235.91.185

Thailand (TH)

  • 183.88.247.70

Tunisia (TN)

  • 41.227.150.182

Taiwan (TW)

  • 111.251.168.52
  • 114.44.181.250
  • 114.44.8.189

Ukraine (UA)

  • 109.251.144.46
  • 109.87.24.178
  • 176.107.192.2
  • 176.108.98.8
  • 178.93.69.165
  • 188.231.129.151
  • 193.106.162.74
  • 193.203.48.46
  • 195.200.245.115
  • 31.131.138.32
  • 46.118.147.64
  • 79.171.125.163

Vietnam (VN)

  • 171.255.4.195
  • 171.255.8.245
  • 27.78.121.197

South Africa (ZA)

  • 105.225.125.72
  • 41.177.29.18

Some suggested countermeasures:

  1. Logging traffic on the targeted website.
  2. Block the User Agent string of the automated scanning tool. The "(compatible; Synapse)" part makes it very unique from regular website visitors.
  3. Turn off the .NET code interpreter for websites that don't require it, such as PHP only websites. This narrows the attack surface as the vulnerability being exploited is clearly related to .NET or MSSQL.
  4. GEO IP blocking of countries which need no access to your site or service. Most of the traffic seems to be coming from non-English speaking countries.
Chaoix
  • Matches my experience. I have blocked 224,000 attempted SQL injection probes in the last few months - more than 20,000 from just one of those IP addresses (193.203.48.46)! My implementation was to log and return a 403 Forbidden for any request with a `Synapse` in the User-Agent which sent `-1'` in any query string or form post field. – Carson63000 Nov 14 '13 at 03:41
  • I am still fighting this battle with the script kiddies. I started forwarding all of my traffic to a tarpit php file I wrote to waste the attackers time and resources. https://github.com/msigley/PHP-HTTP-Tarpit – Chaoix May 06 '14 at 15:24
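Taking together Widor's description of the probe (each form field set to `-1'` in turn), Antonio Bakula's advice to match the full default User-Agent rather than a substring, and Carson63000's log-and-403 rule, here is an added Python example of the defender-side checks. It is written for this page and is not code from any of the answerers. It assumes IIS W3C log lines in the 13-field layout shown in the question and URL-encoded query strings or form bodies; the sample log lines and IP addresses below are constructed (documentation ranges), not taken from anyone's server.

```python
"""Detection helpers for the 'Synapse' -1' probe pattern discussed in this thread."""
from collections import Counter
from urllib.parse import parse_qsl

# Default User-Agent of the Ararat Synapse library, as quoted in the answers.
SYNAPSE_DEFAULT_UA = "Mozilla/4.0 (compatible; Synapse)"
# The probe value the answers describe: -1' dropped into a query or form field.
PROBE_VALUE = "-1'"

# Field order of the IIS W3C log lines shown in the question (assumed layout).
W3C_FIELDS = (
    "date", "time", "cs_method", "cs_uri_stem", "cs_uri_query", "s_port",
    "cs_username", "c_ip", "cs_user_agent", "sc_status", "sc_substatus",
    "sc_win32_status", "time_taken",
)

# Constructed sample log, same layout as the question's two lines.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-08-14 10:13:17 GET /Gesloten.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+Synapse) 200 0 0 546
2012-08-14 10:13:17 POST /gesloten.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+Synapse) 500 0 0 218
2012-08-14 10:14:02 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1)+Firefox/14.0 200 0 0 31
2012-08-14 10:15:40 POST /contact.aspx - 80 - 198.51.100.9 Synapse-HttpComponents-NIO 200 0 0 88
"""


def parse_w3c_line(line):
    """Split one IIS W3C log line into a dict; return None if it is not 13 fields."""
    parts = line.split()
    if len(parts) != len(W3C_FIELDS):
        return None
    rec = dict(zip(W3C_FIELDS, parts))
    # IIS writes spaces inside the User-Agent as '+'; undo that for matching.
    rec["cs_user_agent"] = rec["cs_user_agent"].replace("+", " ")
    rec["sc_status"] = int(rec["sc_status"])
    return rec


def is_synapse_default_ua(user_agent):
    """Exact match on the Ararat default, so that Apache Synapse
    ('Synapse-HttpComponents-NIO') and other clients are not caught."""
    return user_agent == SYNAPSE_DEFAULT_UA


def fields_with_probe(encoded):
    """Names of query-string or form fields whose decoded value starts with -1'."""
    return [name for name, value in parse_qsl(encoded, keep_blank_values=True)
            if value.startswith(PROBE_VALUE)]


def should_block(user_agent, query_string="", form_body=""):
    """Carson63000's rule: 'Synapse' in the User-Agent AND a -1' value in
    any query-string or form field. Either condition alone is not enough."""
    if "Synapse" not in user_agent:
        return False
    return bool(fields_with_probe(query_string) or fields_with_probe(form_body))


def scan_log(text):
    """Return (records from the Synapse default UA, Counter of hits per client IP).

    The per-IP counter is what surfaces the rotating-IP pattern Funka describes:
    a handful of requests from each address, then a new address."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C directive lines
            continue
        rec = parse_w3c_line(line)
        if rec and is_synapse_default_ua(rec["cs_user_agent"]):
            hits.append(rec)
    return hits, Counter(rec["c_ip"] for rec in hits)


if __name__ == "__main__":
    records, per_ip = scan_log(SAMPLE_LOG)
    for rec in records:
        print(f"{rec['c_ip']} {rec['cs_method']} {rec['cs_uri_stem']} -> {rec['sc_status']}")
    print("hits per IP:", dict(per_ip))
    print("block probe POST:", should_block(SYNAPSE_DEFAULT_UA, form_body="__VIEWSTATE=-1%27&txtName=-1%27"))
```

`should_block` is the request-time check (run it in a request filter or handler and answer 403 when it returns True); `scan_log` is the after-the-fact log review that groups the hits by source address. Matching the full User-Agent in `is_synapse_default_ua` follows the answer above: a substring match on "Synapse" would also catch the Apache Synapse default string.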