What is Apache Synapse?

My website keeps getting hit by odd requests with the following user-agent string:

Mozilla/4.0 (compatible; Synapse)

Using our friendly tool Google I was able to determine this is the hallmark calling-card of our friendly neighborhood Apache Synapse, a 'Lightweight ESB (Enterprise Service Bus)'.

Now, based on this information I was able to gather, I still have no clue what this tool is used for. All I can tell is that it has something to do with Web-Services, and supports a variety of protocols. The Info page only leads me to conclude it has something to do with proxies and web-services.

The problem I've run into is that while normally I wouldn't care, we're getting hit quite a bit by Russian IPs (not that Russians are bad, but our site is pretty regionally specific), and when they do they're shoving weird (not XSS/malicious, at least not yet) values into our query string parameters.

Things like &PageNum=-1 or &Brand=25/5/2010 9:04:52 PM.

Before I go ahead and block these IPs/user-agent from our site, I'd like some help understanding just what is going on.

Any help would be greatly appreciated :)

Aren B

Posted 2010-05-27T22:31:38.107

Reputation: 844

An enterprising user over here (http://goo.gl/baHJn) took a look at the source for Apache Synapse. The UA header it uses doesn't match what your logs show. Further digging on his part turned up Ararat Synapse which DOES use that header.

– Doug Wilson – 2013-03-12T14:35:13.717

See related question and commentary on this other stackexchange site, http://security.stackexchange.com/questions/18652/is-this-a-viewstate-attack

– Funka – 2013-04-18T19:02:56.773

Whenever I google this user agent, I come across this post, so I thought I should share some of my findings in case someone is looking for it. http://www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ This is mostly a botnet attack and has nothing (or very little) to do with the Apache Synapse project.

– Imran Saeed – 2013-09-19T10:06:01.710

Answers

Are all the IPs from a specific range? Is that range assigned to a specific company? If it is, just look up who the range is assigned to and contact the Technical Contact listed.

The most likely thing I can think of is that they are scraping content from your webpage or programming something which will scrape content (which explains the weird boundary conditions as arguments).

It could be something a little less innocent; I don't know what data you are trying to protect (it could be worth something). They could be trying to expose an error page which can dump sensitive debug info. If that is the case then I would suggest setting up a web app firewall. They are made to prevent this kind of sensitive error message and other abuses from happening.

You could just try banning the IP ranges and see who complains... although that's your last resort.

Daisetsu

Posted 2010-05-27T22:31:38.107

Reputation: 5 195

All site errors are presented with a nice little "Site Error" page. If they're just scraping us, I don't care; it's that currently any time a user generates an exception that's unhandled it's logged to e-mail. I get 100+ a day from this guy alone. Of course the simple solution is to handle more errors, but this engine seemed pretty fishy when I looked into it, so I was concerned. – Aren B – 2010-05-27T23:10:20.650

I am pretty sure that this is not Apache Synapse; it's some tool built with Ararat Synapse, which is a Delphi TCP/IP library. I downloaded the source code from both projects, and as far as I can see, Apache Synapse has a configurable user-agent, and the default is:

[screenshot of the Apache Synapse source showing its default user-agent]

On the other hand, Ararat Synapse has this default user agent:

[screenshot of the Ararat Synapse source showing its default user-agent]

It's just like the one you have in your logs, and I have exactly the same user agent probing with various SQL injection attacks. Probably the attackers are using some tools built in Delphi with the Ararat Synapse library.

Since the bad guys didn't change the default user-agent, I think it's safe to block this one:

Mozilla/4.0 (compatible; Synapse)

not partially, because you could block some legitimate tools running on Apache Synapse, and I believe that any legitimate bot or project would define a user-agent and not hide behind the default.

There is no point blocking IPs because it seems that the attack is coming from various IP addresses around the world, probably some botnets.

Antonio Bakula

Posted 2010-05-27T22:31:38.107

Reputation: 412

"any legitimate bot or project would define user-agent and not hide with default." There are no flaws in leaving the default user agent string as is!!! I would be much more suspicious of an unknown user agent, but you can't know each and every one. Your solution (safe to block user agent) is pure bad practice, just like banning dynamic IPs. Bots use the most known or completely unknown agents. This one is definitely not. – Darkendorf – 2017-11-08T09:55:08.510

Same person trying to inject -1 into the viewstate:

finder-query: -1'

It's probably an automated SQL injection tester tool.

silent

Posted 2010-05-27T22:31:38.107

Reputation: 61

I'd even say, inject -1' (apostrophe is important) – billy – 2013-02-12T20:39:38.947

I have recently seen this User-Agent coming from one IP:

217.35.nn.nn - - [21/Feb/2012:07:01:22 +0000] "GET /view/pubcal.php?event=17' HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"
217.35.nn.nn - - [21/Feb/2012:08:06:31 +0000] "GET /view/pubcal.php?event=16' HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"

It was fairly shortly followed by a definitely malicious user agent (Havij):

217.35.nn.nn - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=1 HTTP/1.1" 200 6627 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
217.35.nn.nn - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=999999.9 HTTP/1.1" 200 2235 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"

This was followed by several attempts at SQL injection.

Synapse isn't malicious in and of itself, but it does appear to be used to probe data-driven websites. If your website does not offer an API to anyone, I'd block this User-Agent. Maybe use the apache-badbots filter in fail2ban to block traffic from IP addresses which try to use this agent string. And stick 'Havij' in there too, while you're at it.

Adam Thompson

Posted 2010-05-27T22:31:38.107

Reputation: 1 954
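As an added illustration (not code from this thread or from either Synapse project), the following Python script applies the checks that this answer and Antonio Bakula's answer arrive at, over constructed Apache combined-format log lines: an exact match on the default Synapse user-agent (exact rather than substring, so a client that set its own UA is not caught), a check for the Havij token, and the -1 / trailing-quote parameter probe pattern. The function names, the reason labels and the TEST-NET addresses in the sample log are all assumptions made here.

```python
import re
from urllib.parse import unquote

# Apache "combined" log line, the format of the entries quoted in the answer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Exact default Ararat Synapse UA; compared with ==, not a substring search.
SYNAPSE_DEFAULT_UA = "Mozilla/4.0 (compatible; Synapse)"
TOOL_UA_TOKENS = ("Havij",)  # tool names appended to an otherwise spoofed browser UA

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None when not in combined format

def classify(rec):
    """Reasons a parsed request looks like a probe (empty list if it looks clean)."""
    reasons = []
    if rec["ua"] == SYNAPSE_DEFAULT_UA:
        reasons.append("default-synapse-ua")
    if any(tok in rec["ua"] for tok in TOOL_UA_TOKENS):
        reasons.append("known-sqli-tool-ua")
    # Probe pattern from the thread: a parameter value set to -1 or ending in a
    # single quote. %27 is decoded first because real logs keep it URL-encoded.
    query = rec["path"].partition("?")[2]
    for pair in query.split("&"):
        value = unquote(pair.partition("=")[2])
        if value == "-1" or value.endswith("'"):
            reasons.append("sqli-probe-param")
            break
    return reasons

def scan(lines):
    """Map each flagged client IP to the set of reasons; clean IPs are omitted."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            hits.setdefault(rec["ip"], set()).update(reasons)
    return hits

# Constructed sample log (TEST-NET addresses), modelled on the entries quoted above.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2012:07:01:22 +0000] "GET /view/pubcal.php?event=17%27 HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '203.0.113.5 - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=999999.9 HTTP/1.1" 200 2235 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"',
    '198.51.100.7 - - [21/Feb/2012:11:00:00 +0000] "GET /view/pubcal.php?event=17 HTTP/1.1" 200 6627 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    '198.51.100.9 - - [21/Feb/2012:11:05:00 +0000] "GET /api/items?PageNum=-1 HTTP/1.1" 200 120 "-" "Mozilla/4.0 (compatible; Synapse Client 1.0)"',
]
```

The last sample line shows why the exact-match rule matters: a client that renamed its UA is not flagged for the UA alone, but the -1 probe still surfaces it, so the per-IP result can feed a fail2ban-style ban decision without relying on the UA string only.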

I have checked my database of over 75 million requests gathered by our security application and only found that user agent without any referrer URL.

Also, I can see that they hit various subdomains within less than a minute, and a normal visitor couldn't navigate so quickly.

I count only 23 requests for that user agent, so I've blocked the guys. Here are the IP addresses from my sites:

Karl

Posted 2010-05-27T22:31:38.107

It's probably using a botnet. I don't think banning those IPs would help anyone a whole lot. – Aren B – 2010-11-01T16:03:45.903

Except that all the addresses are dynamic IPs and you are blocking potentially paying customers... – ZaB – 2012-03-09T12:18:50.683

I've come here after searching for this user agent. A different IP (91.127.90.220) but the same approach: every field from a form replaced in turn by -1[quote].

It's the only time I've ever seen it used, so I agree that banning it is the way forward.

Nick

Posted 2010-05-27T22:31:38.107

Reputation: 11

For what it's worth, 'Apache Synapse' doesn't do this behavior. The tool being used has a similar agent string. I suggest you read the other answers for more information. – Aren B – 2013-09-12T21:20:55.883