Below, you can see a typical log of a distributed attack (really, this log is just search-engine bait so you find this page if you search for the URIs). The attack is most likely run by spammers looking for vulnerable scripts to relay their mail through. Given this log, hunch will automatically notify the admins of the attacking machines.
[Tue Sep 7 19:43:56 2004] [error] [client 80.55.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/tellafriend.pl
[Tue Sep 7 19:44:35 2004] [error] [client 211.1.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/contactus.pl
[Tue Sep 7 19:45:01 2004] [error] [client 216.43.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/formtomail.pl
[Tue Sep 7 19:45:26 2004] [error] [client 206.27.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/mailto
[Tue Sep 7 19:45:27 2004] [error] [client 207.68.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/sendmail.cgi
[Tue Sep 7 19:45:36 2004] [error] [client 202.125.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/webmailer.exe
[Tue Sep 7 19:45:48 2004] [error] [client 168.143.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/formmail
[Tue Sep 7 19:46:01 2004] [error] [client 202.125.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/contact
[Tue Sep 7 19:46:10 2004] [error] [client 80.58.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/yform.cgi
[Tue Sep 7 19:46:14 2004] [error] [client 64.157.x.x] File does not exist: /usr/local/www/data/cgi/tell/tell.cgi
[Tue Sep 7 19:46:19 2004] [error] [client 195.144.x.x] File does not exist: /usr/local/www/data/cgi/formmail.cgi
[Tue Sep 7 19:46:24 2004] [error] [client 211.34.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/cgiemail
[Wed Sep 8 10:21:17 2004] [error] [client 210.5.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/formmail.pl
[Wed Sep 8 10:21:23 2004] [error] [client 200.48.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/contact.cgi
[Wed Sep 8 10:21:37 2004] [error] [client 80.55.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/FormMail.pl
[Wed Sep 8 10:35:17 2004] [error] [client 200.41.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/cgiemail
[Wed Sep 8 10:35:19 2004] [error] [client 216.43.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/formmail.pl
[Wed Sep 8 10:36:23 2004] [error] [client 195.38.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/FormMail.pl
[Wed Sep 8 10:36:29 2004] [error] [client 81.118.x.x] File does not exist: /usr/local/www/data/mail.cgi
[Wed Sep 8 10:36:32 2004] [error] [client 212.47.x.x] File does not exist: /usr/local/www/data/cgi/formmail
[Wed Sep 8 10:36:36 2004] [error] [client 206.163.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/mail.cgi
[Wed Sep 8 10:36:37 2004] [error] [client 80.58.x.x] File does not exist: /usr/local/www/data/formmail.pl
[Wed Sep 8 10:36:42 2004] [error] [client 80.58.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/feedback.cgi
[Wed Sep 8 10:37:04 2004] [error] [client 24.97.x.x] File does not exist: /usr/local/www/data/contact.cgi
[Wed Sep 8 10:40:19 2004] [error] [client 211.34.x.x] script not found or unable to stat: /usr/local/www/cgi-bin/contact.cgi
The bottom line is that if you keep hunch running on the logs of your web server, you automatically notify network administrators all over the web about hosts that, in most cases, violate their network's acceptable use policy. You can expect to report anywhere from 5 to 20 hosts a week. Most of the replies you'll get (if you supply a valid reply-to address on the outgoing complaints) will be automated replies from request-tracking systems (policies at many ISPs forbid more detailed replies). But you can expect to get at least one reply a week from someone thanking you for bringing the matter to their attention and promising to disinfect the machine.
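The log triage described above can be sketched as follows. This is an added example, not hunch's own code: it pulls failed requests for mail-form scripts out of an Apache error log, splits them into bursts, and checks whether a burst is spread over several clients. The function names, the script-name heuristic, the 15-minute gap and the three-client threshold are assumptions, and the sample log is constructed with documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 1.3-style error entries, as in the log above. finditer() also copes
# with entries that have been run together on one line.
ENTRY = re.compile(
    r"\[(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] "
    r"\[client (?P<client>[^\]]+)\] "
    r"(?:script not found or unable to stat|File does not exist): (?P<path>\S+)"
)
# Assumption: a heuristic built from the script names seen in the log above.
MAIL_SCRIPT = re.compile(r"mail|contact|feedback|tell|yform", re.I)

def find_probes(log_text):
    """Return sorted (time, client, script) for failed mail-form script requests."""
    probes = []
    for m in ENTRY.finditer(log_text):
        script = m["path"].rsplit("/", 1)[-1]
        if MAIL_SCRIPT.search(script):
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            probes.append((ts, m["client"], script))
    return sorted(probes)

def bursts(probes, gap=timedelta(minutes=15)):
    """Split time-sorted probes into bursts separated by more than `gap`."""
    groups = []
    for p in probes:
        if groups and p[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(p)
        else:
            groups.append([p])
    return groups

def distributed(burst, min_clients=3):
    """Return (is_distributed, {client: scripts}) for one burst."""
    per_client = defaultdict(set)
    for _, client, script in burst:
        per_client[client].add(script)
    return len(per_client) >= min_clients, dict(per_client)

# Constructed sample: documentation addresses, script names from the log above.
SAMPLE = """\
[Tue Sep 7 19:43:56 2004] [error] [client 192.0.2.10] script not found or unable to stat: /usr/local/www/cgi-bin/tellafriend.pl
[Tue Sep 7 19:44:35 2004] [error] [client 198.51.100.7] script not found or unable to stat: /usr/local/www/cgi-bin/contactus.pl
[Tue Sep 7 19:45:10 2004] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
[Tue Sep 7 19:46:19 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/www/data/cgi/formmail.cgi
[Wed Sep 8 10:21:17 2004] [error] [client 203.0.113.5] script not found or unable to stat: /usr/local/www/cgi-bin/formmail.pl
"""
```

The per-client mapping returned by `distributed()` is the part a complaint to each network's administrator would be built from, since it lists which scripts each host asked for.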
Maintained by Dan Pelleg.