Xanda's Blog !~!

Fingerprinting (potential) Sinkhole Server


A short update, a note for myself

Last May, while discussing with a friend, we’ve concluded that these 2 header (HTTP header) example indicate that those servers are sinkhole servers:

HTTP/1.0 200 OK
Server: Apache 1.0/SinkSoft
Date: Tue, 27 May 2014 06:11:29 GMT
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 07:26:20 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

So we can look for:

  • Apache 1.0/SinkSoft
  • X-Sinkhole:

Today, I’ve found “Server: TornadoServer” is another indicator. But i’m not yet 100% sure. Comments are welcome

Installing Compact Language Detection 2 (CLD2) on Ubuntu


I’ve been using chromium-compact-language-detector before, and when they moved to v2.0, chromium-compact-language-detector has been renamed in to Compact Language Detection 2 (CLD2). I’ve read blog post on the performance review and i’m really impressed. So let give them a try.

Install the dependencies:

sudo apt-get install mercurial gcc-multilib python-dev build-essential

Download CLD2 and the python binding:

cd /tmp/
svn checkout http://cld2.googlecode.com/svn/trunk/ cld2
hg clone https://code.google.com/p/chromium-compact-language-detector/

Compile CLD2 and install the lib (for 32bit) :

cd /tmp/cld2/internal/
cat compile_libs.sh | sed 's/\ \-m64\ //g' > compile_me.sh
chmod +x compile_me.sh
sudo cp *.so /usr/lib/

Compile CLD2 and install the lib (for 64bit) :

cd /tmp/cld2/internal/
sudo cp *.so /usr/lib64/

Compile the python binding:

cd /tmp/chromium-compact-language-detector/
python setup.py build
python setup_full.py build
sudo python setup.py install
sudo python setup_full.py install

Give the library a test:

python test.py

For documentation:

python -c "import cld2; help(cld2.detect)"

Done! Thanks

Macports on Mavericks


Quick update for those who found something buggy with their Macports after upgraded their OSX to Mavericks

  1. Download and install Xcode 5.0.1
  2. Install Command Line Tool
    xcode-select --install
  3. Accept Xcode license agreement
    sudo xcodebuild -license
  4. Download Macports source
    cd /tmp
    wget https://distfiles.macports.org/MacPorts/MacPorts-2.2.0.tar.gz
  5. Extract and compile
    tar xvfz MacPorts-2.2.0.tar.gz
    cd MacPorts-2.2.0
    sudo make install
  6. Update your Macports
    sudo port -v selfupdate


In response to ISC Diary’s “an epidemic of typo squatting”


I’ve been monitoring placeholder and typo squatting domains for few months now, and I’ve read a write-up on ISC diary on “Is there an epidemic of typo squatting?”. There are a few conclusions that I can make and share:

  1. Most of typo squatting domains are parked on two /24 network, and by default, they are serving placeholder on the main page
  2. The page (content) is detected by McAfee asĀ JS/Redirector.ar or JS/Blacole-Redirect
  3. There are a lot of domains (typo squatting some famous big websites) have been bought/rent, and used in Scam (win an iPad, win a voucher) activities.
  4. Beside of Scam activities as in No 3, I’ve also seen domains that have been used in serving malicious content/redirection.
  5. Speaking about item no 4, one interesting point to share is, after serving the malicious content/redirection for some time (mostly 1 or 2 weeks), the domain will be pointed back to the placeholder server and serving the placeholder again
  6. Item 4, and 5 also applicable for Phishing activities
  7. In the last couple of days (or week), they’ve started to ‘hide’ themself behind CloudFlare IPs.
  8. Today (or maybe itĀ happened in the weekend), a few IPs have changed their default interface (of the placeholder) into some plain page with something like “what are you looking for?” message.

Seeing something similar or totally different? Feel free to share your points in the comment section.


Detecting counter.php – The BlackHole Redirector


Have you ever came across the following line of code injected to your (or you visited) website

If I get it correctly, it is the BlackHole Exploit Kit redirector.

The pattern for this “counter.php” injected script will always be the same, so for system administrator or webmasters, you can use the following yara rule for your detection

rule counterPHPredirectBHEK
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible counter.php redirector"
		ref = "http://blog.xanda.org/2013/04/05/detecting-counter-php-the-blackhole-redirector"
		cve = "NA"
		version = "1"
		impact = 4
		hide = false
		$counterPHP = /\<iframe\ src\=\"https?\:\/\/[a-zA-Z0-9\-\.]{4,260}\/counter\.php\"\ style\=\"visibility\:\ hidden\;\ position\:\ absolute\;\ left\:\ 0px\;\ top\:\ 0px\"\ width\=\"10\"\ height\=\"10\"\/\>$/
		all of them


P/S: MyYaraSIG guys, my Macbook is not able to be boot right now, will commit to the repo later