Johannes wrote a diary entry “Increasing Searches for ZIP Files” where he analyzed the increase of requests for ZIP files (like backup.zip, web.zip, …) for our web honeypots.
Johannes wrote a diary entry “Increasing Searches for ZIP Files” where he analyzed the increase of requests for ZIP files (like backup.zip, web.zip, …) for our web honeypots.
I took a look at my logs, and noticed that too. But it’s not only ZIP files, but other archives too:
| Type |
| zip |
| rar |
| 7z |
| gz |
| tar |
I even had requests for .tar.zip files.
And when it comes to backup files, the following non-archive types are also popular requests:
| Filename |
| backup.sql |
| backup.json |
| backup.bak |
| backup.sh |
Looking at the User Agent Strings for these requests, none indicated that these scans were performed by researchers.
And comparing the source IPs of these requests with our researchers list: not a single match.
So it’s safe to say that these scans are done with malicious intent, and that you should take Johannes’ advice and don’t have these types of files on your web servers, and even better, have some policy to avoid this.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Leave A Reply