SUC027 : Muieblackcat setup.php Web Scanner/Robot

  • Use Case Reference : SUC027
  • Use Case Title : Muieblackcat setup.php Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : N.D.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • According to the logs, this scanner is looking for “setup.php” files.

Source(s) :

Emerging Threats SIG 2013115 triggers are :

  • The HTTP header should contain “GET /muieblackcat HTTP/1.1”. A complete set of logs is available here.
  • The source port can be any port from EXTERNAL_NET, with the traffic destined for HOME_NET on HTTP_PORTS.
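
The correlation described above (the “GET /muieblackcat HTTP/1.1” marker request plus “setup.php” lookups from the same source) can also be checked directly in HTTP access logs. The following is an added example, not code from the original page or from Emerging Threats; the log lines, IP addresses and setup.php paths are constructed, and the function name and report fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (Combined Log Format). The IPs are
# documentation addresses and the setup.php paths are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0200] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:36 +0200] "GET //admin/scripts/setup.php HTTP/1.1" 404 221 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0200] "GET //pma/scripts/setup.php HTTP/1.1" 200 812 "-" "-"
198.51.100.20 - - [10/Oct/2012:13:56:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2012:13:56:09 +0200] "GET /wiki/setup.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2012:14:01:11 +0200] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
this line is not a valid log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) '
)

def find_muieblackcat_scans(log_text):
    """Report source IPs that sent the marker request, with their setup.php probes.

    Hypothetical helper. 'answered_200' lists probes the server answered with
    status 200, i.e. paths the defender should review first.
    """
    marker_ips = set()
    setup_hits = defaultdict(list)  # ip -> [(path, status), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-HTTP lines
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        # Same request line the page quotes for SIG 2013115
        if (m["method"], path, m["proto"]) == ("GET", "/muieblackcat", "HTTP/1.1"):
            marker_ips.add(ip)
        elif path.lower().endswith("/setup.php"):
            setup_hits[ip].append((path, int(m["status"])))
    # Second step: keep setup.php probes only for IPs that sent the marker,
    # regardless of the order in which the requests were logged.
    report = {}
    for ip in sorted(marker_ips):
        probes = setup_hits.get(ip, [])
        report[ip] = {
            "setup_probes": [p for p, _ in probes],
            "answered_200": [p for p, s in probes if s == 200],
        }
    return report

if __name__ == "__main__":
    for ip, info in find_muieblackcat_scans(SAMPLE_LOG).items():
        print(ip, info)
```

A source that requests setup.php without ever sending the marker (198.51.100.20 in the sample) is deliberately left out of the report, since the page ties this use case to the /muieblackcat request.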
SIG 2013115 1 Week events activity
SIG 2013115 1 month events activity
1 Month TOP 10 source IPs for SIG 2013115
TOP 20 source countries for SIG 2013115

6 thoughts on “SUC027 : Muieblackcat setup.php Web Scanner/Robot”

  1. We just got scanned by muieblackcat a couple hours ago too. It was on our analytics stats and in the server stats as well – 80 entries, same as the log files above, from a French IP, which is clean (never reported for suspicious activity before) according to the web statistics.

    Other than getting me in here, Google also shows about 200 000 websites infected by this hack: what it does is create a page http://www.domain.com/muieblackcat which has adult content and links for more stuff. The websites seem to function normally otherwise, which makes me think that this is the only thing this hack does so the admins don’t even see the extra page added in order to remove it?! I didn’t click the links on those pages to check what this muieblackcat really does, and I can’t find information about it either, so maybe it’s just an ingenious way to advertise XXL?

  2. I noticed this in my analytics, but fortunately not in my logs. This was thwarted by CloudFlare thankfully. Was wondering, “WTF is this? No referrer? Awfully suspicious.” Googled the keyword for the directory it attempted to hit, “muieblackcat”, and it turned up a few results involving some hacker attempting brute force attacks.

    If you’re not already doing so, try out CloudFlare, it prevented this attack on my network. Only Google Analytics (set up as an app through CL) recorded it. Scared the hell out of me for a while there.

    I did suspect that the attacker was randomizing the IP through IP spoofing. I resolved the IP address that attempted to hack my site for the heck of it and it turned out to be some bike shop in Japan.
