SUC016 : User-Agent “Toata dragostea mea pentru diavola” scanner

  • Use Case Reference : SUC016
  • Use Case Title : User-Agent “Toata dragostea mea pentru diavola” Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Toata Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • Toata scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
...

Theses patterns are related to Toata Scanner, an Web scanner specialized in Web applications discovery. Originally this Web scanner was targeting Roundcube Webmail installation files in order to exploit CVE-2008-5619. You can see with theses logs samples that Toata is no more only targeting Roundcube, but is also used to detect installation of e107, for example. We have publish yesterday (24 Mai 2010) an security alert regarding e107, toata is surely using a google dorking feature to find his target.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009159SCAN Toata Scanner User-Agent Detected“.

Here under you can find the latest statistics for Toata scanner activities.

1 Month SIG 2009159 events activities
1 Month SIG 2009159 events activities
One year SIG 2009159 events activities
One year SIG 2009159 events activities
1 Month TOP 10 source IPs for SIG 2009159
1 Month TOP 10 source IPs for SIG 2009159
TOP 20 source countries for SIG 2009159
TOP 20 source countries for SIG 2009159