SUC019 : Suspicious Inbound AlphaServer UA

  • Use Case Reference : SUC019
  • Use Case Title : Suspicious Inbound AlphaServer UA
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Web forums spam bot.

Source(s) :

Emerging Threats 2011517
Emerging Threats 2011518
Wikipedia Alphaserver
User-Agent Strings – MS IE – Full

Emerging Threats has release a two new SIGs 2011517“ET USER_AGENTS Suspicious Inbound AlphaServer UA” and 2011518“ET USER_AGENTS Suspicious Outbound AlphaServer UA” since 17 September 2010. These two new SIGs are focusing on suspicious user agents how shouldn’t being used by valid browsers today.

Emerging Threats SIG 2011517 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an inbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.

Emerging Threats SIG 2011518 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an outbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.

The sources are focusing web forums, doing registration and thread post attempt in short interval of time, this time interval is not humanly possible, it is clearly a bot.

Example :

74.118.193.13United States – 18 events in 20 seconds.

GET /forum/ HTTP/1.0
GET /forum/index.php HTTP/1.0
GET /forum/index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0
POST /forum/index.php?act=Reg&coppa_user=&termsread=1&coppa_pass=1 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
Members Display Name : Andreww3
PassWord : AEpRfH9415
PassWord Check: AEpRfH9415
Email Address : [email protected]
Email Address two : [email protected]
GET /forum/index.php?act=Login&CODE=00 HTTP/1.0
POST /forum/index.php?act=Login&CODE=01 HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=34 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=19 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=19 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0

AlphaServer UA SIG 2011517 1 Week events activities
AlphaServer UA SIG 2011517 1 Week events activities
AlphaServer UA SIG 2011517 1 month events activities
AlphaServer UA SIG 2011517 1 month events activities
1 Month TOP 10 source IPs for SIG 2011517
1 Month TOP 10 source IPs for SIG 2011517