More Pie Charts & Fingerprinting
by Jose Nazario

I’ve been fingerprinting a lot of malicious servers the past couple of days and improving my approach. I focused on phishing servers because they represent a class of boxes I can interrogate in a few ways. Sure enough, when I run the original tests based on p0f2 and xprobe2, I get similar results as I did with the botnet fingerprinting stuff from earlier. Who knew that phishing sites are hosted on Foundry switches and HP printers …
As I anticipated I would have to, I got a parallelized version of nmap -O working for my needs, and I went ahead and fingerprinted a bunch of phishing servers and also looked at their server strings. The results line up pretty well with what I expected: nmap reports mostly Linux and FreeBSD boxes, which jibes with the banners from the servers. I also get the usual stray OS lists, like an F5 BigIP box (which is probably in front of the server), a Symantec device, etc … some of the perils of the approach.
Also worth noting is that about 2/3 of the servers examined for this study (about 750 servers from yesterday and today) have some form of PHP installed. What we usually see when we look at the servers involved in phishing attacks is that they got in through one of a million PHP holes that you see every day and often ignore.

Figure 1: Phishing server banner strings reported.

Figure 2: Apache platforms inferred from server strings.
Not surprisingly, lots of Apache servers out there. When you compare it to recent Netcraft numbers, phishing servers see more Apache servers than IIS, probably due to the attack toolkits the phishers have. How the relative quantities of Apache releases compare to the world at large, however, I don’t know. And the second graph shows that, just like you would expect, it’s mostly Apache on Linux or UNIX (i.e. those FreeBSD boxes).
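The two charts above are just tallies over collected Server header strings: the product and version before the first space, the platform hint Apache puts in parentheses, and whether a PHP module is advertised. As an added example (not code from the original post), here is a small Python parser that pulls those fields out of a list of banners and aggregates them the same way. The banners in SAMPLE_BANNERS are constructed to look like typical Apache, IIS and nginx headers of the period; they are not values from the post.

```python
"""Tally web server product, Apache platform and PHP presence from Server banners.

Added example, not code from the original post. Input is a list of raw
HTTP Server header values such as "Apache/2.0.52 (Red Hat)".
"""
import re
from collections import Counter

# Constructed sample banners in the shapes Apache, IIS and nginx emit.
# Illustrative only, not banners collected for the post.
SAMPLE_BANNERS = [
    "Apache/1.3.33 (Unix) PHP/4.3.10",
    "Apache/2.0.52 (Red Hat)",
    "Apache/2.0.54 (Fedora) PHP/5.0.4",
    "Apache/1.3.34 (Debian) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2",
    "Apache",
    "Microsoft-IIS/6.0",
    "Apache/2.0.55 (FreeBSD) PHP/4.4.1",
    "nginx/0.3.20",
]

# Product name, optionally followed by "/version", at the start of the banner.
_PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/([\w.]+))?")
# Apache's parenthesised platform token, e.g. "(Unix)" or "(Red Hat)".
_PLATFORM_RE = re.compile(r"\(([^)]*)\)")
# A PHP module advertised as "PHP/x.y.z" anywhere in the banner.
_PHP_RE = re.compile(r"\bPHP/([\w.]+)")


def parse_banner(banner):
    """Return (product, version, platform, php_version) for one Server header.

    Missing pieces come back as None: a bare "Apache" banner carries no
    version or platform, and only Apache-style banners have the
    parenthesised platform token at all.
    """
    banner = banner.strip()
    m = _PRODUCT_RE.match(banner)
    if not m:
        return (None, None, None, None)
    product, version = m.group(1), m.group(2)
    plat = _PLATFORM_RE.search(banner)
    platform = plat.group(1).strip() if plat else None
    php = _PHP_RE.search(banner)
    return (product, version, platform, php.group(1) if php else None)


def tally(banners):
    """Aggregate banners into the counts behind the two pie charts:
    product totals, Apache platform totals, and the fraction of hosts
    whose banner advertises PHP."""
    products = Counter()
    apache_platforms = Counter()
    php_hosts = 0
    for b in banners:
        product, _version, platform, php = parse_banner(b)
        products[product or "unknown"] += 1
        if product == "Apache":
            apache_platforms[platform or "unspecified"] += 1
        if php is not None:
            php_hosts += 1
    return {
        "products": products,
        "apache_platforms": apache_platforms,
        "php_fraction": php_hosts / len(banners) if banners else 0.0,
    }


if __name__ == "__main__":
    result = tally(SAMPLE_BANNERS)
    print("Products:")
    for name, count in result["products"].most_common():
        print(f"  {name:15s} {count}")
    print("Apache platforms:")
    for name, count in result["apache_platforms"].most_common():
        print(f"  {name:15s} {count}")
    print(f"Hosts advertising PHP: {result['php_fraction']:.0%}")
```

One caveat when reading the PHP fraction this way: a banner is only what the server chooses to say. A host running with a terse ServerTokens setting reports just "Apache" and hides both its platform and any PHP module, so a banner-based count is a lower bound on PHP prevalence, and the "unspecified" platform bucket should be reported rather than silently dropped.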
You note that 2/3 of phishing servers have PHP installed. Do you have any idea how that compares with a random set of Apache servers out there?