3

I have been investigating a series of IP addresses that has been (ab)used by a technically skilled troll. One such IP has a lighttpd (1.4.28) server running on it. This server appears to be a generic install (in so far as I know). There is a folder called payload with files named for their exact size: 100KB.bin, 10MB.bin, 1MB.bin, 20MB.bin, 250KB.bin, 2MB.bin, 500KB.bin and 5MB.bin which is their exact size as well as name.

Now what I cannot figure out (I have not used lighttpd) is if there is a legitimate use for such a setup or, as my gut tells me, if this is part of a DDoS set up with differently sized packets. If DDoS then I need to speak to my hosting company and tell them to expect an attack if lagit then I need to expand my understanding so as to not worry about stuff that needs no worry.

The folder is here (at time of posting):

http://195.88.75.46/payload/

All insight greatly appreciated.

Matthew Brown aka Lord Matt
  • 2,298
  • 1
  • 27
  • 40
  • That folder itself has nothing wrong with it except files full of random data used by speed test applications. However what can be a potential attack vector is the http://195.88.75.46/upload/ directory which may contain an insecure file upload script. –  Mar 23 '14 at 02:19

1 Answers1

3

This kind of files is usually used for speed tests, the files simply contain some random garbage and are large enough to allow for a speed test without to much fluctuation:

[timwolla@~]wget -O /dev/null http://195.88.75.46/payload/20MB.bin
--2014-03-23 01:47:40--  http://195.88.75.46/payload/20MB.bin
Connecting to 195.88.75.46:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20971520 (20M) [application/octet-stream]
Saving to: ‘/dev/null’

100%[======================================>] 20,971,520   671KB/s   in 33s    

2014-03-23 01:48:13 (615 KB/s) - ‘/dev/null’ saved [20971520/20971520]

/dev/null is used as the output file to reduce the performance penalty introduced by the hard disk.

So: This is nothing specific to lighttpd, but the lighttpd is probably used to reduce the load on the machine as it performs pretty good when serving static files (at least it performs better than the Apache2).

Here are other examples of such pages, with similarly named files:

TimWolla
  • 31,849
  • 8
  • 63
  • 96