Observed In The Wild: HTTP PUT Anomalies Explained

UPDATE (2023-01-31): Added link to the QA'd Tag.

You may have noticed an anomalous uptick of PUT requests in the GreyNoise sensors these past couple of days (2023-01-22 → 2023-01-24). For those interested, we’ve put together a quick summary of the details for you to dive into.

The majority of PUT requests occurred from January 15, 2023, to January 26, 2023. During this period, 2,927 payloads were observed containing HTTP paths of randomly generated letters with either a ".txt" or ".jsp" file extension. Similarly, the body of each PUT request contained one randomly generated string as plain text and another randomly generated string inside the markup of a Jakarta Server Pages (JSP) comment. We believe this to be a methodology for inserting a unique identifier into the target server to determine the potential for further exploitation, such as the ability to upload arbitrary files, retrieve the contents of the uploaded file, and determine whether the JSP page was rendered (indicative of possible remote code execution).

Sample of Decoded HTTP PUT Payload

The remaining path counts can be seen here:

Figure: Table of HTTP PUT Path Counts Observed by GreyNoise Sensors, showing /api/v2/cmdb/system/admin/admin and /FxCodeShell… receiving the most hits

The most common is "/api/v2…", a path often found in FortiOS authentication bypass attempts; check out our blog to learn more about tracking this exploit. We've also seen variations of "/FxCodeShell.jsp…", which indicate Tomcat backdoor usage. Each has its respective packet example below:

Figure: FortiOS Authentication Bypass Attempt (decoded HTTP PUT packet)
Figure: Tomcat Backdoor CVE-2017-12615 (FxCodeShell PUT headers and payload)

Inquiring into these paths led to a discovery for us as well! Having been formerly unfamiliar with the "/_users/org.couchdb.user:..." path, we did some digging, which led to a new signature for CVE-2017-12635.

Figure: Table of Instances of Apache CouchDB Remote Priv Esc Attempts

This highlights novel ways attackers are attempting to fingerprint exposed services using known vulnerabilities, and is a starting point for hunting for additional malicious activity related to these requests.

If you want to do your own threat hunting, check out GreyNoise Trends (Anomalies).

Researcher Notes

When digging into these anomalies, GreyNoise researchers noticed a pattern of randomly named JSP files being used to check whether the sender can upload, and then access, the uploaded files.

The FortiOS authentication bypass used both the "/api/v2" HTTP path prefix and a "User-Agent: Node.js" header.

"FxCodeShell.jsp" is associated with a well-known webshell.
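To turn the PUT pattern described above and the researcher notes into something a defender can run over their own web logs, here is an added detection example (not GreyNoise tooling). It assumes a constructed tab-separated record format of method, path, User-Agent and body, and the minimum filename length used to call a path "random" is an assumption.

```python
import re
from collections import Counter

# Tags for the paths called out in the post; the prefixes are quoted from it.
KNOWN_PATHS = {
    "/api/v2/cmdb/system/admin/admin": "fortios-auth-bypass-path",
    "/FxCodeShell.jsp": "tomcat-webshell-cve-2017-12615",
    "/_users/org.couchdb.user:": "couchdb-privesc-cve-2017-12635",
}
# Letters-only filename with a .txt or .jsp extension; the minimum length of
# 6 is an assumption chosen to skip very short, likely legitimate names.
RANDOM_UPLOAD_RE = re.compile(r"^/[A-Za-z]{6,}\.(?:txt|jsp)$")
JSP_COMMENT_RE = re.compile(r"<%--.*?--%>", re.S)

def classify(method, path, user_agent, body):
    """Return tags explaining why a request matches the PUT anomaly pattern."""
    tags = []
    if method != "PUT":
        return tags
    for prefix, tag in KNOWN_PATHS.items():
        if path.startswith(prefix):
            tags.append(tag)
    if path.startswith("/api/v2") and user_agent.startswith("Node.js"):
        tags.append("fortios-nodejs-user-agent")
    if RANDOM_UPLOAD_RE.match(path):
        tags.append("random-name-upload-probe")
        if path.endswith(".jsp") and JSP_COMMENT_RE.search(body):
            tags.append("jsp-comment-marker")
    return tags

def scan(lines):
    """Parse tab-separated records and return ({path: tags}, Counter(path))."""
    hits, counts = {}, Counter()
    for line in lines:
        method, path, ua, body = (line.split("\t", 3) + [""] * 4)[:4]
        tags = classify(method, path, ua, body)
        if tags:
            hits[path] = tags
            counts[path] += 1
    return hits, counts

SAMPLE_LOG = [  # constructed records, not real sensor data
    "PUT\t/qwkxzrvp.jsp\tMozilla/5.0\tvbnmlkjh <%-- pqrstuvw --%>",
    "PUT\t/hgtfrdes.txt\tcurl/7.81\tzxcvbnmq",
    "PUT\t/api/v2/cmdb/system/admin/admin\tNode.js\t{}",
    "PUT\t/FxCodeShell.jsp?view=1\tMozilla/5.0\t",
    "GET\t/index.html\tMozilla/5.0\t",
]
```

The letters-only heuristic will also flag short legitimate names such as "readme.txt", so tune the length threshold or pair the hit with the JSP comment marker before alerting.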