atechdad make it so

Finding Hacked Pages With Passive Scanning via Project Sonar

Recently, Shodan's blog featured instructions on finding hacked pages by searching for the phrase "Hacked By". Here's how to do this yourself using the scans provided by Project Sonar. The same approach works for all kinds of passive scans over the Sonar data.

sudo apt-get update
sudo apt-get install libgeoip-dev ruby1.9.1-dev git build-essential
git clone https://github.com/rapid7/dap.git
cd dap
sudo gem install bundler
bundle install

This step installs the GeoIP database (the libgeoip library itself was installed above), in case you want to do other things with dap, such as geolocating results.

sudo mkdir -p /var/lib/geoip
cd /var/lib/geoip
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
sudo gunzip GeoLiteCity.dat.gz
sudo mv GeoLiteCity.dat geoip.dat

This command streams the scan file (which is pretty big) through zcat and dap and does the searching inline, so nothing needs to be stored on disk:

curl -s https://scans.io/data/rapid7/sonar.http/20150217-http.gz | zcat | bin/dap json + select data + transform data=base64decode + include data='Hacked By' + decode_http_reply data + lines | grep "Hacked By"

Then you could use some command-line parsing to clean it up even more!
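As an added, self-contained illustration (not the author's pipeline and not dap code), here is the same filter in Python over constructed records in the shape dap's `select ip data` step yields: an `ip` field plus a base64-encoded raw HTTP reply in `data`. It goes a little beyond the one-liner by matching case-insensitively, keeping the HTTP status code and page title, and skipping malformed records instead of aborting the stream.

```python
import base64
import binascii
import json
import re

# Constructed sample records (not real Sonar data): one JSON object per line
# with an "ip" field and the raw HTTP reply base64-encoded in "data".
def _record(ip, raw):
    return json.dumps({"ip": ip, "data": base64.b64encode(raw).decode()})

SAMPLE_LINES = [
    _record("192.0.2.10", b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
            b"<html><title>Hacked By Example Crew</title></html>"),
    _record("192.0.2.11", b"HTTP/1.1 200 OK\r\n\r\n<html><title>Welcome</title></html>"),
    _record("192.0.2.12", b"HTTP/1.1 404 Not Found\r\n\r\nhacked by nobody"),
    '{"ip": "192.0.2.13", "data": "%%%not-base64%%%"}',  # corrupt record, must be skipped
    '{"ip": "192.0.2.14"}',                              # no data field at all
]

TITLE_RE = re.compile(rb"<title>(.*?)</title>", re.I | re.S)

def decode_http_reply(raw):
    """Split a raw HTTP reply into (status_code, body); None if it is not HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return None
    return int(m.group(1)), body

def find_defaced(lines, needle=b"hacked by"):
    """Return [(ip, status, title)] for records whose decoded reply contains needle."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            raw = base64.b64decode(rec["data"], validate=True)
        except (ValueError, KeyError, TypeError, binascii.Error):
            continue  # malformed record: skip it rather than abort the whole stream
        reply = decode_http_reply(raw)
        if reply is None or needle not in raw.lower():
            continue
        status, body = reply
        t = TITLE_RE.search(body)
        title = t.group(1).decode("latin-1").strip() if t else ""
        hits.append((rec.get("ip", "?"), status, title))
    return hits

if __name__ == "__main__":
    for ip, status, title in find_defaced(SAMPLE_LINES):
        print(f"{ip}\t{status}\t{title}")
```

Feeding it `zcat <scan>.gz | python3 find_defaced.py` style input would replace `SAMPLE_LINES` with `sys.stdin`; the 404 hit shows why keeping the status code matters when triaging results.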

Happy research!

(ignore this below. This is just me playing and saving my notes…)

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz | zcat | bin/dap json + select ip data + transform data=base64decode + include data='Hacked By' + decode_http_reply data + lines | stdbuf -o0 grep -iPo '(?<=HTTP/1.1 200\s|Hacked By\s)[^\s]*' | stdbuf -o0 grep OK -A1 | stdbuf -o0 grep -Ev "OK|--" >> test.txt