GXHLGSL.txt file uploader botnet –Discovered by BitNinja FtpCaptcha
Eniko Toth

GXHLGSL.txt file uploader botnet –Discovered by BitNinja FtpCaptcha

At the beginning of the year we released our brand-new FtpCaptcha module, and of course, we were so excited about receiving the first incidents. However, we didn’t think that the very first logs will be such eye-catching. We detected a not so well-known botnet, and we didn’t find an article about it (only a few forum topics), so we summarized everything that you need to know about it.

Test the ability to upload a file

This botnet is trying to upload a file named GXHLGSL.txt, which contains only this: TEST. If it was a vulnerability scanner, there would provide some description about it on the internet, but no result… So, it’s obvious that it isn’t made by a human either as the FTP CAPTCHA would be challenged successfully.

Let’s look closely to file uploading attempt from this botnet:

This request was captured by our brand-new FTP CAPTCHA. Do you want to learn more about how this feature works? Read more about the FTP CAPTCHA in our blog post or our documentation site.

Scanning on HTTP too

We dug deeper in the data, and we found that after trying to upload the file GXHLGSL.txt, this botnet scans on HTTP too to check whether the file upload was successful or not. Here is an example from  one of our clients’ server:

Interesting fact: Not only was the GXHLGSL.txt the only one that was attempted to be uploaded and then scanned on HTTP. A similar file is the ftpchk3.txt, but this botnet isn’t so intense.

GXHLGSL.txt file uploader botnet statistics

Since the FTP CAPTCHA release, we stopped almost 700,000 attacks from this botnet; 57% were file uploading attempt (caught by BitNinja FtpCaptcha), and 43% were scanning the file on HTTP (caught by BitNinja Web Honeypots).

In this graph you can see the distribution of these attacks:

You can see that the number of captured attacks was significantly started to increase on 15th February. That was the point when the FTP CAPTCHA was enabled by default on all servers. It looks like if there wouldn't be any catch in January, but that's not true. In the first month of the year, we stopped more than 4,000 attacks from this botnet, when only a few servers were testing this brand-new module. Here you can find a chart about that period:

China is responsible for 99,4% of these attempts, but there are Sri Lanka and Brazil in the Top 3 too.

Already in the Top List

As we could see from the chart above, enabling the FTP CAPTCHA on every BitNinja protected server was highly increased the number of stopped attacks by the GXHLGSL botnet. And guess what! It was already listed in the Top 15 attack types between the XML-RPC scan, WP User Enumeration Attack, WP Brute Force and other common attack types since then. The GXHLGSL botnet is taking the 10th and 11th place of the Top List with the FTP and the HTTP scans. Let's take a look at how the Top 15 List looks like now:

1. BNVL-2018-0014: WordPress XML-RPC Scan
2. BNVL-2018-0009: Wordpress Brute-force Login Attempt
3. BNVL-2018-0012: WordPress username enumeration
4. BNVL-2018-0007: Automated WordPress Registration
5. BNVL-2018-0003: Testing for open form
6. BNVL-2018-0008: Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)
7. BNVL-2018-0051: Backdoor testing
8. BNVL-2019-0003: SSH bruteforce
9. BNVL-2018-0024: BitNinja CAPTCHA request
10. BNVL-2019-0010: GXHLGSL botnet FTP scan
11. BNVL-2019-0009: GXHLGSL botnet HTTP scan
12. BNVL-2018-0049: Backdoor testing
13. BNVL-2019-0008: SQL injection attempt
14. BNVL-2018-0016: Testing for User Enumeration and Guessable User Account (OWASP-AT-002)
15. BNVL-2019-0004: SSH brute-force attempt

With BitNinja Pro you don’t have to worry!

The FTP CAPTCHA debuted well by capturing this very intensive botnet, so this module is enabled by default on your servers from the version 1.27.2. We talked a lot about this module in this article but don’t forget there are 9 BitNinja Pro modules which protect your servers in every phase of the attack cycle.

Haven’t tested BitNinja yet? Book a demo, and we’ll show you that stopping the cyber attacks on your servers is child’s play with BitNinja. It’s time to start kicking the hackers’ ass right now!

Share your ideas with us about this article

Previous posts

Botnet renewal – Here is the February botnet
Do you remember the new version of the Hello Peppa botnet? At the end of 2018, it was welcomed into 2019 slightly early, and the January botnet started to spread. Well, it wouldn’t be funny, if the botnet would still send the „J4nur4ry” in the Post Data when we are already over January… So, here is the February botnet! Despite the January botnet, this one was accurate and started on 1st February. The pike was on the next day, as you can see it from the chart below.   After that, it looked like it moved back, but on 17th Feb there was another pike. Let’s look closely to o...
News from Threat Lab: 4+1 New SenseLog rules have been created
The new year inspired us and brought new vibes to our office. Our tech ninjas are developing several new badass features. Besides the new features, we are also improving our existing modules as well. Last week, the SenseLog module became enriched with 4 new rules and another rule has been updated. Here is a list of them: 1. Apache Magento Downloader (Rule ID: 80_1_021) 2. Apache WP Login Deprecated Firefox User Agents (Rule ID: 80_1_022) 3. Plesk Login Fail (Rule ID: 8443_1_001) 4. LFD Blocked (Rule ID: lfd_1_001) +1  Updated rule: Apache WP XML-RPC Suspicious User Agent (Rule...