Web Searches For Archives – SANS Internet Storm Center

Johannes wrote a diary entry “Increasing Searches for ZIP Files” where he analyzed the increase of requests for ZIP files (like backup.zip, web.zip, …) for our web honeypots.

I took a look at my logs, and noticed that too. But it’s not only ZIP files, but other archives too:

I even had requests for .tar.zip files.

And when it comes to backup files, the following non-archive types are also popular requests:

Filename
backup.sql
backup.json
backup.bak
backup.sh

Looking at the User Agent Strings for these requests, none indicated that these scans were performed by researchers.

And comparing the source IPs of these requests with our researchers list: not a single match.

So it’s safe to say that these scans are done with malicious intent, and that you should take Johannes’ advice and not have these types of files on your web servers, and even better, have some policy to avoid this.

Update: I also had a request for a file with the IPv4 address of my server (like 12.34.56.78.zip).
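To check your own web server for the same probes, the added example below (not code from the diary) scans Combined Log Format lines for the request types described above and separates probes that were actually served (2xx) from those that failed. The archive extensions other than .zip, the Combined Log Format assumption, and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# .zip and the backup.* names come from the diary; the other archive
# extensions are an assumption, since the diary's own list is not shown.
ARCHIVE_EXTS = {"zip", "tar", "gz", "tgz", "bz2", "7z", "rar"}
BACKUP_EXTS = {"sql", "json", "bak", "sh"}
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
IPV4_STEM = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def classify(path):
    """Label a request path if it looks like a probe for a backup file."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    if not stem:
        return None
    if ext in ARCHIVE_EXTS:  # also covers double extensions like .tar.zip
        return "ip-named archive" if IPV4_STEM.match(stem) else "archive"
    if ext in BACKUP_EXTS and stem == "backup":
        return "backup file"
    return None

def scan(lines):
    """Return one dict per log line that requested a backup-like file."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        label = classify(m.group(3)) if m else None
        if label:
            hits.append({"ip": m.group(1), "path": m.group(3),
                         "status": int(m.group(4)), "label": label})
    return hits

def exposed(hits):
    """Probes answered with 2xx: the file exists and was served."""
    return [h for h in hits if 200 <= h["status"] < 300]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /site.tar.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /12.34.56.78.zip HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:01 +0000] "GET /backup.sql HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2025:10:03:00 +0000] "GET /manifest.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(Counter(h["ip"] for h in hits).most_common())
    for h in exposed(hits):
        print("SERVED:", h["ip"], h["path"], h["status"])
```

Any line reported as SERVED means a backup-like file was reachable from the web and should be removed from the document root.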

Didier Stevens

Senior handler

blog.DidierStevens.com
