What is Apache Synapse?
My website keeps getting hit by odd requests with the following user-agent string:
Mozilla/4.0 (compatible; Synapse)
Using our friendly tool Google I was able to determine this is the hallmark calling-card of our friendly neighborhood Apache Synapse. A 'Lightweight ESB (Enterprise Service Bus)'.
Now, based on the information I was able to gather, I still have no clue what this tool is used for. All I can tell is that it has something to do with web services, and supports a variety of protocols. The Info page only leads me to conclude it has something to do with proxies and web services.
The problem I've run into is that while normally I wouldn't care, we're getting hit quite a bit by Russian IPs (not that Russians are bad, but our site is pretty regionally specific), and when they do they're shoving weird (not XSS/malicious, at least not yet) values into our query string parameters.
Things like &PageNum=-1
or &Brand=25/5/2010 9:04:52 PM.
Before I go ahead and block these ips/useragent from our site, I'd like some help understanding just what is going on.
Any help would be greatly appreciated :)
Solution 1:
Are all the IPs from a specific range? Is that range assigned to a specific company? If it is, just lookup who the range is assigned to and contact the Technical Contact listed.
The most likely thing I can think of is that they are scraping content from your webpage or programming something which will scrape content (which explains the weird boundary conditions as arguments).
It could be something a little less innocent; I don't know what data you are trying to protect (it could be worth something). They could be trying to expose an error page which can dump sensitive debug info. If that is the case then I would suggest setting up a web application firewall. They are made to prevent these kinds of sensitive error messages and other abuses from happening.
You could just try banning the IP ranges and see who complains... although that's your last resort.
Solution 2:
I am pretty sure that this is not Apache Synapse; it's some tool built with Ararat Synapse, which is a Delphi TCP/IP library. I downloaded the source code from both projects, and as far as I can see, Apache Synapse has a configurable user-agent, and the default is:
On the other hand, Ararat Synapse has this default user agent:
It's just like the one you have in your logs, and I have exactly the same user agent probing with various SQL injection attacks. Probably the attackers are using some tools built in Delphi with the Ararat Synapse library.
Since the bad guys didn't change the default user-agent, I think it's safe to block this one:
Mozilla/4.0 (compatible; Synapse)
not partially, because you could block some legitimate tools running on Apache Synapse, and I believe that any legitimate bot or project would define a user-agent and not hide behind the default.
There is no point blocking IPs because it seems that the attack is coming from various IP addresses around the world, probably some botnets.
Solution 3:
Same person trying to inject -1 into the viewstate:
finder-query: -1'
It's probably an automated SQL injection tester tool.
Solution 4:
I have recently seen this User-Agent coming from one IP:
217.35.nn.nn - - [21/Feb/2012:07:01:22 +0000] "GET /view/pubcal.php?event=17' HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"
217.35.nn.nn - - [21/Feb/2012:08:06:31 +0000] "GET /view/pubcal.php?event=16' HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"
It was fairly shortly followed by a definitely malicious user agent (Havij):
217.35.nn.nn - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=1 HTTP/1.1" 200 6627 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
217.35.nn.nn - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=999999.9 HTTP/1.1" 200 2235 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
This was followed by several attempts at SQL injection.
Synapse isn't malicious in and of itself, but it does appear to be used to probe data-driven websites. If your website does not offer an API to anyone, I'd block this User-Agent. Maybe use the apache-badbots filter in fail2ban to block traffic from IP addresses which try to use this agent string. And stick 'Havij' in there too, while you're at it.
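An added example, not from any of the answers above, that puts Solutions 2, 3 and 4 into one log-triage script: it parses Apache combined-format access log lines, matches the Ararat Synapse default User-Agent exactly (so a tool that merely mentions "Synapse" elsewhere in its UA is not caught, which is the point made in Solution 2), matches "Havij" as a substring, flags query-string values that look like the probes quoted in the thread (a stray quote, -1, 999999.9), and groups the findings by client IP the way a fail2ban jail would before banning. The log format regex, the thresholds and the sample log lines (TEST-NET addresses, paths modelled on the entries quoted in Solution 4 and the parameters from the question) are constructed for this example and are assumptions, not data from the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format (assumed):
# ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Exact-match block list: the Ararat Synapse default UA quoted in the thread.
# Whole-string comparison avoids catching legitimate tools whose UA merely contains "Synapse".
EXACT_UA_BLOCK = {"Mozilla/4.0 (compatible; Synapse)"}

# Substring block list: tool names that never belong in a legitimate browser UA.
SUBSTRING_UA_BLOCK = ("Havij",)

# Query-string values typical of automated injection probing, as seen in the thread:
# a stray quote, a negative integer, or an absurdly large number such as 999999.9.
SUSPICIOUS_VALUE_RE = re.compile(r"""(['"]|^-\d+$|^\d{6,}(\.\d+)?$)""")

# Constructed sample log (not real traffic); spaces in values are percent-encoded as a server would log them.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2012:07:01:22 +0000] "GET /view/pubcal.php?event=17' HTTP/1.0" 200 405 "-" "Mozilla/4.0 (compatible; Synapse)"
192.0.2.10 - - [21/Feb/2012:10:44:26 +0000] "GET /view/pubcal.php?event=999999.9 HTTP/1.1" 200 2235 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
192.0.2.20 - - [21/Feb/2012:11:02:03 +0000] "GET /catalog.aspx?PageNum=-1&Brand=25/5/2010%209:04:52%20PM HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; Synapse)"
198.51.100.5 - - [21/Feb/2012:11:05:00 +0000] "GET /view/pubcal.php?event=1 HTTP/1.1" 200 6627 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.6 - - [21/Feb/2012:11:06:00 +0000] "GET /api/status HTTP/1.1" 200 80 "-" "MyMonitor/1.0 (Apache Synapse)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ua_verdict(ua):
    """Classify a User-Agent string: exact block-list hit, substring hit, or None."""
    if ua in EXACT_UA_BLOCK:
        return "exact-ua"
    if any(s in ua for s in SUBSTRING_UA_BLOCK):
        return "substring-ua"
    return None


def suspicious_params(target):
    """Return the (name, value) query parameters whose value looks like an injection probe."""
    qs = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(qs, keep_blank_values=True) if SUSPICIOUS_VALUE_RE.search(v)]


def triage(lines):
    """Group findings by client IP: {ip: ["exact-ua", "param:event=17'", ...]}."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = ua_verdict(rec["ua"])
        if reason:
            findings[rec["ip"]].append(reason)
        for k, v in suspicious_params(rec["target"]):
            findings[rec["ip"]].append(f"param:{k}={v}")
    return dict(findings)


def block_candidates(findings, min_hits=2):
    """IPs with at least min_hits findings, mirroring fail2ban's maxretry threshold (assumed value)."""
    return sorted(ip for ip, reasons in findings.items() if len(reasons) >= min_hits)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, reasons in result.items():
        print(ip, reasons)
    print("block:", block_candidates(result))
```

On the sample log, 192.0.2.10 and 192.0.2.20 are reported (bad UA plus probe-like parameters), the ordinary Firefox visitor is not, and the monitor whose UA contains "Apache Synapse" but is not the exact default string is left alone. The `Brand=25/5/2010 9:04:52 PM` value from the question is deliberately not flagged by the value regex, since a date in a text parameter is odd but not by itself an injection pattern; that IP is caught by its UA and its `PageNum=-1` instead.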