Gotham City under Denial of Service


Since late August 2021, the website of Gotham City (gothamcity.fr and gothamcity.ch), an online journal specializing in economic crime, has been receiving intermittent denial of service attacks. Gotham City deals with cases of corruption, fraud and civil litigation involving players in the Swiss economy.

Qurium has been investigating the attack signatures and these are our findings.

A booter service

The attacker is using a “booter service” to launch the attacks. During the floods, the attacker uses the service check-host.net to verify that the denial of service is succeeding: when the webserver of the site is overloaded, Check-host reports HTTP error code 500 for it.


The attacker targeted the French and Swiss domains of Gotham City as well as the personal website of François Pilet, co-founder of Gotham City. All three sites were flooded with requests to both port 80 and port 443.

Common requests in the attack included random search queries such as https://gothamcity.fr/?s=SI0B2q9Bjv4T and POST floods to xmlrpc.php. Both types of flood aim to bypass any caching layer, since neither a random search nor a POST can be served from cache, and so overload the backend server.

The attacks continue

During the 7th of September, the number of bots flooding the website reached close to 1000 machines; the majority of them are open proxies.

As of today (8th of September), the attacks are still active and target other parts of the website that are not cacheable. The bots flooding the site consist mainly of open proxies.

During the 10th and 11th of September the attacks against the website intensified: the attacker targeted the admin area, the subscriber portal and the home page, the latter with random POST floods of the type POST /zZPStqMjqcne. Within 24h the attacker flooded the website with more than 100 million bogus requests.
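As an added example (not Qurium's tooling), the following Python classifies access-log lines by the cache-bypassing flood patterns described above: random ?s= search queries, POST floods to xmlrpc.php and POSTs to random root paths such as /zZPStqMjqcne. It also flags a check-host.net Referer, on the assumption that the attacker's availability probes are logged that way; the log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Combined Log Format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ALNUM_TOKEN = re.compile(r'^[A-Za-z0-9]{10,20}$')

def looks_random(token):
    """Heuristic: 10-20 alphanumerics mixing upper and lower case, like SI0B2q9Bjv4T."""
    return bool(ALNUM_TOKEN.match(token)) and token != token.lower() and token != token.upper()

def classify(line):
    """Label one access-log line with the flood pattern it matches, or None for normal traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group('method'), m.group('path')
    base, _, query = path.partition('?')
    if 'check-host.net' in m.group('referer'):  # assumption: probes carry the report URL as Referer
        return 'check_host_probe'
    if method == 'POST' and base == '/xmlrpc.php':
        return 'xmlrpc_post_flood'
    if base == '/' and query.startswith('s=') and looks_random(query[2:]):
        return 'random_search_query'
    if method == 'POST' and looks_random(base.lstrip('/')):
        return 'random_post_path'
    return None

def summarize(lines):
    """Count matches per pattern and the number of distinct client IPs behind them."""
    per_pattern, ips = Counter(), set()
    for line in lines:
        label = classify(line)
        if label:
            per_pattern[label] += 1
            ips.add(LOG_RE.match(line).group('ip'))
    return dict(per_pattern), len(ips)

# Constructed sample lines using documentation-range IPs, not taken from the real attack logs.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Sep/2021:10:01:02 +0000] "GET /?s=SI0B2q9Bjv4T HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [07/Sep/2021:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 404 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Sep/2021:10:01:04 +0000] "POST /zZPStqMjqcne HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [07/Sep/2021:10:01:05 +0000] "GET /?s=corruption HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [03/Sep/2021:01:05:06 +0000] "GET / HTTP/1.1" 500 0 "https://check-host.net/check-report/EXAMPLE" "Mozilla/5.0"',
]
```

Running `summarize(SAMPLE_LOG)` over a real log in this format gives a per-pattern count and the size of the flooding pool, which is how the "close to 1000 machines" figure would be measured; a legitimate lowercase search such as ?s=corruption is not flagged.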

Qurium’s investigation is still ongoing and this report will be updated with new findings.