Jan 26th 2008
Hi, today 2 of my servers were attacked too. 10-30 queries per second. Identical browser. I think we can get the auto ARIN whois and send an email back to the whois address about the DDoS.
Jan 29th 2008
I have the same problem. I put all your addresses in .htaccess
Jan 31st 2008
I am experiencing suspicious activity from the following IPs that are included in your list:-
66.38.130.200 - 18th jan
68.178.167.222 - 29th jan
221.252.192.51 - 29th jan
64.79.216.165 - 29th jan
211.43.212.23 - 18th jan
193.109.24.1 - 22nd jan
74.52.86.42 - 29th jan
They seem to be messing around with parameters on the request URLs; it looks almost specific to the web application in question.
I googled the IPs I had found; all of them were in your list. I have since run your entire list against the web logs for this server, and I got one extra match:
80.65.51.164
Strangely the request was different to the others... different user agent and HTTP 1.0. I’d be interested in talking to other people facing these IPs.
Jan 31st 2008
I also am getting some of those hitting my site. I have the exact same thing as James has where the parameters are being messed with on the request producing the error reports.
Nothing to worry about on my side, but they are annoying.
Jan 31st 2008
Reassuring to know it’s not just my client being targeted. But I am still concerned as to why these requests are being made, especially with the DDoS style activity described in this post.
If you are getting these as well feel free to add me on msn uuuppz at hotmail dot com.
Feb 1st 2008
My phpBB system was attacked twice from the IP 212.102.225.8 on the 26th of January.
The useragent was Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322).
viewtopic.php?t=507&view=http%3A%2F%2Fwww.ce-enterprise.com%2Fmambo%2Fadministrator%2Fcomponents%2Fcom_phpshop%2Fclasses%2Fapel%2Fxoc%2F&sid=967cc55fc78ed4bee7706daf6f00335f
As far as I can understand, someone tried to use my phpBB as a proxy to attack a Mambo CMS at http://www.ce-enterprise.com.
Not very smart since there is no Mambo installed at that server.
He was caught by my modified version of the cback crackertracker and his IP was blocked after the second attempt.
After googling the IP I found this page ;).
Sebastian
Feb 1st 2008
I found this via Google as well after searching for some unknown IPs that are showing up in my logs. I’ve only been getting two or three hits a day, but this is on a server where even that is unusual.
Thus far all the hits have been standard GET / requests with a user agent of Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
I think that exact user agent string may be unique to this botnet. Searching Google for the exact string only brings up a lot of very recent server logs. There are plenty of similar user agent strings, but the order of this one seems to be unique. I could be wrong though.
PS: I also got a hit from 78.47.143.35 which appears to be part of the botnet. Same request, same user agent.
Feb 1st 2008
Feb 2nd 2008
I have the same IPs on my webserver. I’m thinking there is a system, program or server where someone can say that he wants to spider a server. Now the system is running to kill the target webserver. If I have this correct, the people are close by.
Feb 5th 2008
I have 207.190.241.114, with user agent MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322 again.
This is on a website with custom built code, not a forum.
The bot seems to go through the site page by page until it finds a page containing a form with GET parameters.
It then plants specific webpages into one of these parameters in a vain attempt at some kind of reflection attack on those addresses. It does this 3 times, then starts crawling again until it finds another form.
Presumably this would make more sense to the bot if my website was running some kind of compromisable forum software. It gave up after about 50 attempts.
Feb 5th 2008
Since the end of January I have the same problem and it is getting worse by the day. It is not extreme, yesterday 10 IPs, but it is annoying since it messes with my statistics, which I follow to see “real” traffic on my website.
But I have not much computer knowledge. Can anyone explain in “normal” language what is going on and if it can do any harm? Because I do not really understand everything that is said here.
Ingrid
Feb 5th 2008
I noticed recently that in my WordPress stats I was getting a lot of page-hits from IPs that were slightly suspicious, and after Googling them, I’m brought here.
Glad to hear that I’m not the only one being affected. Right now they are trying to utilise my Gallery2 installation to do whatever it is they’re up to.
I’ve only seen 2 IPs attempt this. 209.200.229.55 is the more recent one which is on your list, but you might want to add 201.8.43.204. It’s an IP that originates from Brazil.
Feb 5th 2008
I have a website firewall that has been updated for this attack.
I use a PHP script to add the IP address to a ban list in the .htaccess file.
Feb 6th 2008
I traced this to a site in Japan:
http://www.cj-c.com
There are over 2000 sites linked to it.
It may be a game of some sort.
Blatant references to REVERSE-ACCESS
The site above provides software to set up your site.
Some of the following URLs show regional variations on the same tools with a list of the DOMAIN NAMES that they are inserting into any link that they find on our sites with GET parameters.
http://swlf.jp/access/swlf/a_link.cgi?count
http://kozukai.rankings.jp/rev/access2.cgi?count+0+all
http://mikimasa.com/cgi-bin/ftlink/ftlink.cgi?count
Some of the domains that I found in their list had directories that I suspect are getting established by these guys. If you click on links from the above 3 examples, quite a few of them have similar garbage-sounding names, and the following PHP code appears on your browser screen:
To see for yourself. (Don’t really know if this is dangerous, but I have tried it and my IP is not showing up on their victims list yet.) These are some examples. (These were domain names that I found inserted in URLs harvested from my site and resubmitted.) They all appeared on several of the above “game” boards.
http://www.marsbook.co.kr/main/created/product/2/upu/ohoqoh/
http://www.thoseguysfilms.com/forums/templates/subSilver/images/uza/laqipu/
http://www.elettrodataservice.it/foto_articoli/onoda/iyegimi/
Not knowing what to do, I am currently adding a checksum to any link that uses GETs and if it fails (for lack of a better plan) I’m redirecting them to the INTERNET CRIMES REPORT site associated with the FBI. Their robots are getting 302 errors, which I don’t really understand enough in this context.
It doesn’t stop the attack though but perhaps gets them out of there so they don’t find any weaknesses to exploit.
Last word. Possible ownership of cj-c.com might be determined at
http://whois.domaintools.com/cj-c.com
but I’m tired of this.
More last words. The sites linked to cj-c.com can be accessed via:
http://www.alexa.com/data/ds/linksin/cj-c.com?q=link:cj-c.com/
Feb 6th 2008
Is there a solution to preventing this? What is the main harm in getting all these requests to my site?
I am getting a lot of hits from this “botnet”, as you called it, all with modified query strings. I can’t seem to find too much on the web about it though.
I am checking my input variables to make sure they are in the right format (good practice one way or another) and if they are not in the right format (expecting an int but getting a URL) then I redirect them to my homepage. Is there anything wrong with this?
Feb 17th 2008
Is this still happening to others?
Since I started trapping for changes to my GET parameters and redirecting them to the doorstep of the FBI it has stopped. I don’t want to assume that this was actually the fix. But if other people are still getting hits from the clowns while I’m not then maybe…
As to what they are up to, I’m told that they are probably looking for unprotected ports to exploit. A firewall should work for this I suppose.
I didn’t trap for the specific IPs because many of them are the addresses of major hosting services. This made me think that I would be excluding many completely benign guests.
Also, a lot seem to be what I’ve heard called “ghost” IPs. They don’t actually exist or so it seems. I’m wondering how and WHY! such a thing would be possible?
Feb 28th 2008
I have a moron with this user agent info trying from several IPs; both IPs are block banned, and I have several morons coming from a supposed link from stockleaf.com, owned by rackspace.com. These people refuse to tell me what is going on. I have heard that stockleaf.com has a trojan on the site:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Feb 28th 2008
Hey site owner, why should I “get essential software with Google Pack”? Half the reason why people ARE getting these morons going to their sites is because of the Google lowlife. I BLOCK BAN search bots. In my opinion their owners must be brainless because they keep trying even though they are banned.
Feb 29th 2008
You could block because of the User-Agent…
# The pattern must be quoted because it contains spaces; dots and parentheses are regex
# metacharacters and are escaped, and the $ anchor makes only this exact string match.
SetEnvIfNoCase User-Agent "^Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; \.NET CLR 2\.0\.50727; \.NET CLR 1\.1\.4322\)$" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Or could this User-Agent be a good one?
Feb 29th 2008
I started to get the same thing. Fortunately I have added some code that checks how fast any one IP browses my site. If they browse too fast they are instantly blacklisted and sent off to Google. I am getting 2-3 of these IPs a day. What I found interesting was the hostname they used. Here is an example log from my blacklist.
The Following Visitor has been banned from DesirousParty.com
Date of Event: Feb 28, 2008 8:13 PM
IP Address: 69.73.188.225
Hostname: server.worldslastchance.com
reason: Hacker: IP Address has made more than xx views within xx seconds
Headers:
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
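Added example, not code from the thread: a Python sweep over Apache combined-format log lines that flags the three behaviours described in the comments, URL values planted into GET parameters (the Feb 5th comment), the signature user agent, and one address browsing faster than a threshold (the ban rule in this post). The log lines are constructed; the first reuses the viewtopic.php request quoted on Feb 1st, and 198.51.100.7 / 203.0.113.9 are documentation addresses, not real visitors.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The exact user-agent string several commenters associate with this bot.
BOT_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
          ".NET CLR 2.0.50727; .NET CLR 1.1.4322)")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def url_params(target):
    """Return (name, decoded value) pairs for query parameters whose value is an absolute URL.

    Values are URL-decoded first, so view=http%3A%2F%2F... is caught, while a search
    term such as q=httpd+config is not (no scheme, no host)."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            hits.append((name, value))
    return hits


def analyse(lines, window_seconds=60, max_per_window=30):
    """Flag three things seen in the thread: URL-in-parameter requests, the signature
    user agent, and addresses exceeding max_per_window requests in any window_seconds."""
    url_injections = []          # (ip, request target, [(param, url), ...])
    signature_ua_ips = set()
    times_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparseable line: skip it, do not abort the sweep
        hits = url_params(rec["target"])
        if hits:
            url_injections.append((rec["ip"], rec["target"], hits))
        if rec["ua"] == BOT_UA:
            signature_ua_ips.add(rec["ip"])
        times_by_ip[rec["ip"]].append(rec["time"])

    rate_offenders = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0                   # sliding window over this address's request times
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_per_window:
                rate_offenders.add(ip)
                break
    return {
        "url_injections": url_injections,
        "signature_ua_ips": sorted(signature_ua_ips),
        "rate_offenders": sorted(rate_offenders),
    }


# Constructed sample log. The first target is the phpBB request quoted in the Feb 1st comment;
# 198.51.100.7 and 203.0.113.9 are documentation addresses, not real visitors.
SAMPLE_LOG = [
    '212.102.225.8 - - [26/Jan/2008:14:02:11 +0000] "GET /viewtopic.php?t=507'
    '&view=http%3A%2F%2Fwww.ce-enterprise.com%2Fmambo%2Fadministrator%2Fcomponents'
    '%2Fcom_phpshop%2Fclasses%2Fapel%2Fxoc%2F&sid=967cc55fc78ed4bee7706daf6f00335f HTTP/1.1"'
    ' 200 5120 "-" "' + BOT_UA + '"',
    # an ordinary visitor searching for "httpd config": contains "http" but is not a URL
    '198.51.100.7 - - [26/Jan/2008:14:03:40 +0000] "GET /search.php?q=httpd+config HTTP/1.1"'
    ' 200 2048 "http://www.example.com/" "Mozilla/5.0 (X11; Linux i686; rv:1.8.1) Firefox/2.0"',
    # plain GET / with the signature user agent, as in the "two or three hits a day" report
    '78.47.143.35 - - [01/Feb/2008:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "' + BOT_UA + '"',
]
# 40 requests in 20 seconds from one address: the "browses too fast" case
SAMPLE_LOG += [
    '203.0.113.9 - - [28/Feb/2008:20:13:%02d +0000] "GET /page%d.html HTTP/1.0" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"' % (i // 2, i)
    for i in range(40)
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, target, hits in report["url_injections"]:
        print("URL in parameter from", ip, hits)
    print("signature UA:", report["signature_ua_ips"])
    print("rate offenders:", report["rate_offenders"])
```

Feed it real lines with `analyse(open("access.log").readlines())`; the user-agent match is exact, so the legitimate IE7 visitors the Apr 2nd commenter worries about are only listed when their string is identical, and the URL and rate checks work without it.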
Mar 1st 2008
You guys can add this ip too 207.45.185.194
This is getting pretty annoying…
Mar 1st 2008
I’ve had all these attacks the last month or so and they have been getting worse and worse. I found out it’s called Cross-site scripting.
Here is a link to a site that tells you all about it, and it even shows the hackers that are doing it and the points they get for crashing sites...? http://www.xssed.com/
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.
Mar 1st 2008
two more
200.132.74.7 magneto.fsg.br
210.188.240.4 sv17.futurismworks.jp
Mar 1st 2008
I have been having a series of guestbook spammer attempts but the entries don’t go in, fortunately. I have also renamed the guestbook folder so the morons get a rather nasty F off message.
Mar 1st 2008
I would like to know what the hell this live link is doing here http://www.enlargeyourpenis.de ?? What kind of loozer would put that sort of bullshit here??
Mar 4th 2008
Hi, I do not know how most of this works. Would contacting a security company to protect my website be a smart idea or a waste of money?
Thanks
Mar 4th 2008
My site is getting attacked daily by a series of these requests.
I have started logging them and banning the IPs as they come. Anyone found any info about this? Today I was attacked by a server that belongs to a webhosting company and I emailed them. Of course a support guy replied with not even the slightest clue as to what I was talking about.
Anyway, is this caused by a trojan?
Mar 4th 2008
This is happening on my websites also. All of them it seems.
Mar 4th 2008
Hello,
I’m an Italian webmaster.
Same IPs, same user agents.
20-20 GET queries per second...
it’s very boring… i’d like to kill by my hands, without weapons only hands, the stupid little gay boy/girl/emo/authistic/teenager/lamer that controls these infected computers…
pure hate….
Mar 4th 2008
This is still going on. I’m not getting a huge amount of hits, but I am getting hits from these IPs that definitely aren’t legitimate browsers, and I’ve also had hits that claim to be from stockleaf.
Mar 4th 2008
It’s getting pretty bad. So I took drastic measures and started blocking IPs in IIS. For those of you running IIS on your server, I found an awesome way to do this. Check out my blog for details:
Stop Hackers and Spam Bots in IIS
Thus far I have over 6000 IPs blocked.
Mar 4th 2008
Hi,
I’m an Austrian webmaster and I have the same problem on my site.
Same user agent, different IPs:
82.165.39.88 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
83.64.161.170 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
But the record has this IP:
217.6.190.186 (not on your list)
It was online nearly 700 times, with 3 different user agents, and this in 5 minutes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
greets
Mar 4th 2008
Mar 5th 2008
Same problem here (servers in Amsterdam, the Netherlands) many requests per sec, very annoying.
Mar 5th 2008
Australian webmaster here and getting hit as well. Bloody annoying.
Mar 5th 2008
Did anyone find a solution? I am getting those hits too, but from what I understood there is no effect; it is only annoying. So why do they do this?
Mar 18th 2008
Seems this is still going on!
Is it coming from a game or software infected with some malicious code?
Mar 20th 2008
I am glad to see I’m not the only one suffering. I started keeping track of the IPs after I started getting hit with 300+ per day; as with others, it was trying to do a redirect to another site. The IP keeps switching around on me and doesn’t seem to repeat, but it does seem to come from the list above.
Mar 22nd 2008
Based on what I learned as outlined in my message of Feb. 6th above, I first trapped these hits and sent them to the doorstep of the FBI, but now I’m just re-directing them to who I’m pretty sure is initially responsible for most of this, i.e. http://www.cj-c.com.
Doesn’t really stop anything but at least I’m turning it back on the mothership. Imagine if everybody who is enduring this drain on bandwidth sent it back to them as well.
Apr 2nd 2008
My site’s getting hit by these guys - found you by Google searching the IPs. I wanted to block by user agent, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322), but it seems like a legit name for IE7. I don’t want to block valid users. Blocking by IP via .htaccess - wouldn’t that place a heavy load on the site?? Any other ideas out there? This is messing up stats for sure!
Apr 2nd 2008
I’ve received the same XSS attack. Add the following PHP code to run at the top of all pages:
// Refuse any request parameter whose value looks like a URL ('http' or 'www.'); run before page code.
function check_vars( $var_val = '', $var_name = '', $req_type = '' ) {
    // Nested parameters (e.g. ?a[]=1) arrive as arrays: walk into them instead of passing an array to strpos().
    if ( is_array( $var_val ) ) {
        array_walk( $var_val, 'check_vars', $req_type );
        return;
    }
    $flag_xss_attack = strpos( $var_val, 'http' ) !== FALSE || strpos( $var_val, 'www.' ) !== FALSE;
    if ( $flag_xss_attack ) {
        echo 'Sorry';
        exit;
    }
}
array_walk( $_GET,  'check_vars', 'g' );
array_walk( $_POST, 'check_vars', 'p' );
Apr 12th 2008
Hey one of those listed IPs is MINE!!!
I am having problems with my Linux server since December. Problems increased in January and are still annoying me. I am suspecting my Linux is trojaned or so. I run several webs and sometimes my mailq is filled with about 8000 outgoing mails which have the owner as www-data (as if someone hacked my Apache to send spam via my server).
Mine is the one listed with IP 213.97.61.xxx at the top list.
This server is at my home, and I run 4 companies from this DSL line. eth0 is the WAN and eth1 the LAN. Yesterday and today I am monitoring the traffic with tshark over eth0 and while I am NOT browsing nor doing anything else, my server gets traffic from and to the internet at a speed of “several packets per second”, while it should be completely quiet if I don’t browse and nobody is looking at my webs.
I found this page looking for MY IP in google to see if someone listed me as a “bad” IP.
Please, if someone could check if my IP appears in recent logs, I would appreciate it, so I can better track what is going on in my machine.
I have thought about a reinstall, but I am running 4 companies here and this is a production computer. To reinstall means a major issue and I am not sure if I can do it in a “short time”. Well, reinstall yes (3 or 4 hours), but having all the services perfectly reconfigured again may take days or even weeks.
Please, help in stopping all this mess!!!!
Xavi.
May 4th 2008
89.149.244.123
87.106.76.232
Okay, I’m glad I found this as I’m having the same trouble and not a clue what it is or how to stop it. I’m not techie at all, so if anyone can give me advice in ‘english’ please as opposed to computer speak, it would be much appreciated.
Thanks.
Jun 6th 2008
At the top of each page, check the query string being passed in the URL, using the CGI.QUERY_STRING variable.
If it contains “http” then prevent the page from loading or redirect the page.
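Added example, not code from the thread, written in Python rather than PHP or ColdFusion: it checks each parameter against its declared type, as the Feb 6th comment suggests, instead of the substring test in the Apr 2nd snippet and the “contains http” rule in this post. The schema’s allowed values, the integer bound and the sample queries are assumptions; the bot query reuses the request quoted on Feb 1st.

```python
import re
from urllib.parse import parse_qsl

HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed schema for a phpBB-style viewtopic.php. The parameter names come from the
# request quoted in the thread; the allowed "view" values and the integer bound are assumptions.
VIEWTOPIC_SCHEMA = {
    "t":     ("int", None),
    "start": ("int", None),
    "view":  ("enum", ("print", "next", "previous", "newest")),
    "sid":   ("regex", HEX32),
}


def validate_query(query_string, schema):
    """Whitelist check: every parameter must be declared in the schema and match its type.

    Returns (clean, errors). clean holds typed values for the parameters that passed;
    the request should be refused (or redirected, as commenters do) whenever errors is non-empty."""
    clean, errors = {}, []
    for name, raw in parse_qsl(query_string, keep_blank_values=True):
        if name not in schema:
            errors.append(f"{name}: undeclared parameter")
            continue
        kind, spec = schema[name]
        if kind == "int":
            if raw.isdigit() and len(raw) <= 10:        # non-negative and bounded
                clean[name] = int(raw)
            else:
                errors.append(f"{name}: expected integer, got {raw[:40]!r}")
        elif kind == "enum":
            if raw in spec:
                clean[name] = raw
            else:
                errors.append(f"{name}: expected one of {spec}, got {raw[:40]!r}")
        elif kind == "regex":
            if spec.fullmatch(raw):
                clean[name] = raw
            else:
                errors.append(f"{name}: bad format, got {raw[:40]!r}")
    return clean, errors


def should_refuse(query_string, schema):
    """True when the request carries anything the page did not declare or cannot parse."""
    return bool(validate_query(query_string, schema)[1])


def contains_url_marker(value):
    """The substring rule from the Apr 2nd PHP snippet, re-implemented only for comparison."""
    return "http" in value or "www." in value


# Constructed inputs: the bot request quoted on Feb 1st, and an ordinary request.
BOT_QUERY = ("t=507&view=http%3A%2F%2Fwww.ce-enterprise.com%2Fmambo%2Fadministrator%2F"
             "components%2Fcom_phpshop%2Fclasses%2Fapel%2Fxoc%2F&sid=967cc55fc78ed4bee7706daf6f00335f")
GOOD_QUERY = "t=507&view=print&sid=967cc55fc78ed4bee7706daf6f00335f"
SEARCH_TERM = "httpd config"   # a legitimate value that the substring rule would reject

if __name__ == "__main__":
    print(validate_query(BOT_QUERY, VIEWTOPIC_SCHEMA))
    print(validate_query(GOOD_QUERY, VIEWTOPIC_SCHEMA))
    print("substring rule rejects", repr(SEARCH_TERM), "->", contains_url_marker(SEARCH_TERM))
```

The bot request fails only on `view`, which is the parameter it abuses, while `t` and `sid` come back typed and ready to use; a search page that expects free text would declare a `text` type with a length limit rather than scanning for "http".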
Jun 6th 2008
Xavi: Thank you for spamming us all. Now please cut your cable or learn at least the simple things in security.
To others: I also get A LOT of hits from some of those IPs on one of my ASP sites. I just do an IP check and send the bad IPs to hell.com
Jun 18th 2008
Add 212.130.44.130 to the blacklist.