Search Engine Spider and User Agent Identification Forum

Botnet Attempting Zen Cart Attack
Blank UAs Attacking
incrediBILL, msg:4170962, 6:56 pm on Jul 15, 2010 (gmt 0)

The bots are all using blank UAs from a wide array of IPs.

They keep asking for the following:
"GET /admin/login.php"
"GET /extras/ipn_test_return.php"

Over and over and over, hundreds of times per IP in some cases.

This is apparently an old Zen Cart vulnerability, about 6 months old best I can tell.

So why is a botnet hammering on my servers, which don't have Zen Cart, looking feverishly for this stuff at such a late date?

Anyone else?

 

Hobbs, msg:4171000, 7:41 pm on Jul 15, 2010 (gmt 0)

Yes
222.76.218.a

dstiles, msg:4171104, 10:15 pm on Jul 15, 2010 (gmt 0)

Can't say if I've received any hits with those credentials but I have the range 222.76.208.0-222.76.223.255 blocked as being a Chinese server farm "belonging" to Xiamen.

incrediBILL, msg:4171133, 11:23 pm on Jul 15, 2010 (gmt 0)

It's coming from more than China; I'm seeing a world-wide botnet attack.

enigma1, msg:4171756, 7:05 pm on Jul 16, 2010 (gmt 0)

Bill, do you have code in place recording the headers for each attempt, apart from the logs that list just a few items?

The general pattern of multiple attempts that I see in the logs (although the GET request is identical) also makes me wonder if they change the headers to resend cookies, etc.

It's a wild guess, but I am thinking the multiple attempts could be meant to force the server to initialize a cookie, send it back and receive it; in other words, to be sure the server doesn't redirect or kick them out because of the headers or cookies.

incrediBILL, msg:4171759, 7:09 pm on Jul 16, 2010 (gmt 0)

Sorry, on the site being attacked no headers are captured.

dstiles, msg:4171810, 8:48 pm on Jul 16, 2010 (gmt 0)

Probably just another distributed attack similar to casper. Most of the "attacks" I'm seeing at the moment are from compromised server farms, with very few exceptions (which are probably servers on company/personal DSL).

Megaclinium, msg:4175626, 12:31 am on Jul 24, 2010 (gmt 0)

I'm getting multiple PHP attacks from a cloaked bot on a compromised server host in Dana Point, CA, all 5 hits in two seconds. It keeps attacking despite eating 403's.

208.71.173.xx

"GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


If it comes from a non-banned address range, it will eat really large files. Inspired by this forum, I set up the attack directory and put huge nonsense files under those names.
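The two probe patterns described in this thread (the blank-UA botnet asking for the two Zen Cart paths in the first post, and the MSIE 6.0/Windows 98 bot walking through phpMyAdmin aliases in the log excerpt above) can both be picked out of an ordinary access log. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the Apache "combined" LogFormat, normalises the double-slash paths the bot requests, and uses illustrative thresholds (5 blank-UA probe hits per IP; 3 distinct phpMyAdmin paths from one IP inside 2 seconds) that a site would tune to its own traffic. The log lines are constructed test data using documentation address ranges, not real traffic.

```python
"""Constructed example (not from the thread): flag the two probe patterns
described in the thread in Apache combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Paths the blank-UA botnet asked for (first post); compared after normalisation.
ZEN_CART_PROBES = {"/admin/login.php", "/extras/ipn_test_return.php"}
# phpMyAdmin locations the MSIE-6.0/Windows-98 bot enumerated (Megaclinium's log).
PMA_PROBES = {"/phpmyadmin/main.php", "/pma/main.php", "/mysql/main.php",
              "/php-my-admin/main.php", "/myadmin/main.php"}

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def normalize_path(path):
    """Drop the query string, collapse repeated slashes (the bot asks for
    //phpMyAdmin/main.php) and lower-case, so alias spellings compare equal."""
    path = path.split("?", 1)[0]
    return re.sub(r"/+", "/", path).lower()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["norm"] = normalize_path(rec["path"])
    # Apache writes "-" when the header is absent and "" when it is present but empty.
    rec["blank_ua"] = rec["ua"] in ("", "-")
    return rec


def analyse(lines, zen_min_hits=5, pma_min_distinct=3, window_s=2.0):
    """Return {ip: reason} for sources matching either probe pattern."""
    zen_hits = defaultdict(int)    # ip -> blank-UA requests for the Zen Cart paths
    pma_hits = defaultdict(list)   # ip -> [(timestamp, normalised path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["blank_ua"] and rec["norm"] in ZEN_CART_PROBES:
            zen_hits[rec["ip"]] += 1
        if rec["norm"] in PMA_PROBES:
            pma_hits[rec["ip"]].append((rec["ts"], rec["norm"]))

    verdicts = {}
    for ip, n in zen_hits.items():
        if n >= zen_min_hits:
            verdicts[ip] = f"zen-cart probe: {n} blank-UA requests"
    for ip, hits in pma_hits.items():
        hits.sort()
        # Sliding window: several *distinct* admin paths within a couple of
        # seconds is enumeration, not a user mistyping one URL.
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(distinct) >= pma_min_distinct:
                verdicts[ip] = f"phpMyAdmin enumeration: {len(distinct)} paths in {window_s:g}s"
                break
    return verdicts


def _entry(ip, ts, path, status, ua):
    """Build one constructed combined-format line (test data, not real traffic)."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 307 "-" "{ua}"'


# Constructed sample: a blank-UA Zen Cart prober, the double-slash phpMyAdmin
# scanner and a legitimate visitor who must not be flagged. 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts.
MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
SAMPLE_LOG = [
    *[_entry("203.0.113.7", f"15/Jul/2010:18:5{i}:00", p, 404, "-")
      for i in range(3) for p in ("/admin/login.php", "/extras/ipn_test_return.php")],
    *[_entry("198.51.100.4", f"24/Jul/2010:00:20:1{i}", p, 403, MSIE6)
      for i, p in enumerate(("//phpMyAdmin/main.php", "//phpmyadmin/main.php",
                             "//pma/main.php", "//mysql/main.php"))],
    _entry("192.0.2.50", "24/Jul/2010:00:30:00", "/index.html", 200, "Mozilla/5.0 (X11; Linux x86_64)"),
    _entry("192.0.2.50", "24/Jul/2010:00:31:00", "/admin/login.php", 404, "Mozilla/5.0 (X11; Linux x86_64)"),
]

if __name__ == "__main__":
    for ip, why in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, "->", why)
```

Two details matter in practice: the path must be normalised before matching, because the scanner requests `//phpMyAdmin/main.php` with a doubled slash and mixed case, and the phpMyAdmin rule keys on distinct paths in a short window rather than on raw hit count, so a human who mistypes one admin URL a few times is not swept up.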

Megaclinium, msg:4175627, 12:32 am on Jul 24, 2010 (gmt 0)

Whoops, here's the whole range to deep-six:
208.71.168.0/21

blend27, msg:4175640, 1:51 am on Jul 24, 2010 (gmt 0)

ws.arin.net/whois/?queryinput=Network+Data+Center+Host%2C+Inc.

while you're at it.

Megaclinium, msg:4175641, 1:58 am on Jul 24, 2010 (gmt 0)

Neat - I was trying to figure out how to look up other ranges for banned hosts.

Like leftovers, they seem to come back later, often from a different range, same host.

tangor, msg:4175659, 3:02 am on Jul 24, 2010 (gmt 0)

My solution to these particular attacks is not for everyone: I don't run php on my server so I 403 any php in the URI. Works a charm!

tangor, msg:4175660, 3:08 am on Jul 24, 2010 (gmt 0)

(edit... realized revealing what I 403 might give the bot ghods a clue end edit) have been 403'd for the last year. Take a look at your logs and see if there is ANY human behind those. Think it will surprise you.

PM if you want my list of other things to 403...
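The thread ends up with three independent blocking rules: dstiles' and Megaclinium's address-range bans, tangor's "403 anything with php in the URI" on a site that serves no PHP, and the blank-UA plus Zen Cart path signature from the first post. The block below is an added example written for this page, not code from any poster, showing how the three combine into one admission check and how a start/end range like 222.76.208.0-222.76.223.255 converts to CIDR for a deny list. Assumptions: tangor's match is taken to be on the string `.php` (his post does not say whether it is `.php` or bare `php`), a blank User-Agent is either absent or empty, and the request tuples in the `__main__` section are constructed using documentation address ranges.

```python
"""Constructed example, not code posted in the thread: a request-admission
policy combining the three blocking rules discussed in the thread."""
import ipaddress
import re

# dstiles gave his Xiamen block as a start/end pair; summarize_address_range
# turns it into the equivalent CIDR prefix(es). Megaclinium's /21 is used as given.
BLOCKED_NETWORKS = [
    *ipaddress.summarize_address_range(ipaddress.ip_address("222.76.208.0"),
                                       ipaddress.ip_address("222.76.223.255")),
    ipaddress.ip_network("208.71.168.0/21"),
]

# The two Zen Cart paths the blank-UA botnet asked for in the first post.
ZEN_CART_PROBES = {"/admin/login.php", "/extras/ipn_test_return.php"}


def blocked_cidrs():
    """CIDR form of the ranges above, ready for a firewall or web-server deny list."""
    return [str(net) for net in BLOCKED_NETWORKS]


def normalize_path(path):
    """Strip the query string, collapse '//' and lower-case, so alias spellings match."""
    return re.sub(r"/+", "/", path.split("?", 1)[0]).lower()


def refuse_reason(ip, path, user_agent, site_serves_php=False):
    """Return why a request should get a 403, or None to let it through.

    Rules are ordered cheapest first:
      1. source inside a blocked range (no URI parsing needed);
      2. the site serves no PHP, so any '.php' in the URI is a probe
         (tangor's rule; matching '.php' rather than bare 'php' is an
         assumption made here, the post does not say which);
      3. blank User-Agent asking for the Zen Cart paths.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "blocked range"
    norm = normalize_path(path)
    if not site_serves_php and ".php" in norm:
        return "php URI on a site that runs no php"
    if user_agent.strip() in ("", "-") and norm in ZEN_CART_PROBES:
        return "blank UA probing Zen Cart paths"
    return None


if __name__ == "__main__":
    # Constructed requests (198.51.100.0/24 is a documentation range).
    for req in [("222.76.218.1", "/", "Mozilla/5.0"),
                ("198.51.100.9", "//phpMyAdmin/main.php", "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"),
                ("198.51.100.9", "/admin/login.php", "-"),
                ("198.51.100.9", "/about.html", "Mozilla/5.0")]:
        print(req[0], req[1], "->", refuse_reason(*req) or "allow")
```

Range bans are the cheapest rule but also the bluntest: as the thread notes, most of this traffic comes from compromised servers in hosting farms, and the same host tends to return from a different range, so a provider-wide block both catches innocent tenants and needs revisiting. The signature rules (blank UA on the two probe paths, `.php` on a PHP-less site) cost a little URI parsing but follow the behaviour rather than the address.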

© Webmaster World 1996-2014 all rights reserved