Search Engine Spider and User Agent Identification Forum

    
Hack attempt from a MS range
keyplyr
msg:4652262, 12:10 pm on Mar 8, 2014 (gmt 0)


Very interesting:

168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /index/40 HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /common.php HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"

There were a couple dozen similar attempts from the same Amsterdam Microsoft IP address, same UA, all blocked on several counts. I'm thinking part of this MS range is an open proxy and the culprit is Russian.

 

incrediBILL
msg:4652374, 11:51 pm on Mar 8, 2014 (gmt 0)

Why do you consider this a "hack attempt"?

It looks pretty tame to me.

Angonasec
msg:4652375, 12:28 am on Mar 9, 2014 (gmt 0)

I agree with KeyP; plenty of signals in that snippet to indicate a hacker's fingerprints.

Let's be gracious and consider what scenarios may have precipitated this "accident"?

For example:
MS employee spoofing as a hacker to investigate typical server responses.

brotherhood of LAN
msg:4652376, 12:33 am on Mar 9, 2014 (gmt 0)

Another example is that the links were deliberately placed for a spider to follow. There have been numerous reports of this technique and I'm not sure how savvy Bing is at avoiding them. I kinda agree with Incredibill though: no GET var injection and not obviously malicious.

keyplyr
msg:4652377, 12:47 am on Mar 9, 2014 (gmt 0)

True, no injection attempts but definitely malicious IMO.

I use the term "hack" because out of the 60 or so hits like this (all for documents that don't exist on my server, all at the same time stamp) most were the common probes to see if I used PHP or WordPress. Lots of "admin", "login", etc.

keyplyr
msg:4652383, 2:06 am on Mar 9, 2014 (gmt 0)

Hmmm... last couple statements vanished. I'll post again.

Basically I said that I'm now convinced the hacker is Russian and was using a M$ proxy. Now seeing same UA, same hack probes and the same sequence coming from a Russian broadband range.

MickeyRoush
msg:4652408, 5:19 am on Mar 9, 2014 (gmt 0)

Looks like it's Microsoft Hosting:
[whatismyipaddress.com...]

keyplyr
msg:4652416, 6:19 am on Mar 9, 2014 (gmt 0)

@MickeyRoush - Ahhh thanks. Looking further it looks like M$ Hosting Hong Kong:

168.61.0.0 - 168.63.255.255
168.61.0.0/16
168.62.0.0/15

Since I see the same hits from other ranges, it may be a botnet.

dstiles
msg:4652527, 8:50 pm on Mar 9, 2014 (gmt 0)

I block the complete 168.61.0.0 - 168.63.255.255 range.

Some time ago I made a note about 168.63.0.0/16: "hundreds of hits in minutes" and blocked it in the firewall - something I rarely do.

Probably not a botnet as such, just an ill-mannered lout who has rented space on an MS server.

keyplyr
msg:4652552, 11:30 pm on Mar 9, 2014 (gmt 0)

Same UA requesting the same sequence of the same files (all blocked). Here's the botnet:

168.63.20.162
59.52.95.118
62.76.40.80
62.157.51.138
84.135.124.15
88.75.60.97
92.231.197.5
110.78.152.162
121.52.71.23
193.34.81.39
208.96.227.68
212.107.116.234
77.12.172.229

not2easy
msg:4652567, 1:13 am on Mar 10, 2014 (gmt 0)

In a recent access log check on one site I had two varieties of this rapid-fire vulnerability check: some from one single IP, and one like this with multiple hits in sequence from IPs all over the place.

Two of the first type each had different UAs; the second type, as shown here, had a different UA again, but all of its IPs shared the same UA.

The multi IP hits came in sequence with the same UA over the course of a minute:
37.45.176.81
46.53.193.35
46.118.107.17
91.197.6.143
109.200.137.148
119.147.146.189
119.147.207.158
147.30.76.182
159.224.57.168
178.121.179.169
178.124.206.26
185.24.218.20
212.66.57.155

UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"

165.132.100.76
(72 requests under a minute)
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

183.60.244.29
(68 requests in less than 10 seconds)
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

I consider these all "hacking attempts" because they are requesting (or POSTing to) means to upload or edit files. Examples (none of these plugins, editors or themes are on this site):
POST /wp-content/plugins/wpstorecart/php/upload.php
POST /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php
HEAD /editor/filemanager/connectors/uploadtest.html
POST /wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
HEAD /editors/fckeditor/editor/filemanager/upload/test.html
POST /wp-content/themes/clockstone/theme/functions/upload.php
/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php
and on and on.

My point in adding this is just that in my experience it is not an isolated IP or UA that is running this program and I've seen it increasing in frequency.

keyplyr
msg:4652580, 3:10 am on Mar 10, 2014 (gmt 0)

@not2easy I agree.

I suspect there are venues where you can buy a list of infected machines to use.


Also, I've noticed "google.com/humans.txt" appended to a huge number of hack attempts.

EXAMPLE: 67.222.18.49 - - [08/Mar/2014:14:34:40 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"

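The three patterns the posters above describe can be pulled out of an access log mechanically: not2easy's rapid-fire probes for upload and editor paths from a single IP, keyplyr's and not2easy's identical probe sequence arriving from many IPs under one user agent within a minute, and the humans.txt remote-file-inclusion probe in keyplyr's example. The following is an added example, not code from any poster; the log lines are constructed in the combined format quoted in this thread (documentation addresses, not the posters' IPs), and the probe-path list and thresholds are assumptions to tune against real traffic.

```python
"""Flag the probe patterns described in this thread in Apache-style access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Paths from the thread that a site not running that software never serves (assumed list).
PROBE_PATH_RE = re.compile(
    r"^/(wp-(admin|content|includes|login)|editors?/|engine/|common\.php|"
    r"admin|login|administrator|phpmyadmin)", re.I)
# A parameter whose value is itself a URL: the remote-file-inclusion signature.
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)


def parse_line(line):
    """Return one event dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"), "path": parts.path,
            "status": int(m.group("status")), "ua": m.group("ua"),
            "rfi": [(k, v) for k, v in params if REMOTE_URL_RE.match(v)]}


def _window_max(events, seconds, key):
    """Most distinct key() values seen in any window of `seconds` starting at an event."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if (e["ts"] - start["ts"]).total_seconds() > seconds:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def analyse(lines, window_s=60, min_ips=3, burst_n=5, burst_s=10):
    """Correlate probe requests three ways and collect the IPs to quarantine.
    Thresholds are low so the small sample trips them; tune against real traffic."""
    events = [e for e in map(parse_line, lines) if e]
    probes = [e for e in events if e["rfi"] or PROBE_PATH_RE.match(e["path"])]
    findings = {"rfi": [], "distributed": {}, "bursts": {}}

    # 1. Remote-file-inclusion probes (the humans.txt trick quoted above).
    for e in probes:
        for k, v in e["rfi"]:
            findings["rfi"].append((e["ip"], e["path"], k, v))

    # 2. One UA, many IPs, same probe sequence inside a short window: a botnet run.
    by_ua = defaultdict(list)
    for e in probes:
        by_ua[e["ua"]].append(e)
    for ua, evs in by_ua.items():
        if _window_max(evs, window_s, key=lambda e: e["ip"]) >= min_ips:
            findings["distributed"][ua] = sorted({e["ip"] for e in evs})

    # 3. One IP firing many probes in seconds: the "68 requests in 10 seconds" case.
    by_ip = defaultdict(list)
    for e in probes:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        n = _window_max(evs, burst_s, key=id)  # id(): count events, not distinct values
        if n >= burst_n:
            findings["bursts"][ip] = n

    quarantine = {ip for ip, *_ in findings["rfi"]}
    quarantine |= {ip for ips in findings["distributed"].values() for ip in ips}
    quarantine |= set(findings["bursts"])
    findings["quarantine"] = sorted(quarantine)
    return findings


OPERA = "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
FF = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
SAMPLE_LOG = [  # constructed sample, not from any real server
    f'198.51.100.7 - - [08/Mar/2014:02:50:29 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "{OPERA}"',
    f'198.51.100.7 - - [08/Mar/2014:02:50:29 -0800] "GET /common.php HTTP/1.1" 403 15411 "-" "{OPERA}"',
    f'203.0.113.45 - - [08/Mar/2014:02:50:41 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "{OPERA}"',
    f'203.0.113.45 - - [08/Mar/2014:02:50:41 -0800] "GET /wp-login.php HTTP/1.1" 403 1369 "-" "{OPERA}"',
    f'192.0.2.200 - - [08/Mar/2014:02:51:02 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "{OPERA}"',
    f'192.0.2.200 - - [08/Mar/2014:02:51:03 -0800] "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1" 403 1369 "-" "{OPERA}"',
    *[f'203.0.113.9 - - [08/Mar/2014:03:10:0{i} -0800] "HEAD /editor/filemanager/connectors/uploadtest.html HTTP/1.1" 404 0 "-" "{FF}"'
      for i in range(6)],
    '192.0.2.77 - - [08/Mar/2014:14:34:40 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"',
    f'198.51.100.200 - - [08/Mar/2014:02:52:00 -0800] "GET /about.html HTTP/1.1" 200 5120 "-" "{FF}"',  # legitimate visitor
]

if __name__ == "__main__":
    for kind, value in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {value}")
```

Run against the sample, the Opera UA is reported as a distributed run across three addresses, 203.0.113.9 as a burst, the wordtube request as an RFI probe, and the ordinary /about.html visitor is left alone. The quarantine list is the set dstiles and blend27 describe feeding into a firewall or 400/403 rule; the per-UA correlation is what catches the case keyplyr raised, where each individual IP only sends a request or two and no single-IP rate limit would fire.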
Angonasec
msg:4652676, 12:08 pm on Mar 10, 2014 (gmt 0)

Bingo!

My experience dealing with MS's legal bods, requesting them to remove/shut down hundreds of copyright infringers, indicates that MS are far more efficient, and responsive, than Google.

So it may well be worth reporting this server abuse to MS hosting bods in Seattle and HK.

lucy24
msg:4652757, 4:02 pm on Mar 10, 2014 (gmt 0)

For example:
MS employee spoofing as a hacker to investigate typical server responses.

That employee is a very, very fast typist, if so.

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.

dstiles
msg:4652802, 8:02 pm on Mar 10, 2014 (gmt 0)

keyplyr - it's possible to buy botnets of various sizes for varying prices, but small ones are apparently quite cheap. Botnets come with a "control panel" so any idiot (i.e. most botnet drivers) can manage them. Botnets are a commodity nowadays.

Angonasec - MS have a long history of legal wrangles and appear to have learnt from them. Certainly more so than G, who are still in the denial phase.

blend27
msg:4652834, 9:21 pm on Mar 10, 2014 (gmt 0)

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.
Emphases added by me.


Believe or not, Russians do like Opera, a lot. :) Just ask some of us. You should hear us singing when the Bot Actually starts running on a hacked account! :)

blend27
msg:4652838, 9:38 pm on Mar 10, 2014 (gmt 0)

As far as 'wp-../../.php'

1. If one does not run one (WP) >> we serve 400 (16 bytes), put the IP in quarantine.
2. If one does, was it accessed from an allowed IP? if no >> GOBACK to 1.
3. Blame the ... dude in a funny pants.

@keyplyr, were the headers OK?

keyplyr
msg:4652858, 11:17 pm on Mar 10, 2014 (gmt 0)

@blend27

I send myself an email when headers are malformed. However, in this case the hits were 403 blocked for at least two other reasons which I saw immediately, so I never viewed the headers for those attempts (deleted now). And no, I do not use ANY out-of-the-box software... especially WP!

lucy24
msg:4652885, 2:26 am on Mar 11, 2014 (gmt 0)

Russians do like Opera, a lot.

They're also said to be traditionalists at heart, which would explain why you see so many Opera <= 8 and "Bork-edition" floating around ;)

I don't have anything that's attractive to Russian humans, so I really have no idea what they typically look like. In, ahem, site logs. Real life is another matter.

However in this case the hits were 403 blocked for at least two other reasons

Once in a blue moon I fine-tooth-comb my logs and take a closer look at the 403s. I like to make sure their originating IPs are also blocked whenever possible; things like UA and referer tests are just insurance.

keyplyr
msg:4652887, 2:35 am on Mar 11, 2014 (gmt 0)

For the last 3 months, after changing hosts, I "fine-tooth-comb my logs" all day long, slowly looking for anything abnormal. I've caught quite a few things I've either changed my mind about, or discovered the culprit has developed a work-around to my initial defenses.

carson63000
msg:4656928, 2:32 am on Mar 25, 2014 (gmt 0)

Opera user agent strings are very common for probe bots, in my experience. Particularly from Russia and the Ukraine.

And if these hits are coming from MS hosting IP space, that means there's a 0.01% chance someone has rented an Azure server to run their probe, and a 99.99% chance that someone's Azure-hosted webserver has been compromised and is now being used to run probes.

© Webmaster World 1996-2014 all rights reserved