Botnet Attempting Zen Cart Attack

Forum Moderators: open

Message Too Old, No Replies

Botnet Attempting Zen Cart Attack

Blank UAs Attacking

incrediBILL

6:56 pm on Jul 15, 2010 (gmt 0)

The bots are all using blank UAs from a wide array of IPs.

They keep asking for the following:
"GET /admin/login.php"
"GET /extras/ipn_test_return.php"

Over and over and over, hundreds of times per IP in some cases.

This is apparently an old Zen cart vulnerability, about 6 months old best I can tell.

So why is a botnet hammering on my servers which don't have Zen cart, looking feverishly for this stuff at such a late date?

Anyone else?

Hobbs

7:41 pm on Jul 15, 2010 (gmt 0)

Yes
222.76.218.a

dstiles

10:15 pm on Jul 15, 2010 (gmt 0)

Can't say if I've received any hits with those credentials but I have the range 222.76.208.0-222.76.223.255 blocked as being a Chinese server farm "belonging" to Xiamen.

incrediBILL

11:23 pm on Jul 15, 2010 (gmt 0)

It's coming from more than China, I'm seeing a world-wide botnet attack

enigma1

7:05 pm on Jul 16, 2010 (gmt 0)

Bill, do you have code in place recording the headers for each attempt apart of the logs that list just few items?

The general pattern of multiple attempts that I see in the logs (although the get request is identical) also makes me thinking if they change the headers to resend cookies etc.

It's a wild guess but I am thinking the multiple attempts could mean to force the server initialize a cookie send it back and receive it, in other words to be sure the server doesn't redirect or kick them out because of the headers or cookies.

incrediBILL

7:09 pm on Jul 16, 2010 (gmt 0)

Sorry, on the site being attacked no headers are captured.

dstiles

8:48 pm on Jul 16, 2010 (gmt 0)

Probably just another distributed attack similar to casper. Most of the "attacks" I'm seeing at the moment are from compromised server farms, with very few exceptions (which are probably servers on company/personal DSL).

Megaclinium

12:31 am on Jul 24, 2010 (gmt 0)

I'm getting multiple php attacks from cloaked bot on a compromised server host in Dana Point, CA, all 5 hits in two seconds. keeps attacking despite eating 403's

208.71.173.xx

"GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

If it comes from a non-banned address range, it will eat really large files. Inspired by this forum, I setup the attack directory and put huge nonsense files under those names.

Megaclinium

12:32 am on Jul 24, 2010 (gmt 0)

Woops, here's the whole range to deep-six
208.71.168.0/21

blend27

1:51 am on Jul 24, 2010 (gmt 0)

ws.arin.net/whois/?queryinput=Network+Data+Center+Host%2C+Inc.

while you at it.

Megaclinium

1:58 am on Jul 24, 2010 (gmt 0)

Neat - I was trying to figure out how to look up other ranges for banned hosts.

Like leftovers, they seem to come back later, often from different range same host.

tangor

3:02 am on Jul 24, 2010 (gmt 0)

My solution to these particular attacks is not for everyone: I don't run php on my server so I 403 any php in the URI. Works a charm!

tangor

3:08 am on Jul 24, 2010 (gmt 0)

(edit... realized revealing what I 403 might give the bot ghods a clue end edit) have been 403'd for the last year. Take a look at your logs and see if there is ANY human behind those. Think it will surprise you.

PM if you want my list of other things to 403...