Botnet Attempting Zen Cart Attack

Blank UAs Attacking

6:56 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

The bots are all using blank UAs from a wide array of IPs.

They keep asking for the following:
"GET /admin/login.php"
"GET /extras/ipn_test_return.php"

Over and over and over, hundreds of times per IP in some cases.

This is apparently an old Zen Cart vulnerability, about 6 months old, best I can tell.

So why is a botnet hammering on my servers which don't have Zen cart, looking feverishly for this stuff at such a late date?

Anyone else?

7:41 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Senior Member hobbs is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Yes
222.76.218.a

10:15 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member

Can't say if I've received any hits with those credentials but I have the range 222.76.208.0-222.76.223.255 blocked as being a Chinese server farm "belonging" to Xiamen.

11:23 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

It's coming from more than China, I'm seeing a world-wide botnet attack

7:05 pm on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

Bill, do you have code in place recording the headers for each attempt, apart from the logs that list just a few items?

The general pattern of multiple attempts that I see in the logs (although the GET request is identical) also makes me wonder whether they change the headers to resend cookies etc.

It's a wild guess, but I am thinking the multiple attempts could be meant to force the server to initialize a cookie, send it back and receive it; in other words, to be sure the server doesn't redirect or kick them out because of the headers or cookies.

7:09 pm on Jul 16, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Sorry, on the site being attacked no headers are captured.

8:48 pm on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member

Probably just another distributed attack similar to casper. Most of the "attacks" I'm seeing at the moment are from compromised server farms, with very few exceptions (which are probably servers on company/personal DSL).

12:31 am on Jul 24, 2010 (gmt 0)

5+ Year Member

I'm getting multiple PHP attacks from a cloaked bot on a compromised server host in Dana Point, CA, all 5 hits in two seconds. It keeps attacking despite eating 403's.

208.71.173.xx

"GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

If it comes from a non-banned address range, it will eat really large files. Inspired by this forum, I set up the attack directory and put huge nonsense files under those names.
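A detector for the two probe patterns in this thread, the blank-UA Zen Cart requests from the opening post and the phpMyAdmin directory scan above, written here as an added example and not code from any poster: it parses Apache combined-format lines, counts probe hits and blank User-Agents per source IP, and flags repeat offenders. The sample log lines are constructed, and the flagging threshold is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample lines in Apache "combined" format (not from the thread's servers).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2010:18:50:01 +0000] "GET /admin/login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [15/Jul/2010:18:50:02 +0000] "GET /extras/ipn_test_return.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [24/Jul/2010:00:30:10 +0000] "GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [24/Jul/2010:00:30:10 +0000] "GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [24/Jul/2010:00:30:11 +0000] "GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.9 - - [24/Jul/2010:00:31:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Paths the thread reports being probed: Zen Cart admin/IPN scripts and the
# phpMyAdmin directory guesses. Compared case-insensitively after collapsing "//".
PROBE_RE = re.compile(
    r'^/(admin/login\.php|extras/ipn_test_return\.php|'
    r'(phpmyadmin|pma|mysql|php-my-admin|myadmin)/main\.php)$', re.I)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None  # None for lines not in combined format

def is_probe(rec):
    path = re.sub(r'/+', '/', rec['path'].split('?', 1)[0])
    return bool(PROBE_RE.match(path))

def blank_ua(rec):
    # Apache logs a missing User-Agent as "-"; an empty header logs as "".
    return rec['ua'] in ('', '-')

def summarize(log_text, threshold=2):
    """Per source IP: count probe hits and blank-UA hits; flag IPs whose probe
    count reaches `threshold` (assumed value). Returns {ip: {'probes', 'blank_ua', 'flag'}}."""
    stats = defaultdict(lambda: {'probes': 0, 'blank_ua': 0, 'flag': False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        s = stats[rec['ip']]
        if is_probe(rec):
            s['probes'] += 1
        if blank_ua(rec):
            s['blank_ua'] += 1
        s['flag'] = s['probes'] >= threshold
    return dict(stats)
```

Feed a real access log through `summarize()` to get the per-IP counts; a flagged IP with a non-zero blank-UA count matches the opening post's pattern, while a flagged IP with a populated UA matches the phpMyAdmin scanner.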

12:32 am on Jul 24, 2010 (gmt 0)

5+ Year Member

Whoops, here's the whole range to deep-six:
208.71.168.0/21

1:51 am on Jul 24, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

ws.arin.net/whois/?queryinput=Network+Data+Center+Host%2C+Inc.

while you're at it.

1:58 am on Jul 24, 2010 (gmt 0)

5+ Year Member

Neat - I was trying to figure out how to look up other ranges for banned hosts.

Like leftovers, they seem to come back later, often from a different range of the same host.

3:02 am on Jul 24, 2010 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

My solution to these particular attacks is not for everyone: I don't run PHP on my server, so I 403 any "php" in the URI. Works a charm!

3:08 am on Jul 24, 2010 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

(edit... realized revealing what I 403 might give the bot ghods a clue end edit) have been 403'd for the last year. Take a look at your logs and see if there is ANY human behind those. Think it will surprise you.

PM if you want my list of other things to 403...