Forum Moderators: Ocean10000 & incrediBILL

Botnet Attempting Zen Cart Attack

Blank UAs Attacking

6:56 pm on Jul 15, 2010 (gmt 0)

incredibill, Administrator from US (joined Jan 25, 2005; 14624 posts; 88 votes)


The bots are all using blank UAs from a wide array of IPs.

They keep asking for the following:
"GET /admin/login.php"
"GET /extras/ipn_test_return.php"

Over and over and over, hundreds of times per IP in some cases.

This is apparently an old Zen Cart vulnerability, about 6 months old best I can tell.

So why is a botnet hammering on my servers, which don't have Zen Cart, looking feverishly for this stuff at such a late date?

Anyone else?

7:41 pm on July 15, 2010 (gmt 0)

hobbs, Senior Member (joined Mar 19, 2004; 3054 posts; 3 votes)


Yes
222.76.218.a

10:15 pm on July 15, 2010 (gmt 0)

dstiles, Senior Member from GB (joined May 14, 2008; 3092 posts; 2 votes)


Can't say if I've received any hits with those credentials but I have the range 222.76.208.0-222.76.223.255 blocked as being a Chinese server farm "belonging" to Xiamen.

11:23 pm on July 15, 2010 (gmt 0)

incredibill, Administrator from US (joined Jan 25, 2005; 14624 posts; 88 votes)


It's coming from more than China; I'm seeing a world-wide botnet attack.

7:05 pm on July 16, 2010 (gmt 0)

Senior Member, name not shown (joined Apr 30, 2007; 1394 posts; 0 votes)


Bill, do you have code in place recording the headers for each attempt, apart from the logs that list just a few items?

The general pattern of multiple attempts that I see in the logs (although the GET request is identical) also makes me wonder if they change the headers to resend cookies etc.

It's a wild guess, but I am thinking the multiple attempts could be meant to force the server to initialize a cookie, send it back and receive it; in other words, to be sure the server doesn't redirect or kick them out because of the headers or cookies.

7:09 pm on July 16, 2010 (gmt 0)

incredibill, Administrator from US (joined Jan 25, 2005; 14624 posts; 88 votes)


Sorry, on the site being attacked no headers are captured.

8:48 pm on July 16, 2010 (gmt 0)

dstiles, Senior Member from GB (joined May 14, 2008; 3092 posts; 2 votes)


Probably just another distributed attack similar to casper. Most of the "attacks" I'm seeing at the moment are from compromised server farms, with very few exceptions (which are probably servers on company/personal DSL).

12:31 am on July 24, 2010 (gmt 0)

Junior Member, name not shown (joined Feb 20, 2008; 94 posts; 0 votes)


I'm getting multiple PHP attacks from a cloaked bot on a compromised server host in Dana Point, CA, all 5 hits in two seconds. It keeps attacking despite eating 403's.

208.71.173.xx

"GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


If it comes from a non-banned address range, it will eat really large files. Inspired by this forum, I set up the attack directory and put huge nonsense files under those names.
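
The probe patterns reported in this thread (blank-User-Agent hits on /admin/login.php and /extras/ipn_test_return.php in the opening post, and the phpMyAdmin directory walk with a doubled leading slash in the post above) can be picked out of an Apache combined-format access log with a short script. What follows is an added example, not code from any poster here. The log lines are constructed to mirror the thread, the IPs and timestamps are documentation-range placeholders, and the per-IP threshold is an assumption; the blocked ranges are the ones posters in this thread say they block (208.71.168.0/21 and 222.76.208.0-222.76.223.255, which is 222.76.208.0/20).

```python
import posixpath
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths from the thread: the Zen Cart admin login and PayPal IPN test script,
# and the phpMyAdmin directory names the scanner walked through.
ZENCART_PROBES = {"/admin/login.php", "/extras/ipn_test_return.php"}
PMA_DIRS = {"phpmyadmin", "pma", "mysql", "php-my-admin", "myadmin"}

# Ranges posters in this thread said they block; assumed still current.
BLOCKED_RANGES = [ip_network("208.71.168.0/21"), ip_network("222.76.208.0/20")]


def normalize_path(uri):
    """Canonicalize the request path so '//phpMyAdmin/main.php',
    '/phpmyadmin/./main.php' and '/PMA/main.php?x=1' all compare equal:
    drop the query string, collapse doubled leading slashes, resolve
    '.' and '..' segments, and lowercase."""
    path = uri.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def classify(entry):
    """Return the list of reasons a parsed log entry looks like a scanner probe."""
    reasons = []
    path = normalize_path(entry["uri"])
    # Apache writes "-" for a missing User-Agent and "" for an empty one.
    if entry["ua"] in ("", "-"):
        reasons.append("blank-ua")
    if path in ZENCART_PROBES:
        reasons.append("zencart-probe")
    first_dir = path.split("/")[1]
    if first_dir in PMA_DIRS and path.endswith("/main.php"):
        reasons.append("pma-probe")
    return reasons


def parse(lines):
    """Yield dicts for lines that match the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def find_scanners(lines, threshold=3):
    """Map IP -> (flagged request count, sorted reasons) for every IP that
    produced at least `threshold` flagged requests."""
    hits = Counter()
    reasons_by_ip = defaultdict(set)
    for entry in parse(lines):
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]] += 1
            reasons_by_ip[entry["ip"]].update(reasons)
    return {ip: (n, sorted(reasons_by_ip[ip]))
            for ip, n in hits.items() if n >= threshold}


def in_blocked_range(ip):
    """True if the address falls inside one of the ranges named in the thread."""
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jul/2010:18:50:01 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" ""',
    '198.51.100.7 - - [15/Jul/2010:18:50:02 +0000] "GET /extras/ipn_test_return.php HTTP/1.1" 404 221 "-" ""',
    '198.51.100.7 - - [15/Jul/2010:18:50:03 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" ""',
    '208.71.173.12 - - [24/Jul/2010:00:31:10 +0000] "GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '208.71.173.12 - - [24/Jul/2010:00:31:10 +0000] "GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '208.71.173.12 - - [24/Jul/2010:00:31:11 +0000] "GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.5 - - [24/Jul/2010:00:40:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [24/Jul/2010:00:40:05 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, (count, reasons) in sorted(find_scanners(SAMPLE_LOG).items()):
        flag = " (in blocked range)" if in_blocked_range(ip) else ""
        print(f"{ip}: {count} probes, {', '.join(reasons)}{flag}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines. The path normalization matters more than it looks: the scanner above requests `//phpMyAdmin/main.php`, and a rule that compares raw URIs against `/phpmyadmin/main.php` misses it, as does one that forgets the query string. A single hit on /admin/login.php from a browser UA stays below the threshold on purpose, since that is also what a lost human produces.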

12:32 am on July 24, 2010 (gmt 0)

Junior Member, name not shown (joined Feb 20, 2008; 94 posts; 0 votes)


Whoops, here's the whole range to deep-six:
208.71.168.0/21

1:51 am on July 24, 2010 (gmt 0)

Senior Member, name not shown (joined Dec 27, 2004; 1667 posts; 36 votes)


ws.arin.net/whois/?queryinput=Network+Data+Center+Host%2C+Inc.

While you're at it.

1:58 am on July 24, 2010 (gmt 0)

Junior Member, name not shown (joined Feb 20, 2008; 94 posts; 0 votes)


Neat - I was trying to figure out how to look up other ranges for banned hosts.

Like leftovers, they seem to come back later, often from different range same host.

3:02 am on July 24, 2010 (gmt 0)

tangor, Senior Member from US (joined Nov 29, 2005; 6160 posts; 284 votes)


My solution to these particular attacks is not for everyone: I don't run php on my server so I 403 any php in the URI. Works a charm!
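
The "no PHP here, so 403 anything with php in the URI" rule above is easy to state and easy to get slightly wrong: case (`/X.PHP`), a `.php` segment followed by more path (`/x.php/extra`), a doubled leading slash, or a query string can all slip past a naive substring match on the raw request. Here it is as an added example decision function, not tangor's actual configuration, combined with the address ranges posters earlier in this thread said they block. The admin prefixes, the sample requests and the `site_serves_php` switch are assumptions.

```python
import posixpath
from ipaddress import ip_address, ip_network

# Ranges posters in this thread said they block; assumed still current.
BLOCKED_RANGES = [ip_network("208.71.168.0/21"), ip_network("222.76.208.0/20")]

# Admin-style directory prefixes probed in this thread (assumed list). Hits
# here from a client that sends no User-Agent at all get refused regardless
# of whether PHP is served.
ADMIN_PREFIXES = ("/admin/", "/phpmyadmin/", "/pma/", "/mysql/",
                  "/php-my-admin/", "/myadmin/")


def canonical_path(uri):
    """Drop the query, collapse doubled leading slashes, resolve . and ..,
    and lowercase, so every spelling of a probe path hits the same rule."""
    path = uri.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def requests_php(path):
    """True if any path segment ends in .php, so /x.php/extra and /X.PHP
    are caught as well as /x.php. Expects a canonical (lowercased) path."""
    return any(seg.endswith(".php") for seg in path.split("/"))


def decide(client_ip, uri, user_agent, site_serves_php=False):
    """Return (status, reason) for one request.

    Rules, in order: blocked source range -> 403; any .php request on a
    site that serves no PHP -> 403; blank User-Agent on an admin prefix
    -> 403; otherwise 200. With site_serves_php=True the second rule is
    skipped, which is the caveat in the post above: the shortcut only
    works when there is genuinely no PHP to serve.
    """
    if any(ip_address(client_ip) in net for net in BLOCKED_RANGES):
        return 403, "blocked-range"
    path = canonical_path(uri)
    if not site_serves_php and requests_php(path):
        return 403, "php-on-non-php-site"
    # Apache logs a missing UA as "-"; treat that and whitespace as blank.
    if not user_agent.strip("- ") and (path + "/").startswith(ADMIN_PREFIXES):
        return 403, "blank-ua-admin-probe"
    return 200, "ok"


def summarize(requests, site_serves_php=False):
    """Apply decide() to (ip, uri, ua) tuples and return the reasons in order."""
    return [decide(ip, uri, ua, site_serves_php)[1] for ip, uri, ua in requests]


# Constructed requests mirroring the thread (documentation addresses).
SAMPLE_REQUESTS = [
    ("208.71.173.12", "//phpMyAdmin/main.php", "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"),
    ("198.51.100.7", "/extras/ipn_test_return.php", ""),
    ("198.51.100.7", "/admin/login.php", ""),
    ("203.0.113.5", "/index.html", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("203.0.113.5", "/Admin/", "-"),
]

if __name__ == "__main__":
    for (ip, uri, ua), reason in zip(SAMPLE_REQUESTS, summarize(SAMPLE_REQUESTS)):
        print(f"{ip} {uri!r} ua={ua!r}: {reason}")
```

Replaying a day's worth of logged requests through `summarize()` before deploying the equivalent server rule shows exactly what the rule would have refused, which is the check worth doing on any site that does serve some PHP. In Apache the same decision is normally expressed as a mod_rewrite condition on the request URI that returns a forbidden response; the function above only makes the rule order and the canonicalization explicit.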

3:08 am on July 24, 2010 (gmt 0)

tangor, Senior Member from US (joined Nov 29, 2005; 6160 posts; 284 votes)


(edit... realized revealing what I 403 might give the bot ghods a clue end edit) have been 403'd for the last year. Take a look at your logs and see if there is ANY human behind those. Think it will surprise you.

PM if you want my list of other things to 403...