
Firefox 6 attack

testing my site?

     
7:32 am on Feb 13, 2012 (gmt 0)

WebmasterWorld Administrator incredibill



Here's a sample of some little attack that hit my radar which I found quite amusing.

All the same UA, all had the same flaw that caused them to get caught, most came from consecutive IPs in Germany, Sweden and a few other countries. The one I found most interesting was the Georgia IP, which was from a university: compromised, or the source of the bombardment?

And it all happened quickly, within a minute, stress testing my scripts perhaps?

2012-02-12,00:38:09,83.140.95.58,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:11,83.140.95.53,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:22,83.140.95.64,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:31,83.140.95.65,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:35,83.140.95.40,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:35,186.153.181.226,Argentina,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:37,80.248.233.152,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:40,80.248.233.136,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:42,46.59.93.205,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:43,46.59.93.209,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:44,46.59.93.208,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:45,46.59.93.201,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:46,46.59.93.203,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:48,46.59.93.210,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:49,46.59.93.204,Germany,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:50,80.248.238.152,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:51,217.147.231.50,Georgia,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:52,80.248.239.130,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:53,80.248.239.133,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:54,80.248.239.126,Sweden,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html
2012-02-12,00:38:59,218.189.26.158,Hong Kong,"Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0",/index.html


Anyone tracking anything like this?
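
The pattern described in the post above (one identical User-Agent, many distinct source addresses, one URL, all within about a minute) can be flagged automatically from logs in this CSV layout. This is an added example, not part of the original post; the function names, the 60-second window, the five-address threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample rows in the thread's CSV layout (date,time,ip,country,"ua",path):
# documentation-range IPs and placeholder country code "ZZ"; not real traffic.
UA = "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
ROWS = [  # (time, ip, user agent)
    ("00:38:09", "192.0.2.58", UA), ("00:38:11", "192.0.2.53", UA),
    ("00:38:22", "198.51.100.64", UA), ("00:38:30", "192.0.2.7", "ExampleBrowser/1.0"),
    ("00:38:35", "198.51.100.65", UA), ("00:38:40", "203.0.113.40", UA),
    ("00:38:51", "203.0.113.41", UA), ("00:50:00", "192.0.2.99", UA),
]
SAMPLE = "\n".join(f'2012-02-12,{t},{ip},ZZ,"{ua}",/index.html' for t, ip, ua in ROWS)

def parse(text):
    """Yield (timestamp, ip, user_agent, path) for each well-formed row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed lines instead of failing the whole run
        date, time, ip, _country, ua, path = row
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, ua, path

def find_bursts(text, window=timedelta(seconds=60), min_ips=5):
    """Flag (UA, path) pairs requested by >= min_ips distinct IPs inside one window."""
    by_key = defaultdict(list)
    for ts, ip, ua, path in parse(text):
        by_key[(ua, path)].append((ts, ip))
    findings = []
    for (ua, path), hits in by_key.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Slide the left edge so the window never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            # Collapse to /24s to expose the "consecutive IPs" clustering.
            nets = sorted({str(ip_network(f"{ip}/24", strict=False)) for ip in best})
            findings.append({"ua": ua, "path": path, "ips": len(best), "nets": nets})
    return findings

if __name__ == "__main__":
    for finding in find_bursts(SAMPLE):
        print(finding)
```

Grouping the flagged addresses by /24 makes it easy to see when a burst comes from a handful of adjacent ranges rather than from unrelated visitors who happen to share a browser version.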
8:30 am on Feb 13, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness



Bill,
Nothing like that, however I've something unique.
Since not having any logs to work with, I've been a bit less active.

I deplore browser changes on my own machines and stuck with FF 3.6 despite many newer versions.
Recently I upgraded to 7.01.
I only use a few plug-ins.

Had automated requests in my logs from ASK (using my own IP) and I wasn't aware that I had any Ask tool bar installed.

My FF UA
"Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

The requests (four minutes after exiting the page and my own IP)
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AskTbFXTV5/5.12.2.16749; .NET CLR 1.1.4322)"

After some poking around on the WWW, there are some suggestions that this toolbar is related to the Avira AV, which I use. It seems Avira is installing this TB in the FREE version of their software automatically and without notification.

There are some Ask references in the FF about:config, however nothing I could see to warrant change.

However, and to be fair, I've been editing loads of web pages with an older html software, and likely should be doing so offline, so that absolute links would not function.

Still, who'd ever thought ;)
8:41 am on Feb 16, 2012 (gmt 0)

WebmasterWorld Senior Member wilderness



Speaking of compromised machines:

205.188.116.zzz - - [16/Feb/2012:07:56:17 +0000] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 403 533 "http:/example.com/smf/index.php?topic=00000.0" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.5401; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; ShopperReports 3.0.497.0; SRS_IT_E8790571B5765E543FAD97; BRI/1; BRI/2; FunWebProducts; AskTbORJ/5.13.1.18107)"
 
