Hack attempt from a MS range

12:10 pm on Mar 8, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

Very interesting:

168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /index/40 HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /common.php HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"

There were a couple dozen similar attempts from the same Amsterdam Microsoft IP address, same UA, all blocked on several counts. I'm thinking part of this MS range is an open proxy and the culprit is Russian.

11:51 pm on Mar 8, 2014 (gmt 0)
incredibill (WebmasterWorld Administrator)

Why do you consider this a "hack attempt"?

It looks pretty tame to me.

12:28 am on Mar 9, 2014 (gmt 0)
WebmasterWorld Senior Member

I agree with KeyP; plenty of signals in that snippet to indicate a hacker's fingerprints.

Let's be gracious and consider what scenarios may have precipitated this "accident"?

For example:
MS employee spoofing as a hacker to investigate typical server responses.

12:33 am on Mar 9, 2014 (gmt 0)
brotherhood_of_lan (WebmasterWorld Administrator)

Another example is that the links were deliberately placed for a spider to follow. There have been numerous reports of this technique and I'm not sure how savvy Bing is at avoiding them. I kinda agree with Incredibill though, no GET var injection and not obviously malicious.

12:47 am on Mar 9, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

True, no injection attempts but definitely malicious IMO.

I use the term "hack" because out of the 60 or so hits like this (all for documents that don't exist on my server, all at the same time stamp) most were the common probes to see if I used PHP or WordPress. Lots of "admin", "login", etc.

2:06 am on Mar 9, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

Hmmm... last couple statements vanished. I'll post again.

Basically I said that I'm now convinced the hacker is Russian and was using a M$ proxy. Now seeing same UA, same hack probes and the same sequence coming from a Russian broadband range.

5:19 am on Mar 9, 2014 (gmt 0)

Looks like it's Microsoft Hosting:
[whatismyipaddress.com...]

6:19 am on Mar 9, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

@MickeyRoush - Ahhh thanks. Looking further it looks like M$ Hosting Hong Kong:

168.61.0.0 - 168.63.255.255
168.61.0.0/16
168.62.0.0/15

Since I see the same hits from other ranges, it may be a botnet.

8:50 pm on Mar 9, 2014 (gmt 0)
dstiles (WebmasterWorld Senior Member)

I block the complete 168.61.0.0 - 168.63.255.255 range.

Some time ago I made a note about 168.63.0.0/16: "hundreds of hits in minutes" and blocked it in the firewall - something I rarely do.

Probably not a botnet as such, just an ill-mannered lout who has rented space on an MS server.

11:30 pm on Mar 9, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

Same UA requesting same sequence of same files (all blocked.) Here's the botnet:


1:13 am on Mar 10, 2014 (gmt 0)
WebmasterWorld Administrator

In a recent access log check on one site I had two varieties of this rapid-fire vulnerability check, some from one single IP, one like this with multiple hits in sequence from IPs all over the place.

Two of the first type each had different UAs; the second type, as shown here, had a different UA, but all IPs had the same UA.

The multi IP hits came in sequence with the same UA over the course of a minute:

UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"

165.132.100.76
(72 requests under a minute)
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

183.60.244.29
(68 requests in less than 10 seconds)
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

I consider these all "hacking attempts" because they are requesting (or POSTing to) means to upload or edit files. Examples (none of these plugins or editors or themes are on this site):
POST /wp-content/plugins/wpstorecart/php/upload.php
POST /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php
HEAD /editor/filemanager/connectors/uploadtest.html
POST /wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
HEAD /editors/fckeditor/editor/filemanager/upload/test.html
POST /wp-content/themes/clockstone/theme/functions/upload.php
/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php
and on and on.

My point in adding this is just that in my experience it is not an isolated IP or UA that is running this program and I've seen it increasing in frequency.

3:10 am on Mar 10, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

@not2easy I agree.

I suspect there are venues where you can buy a list of infected machines to use.


Also, I've noticed "google.com/humans.txt" appended to a huge amount of hack attempts.

EXAMPLE: 67.222.18.49 - - [08/Mar/2014:14:34:40 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"
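As an added illustration (not code posted in this thread), here is a small log-triage script for the two patterns described in the last two posts: upload/editor probe paths hit by several IPs under one UA inside a minute, and a query parameter whose value is an external URL, as in the humans.txt example. The regexes and the sample log lines (RFC 5737 test addresses) are my own construction and assume Apache's combined log format, the layout of the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in this thread.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Upload/editor paths of the kind listed above; none exist on the sites discussed.
PROBE_PATH_RE = re.compile(r'/wp-content/(plugins|themes)/|/fckeditor/|/filemanager/'
                           r'|/upload(test)?\.(php|html)$', re.I)
RFI_PARAM_RE = re.compile(r'[?&][^=&]*=https?://', re.I)  # param value is an absolute URL (the humans.txt pattern)
UA_FF22 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
SAMPLE = [  # constructed lines using RFC 5737 test addresses, not the thread's own logs
    f'192.0.2.10 - - [10/Mar/2014:03:00:01 -0800] "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1" 403 1369 "-" "{UA_FF22}"',
    f'192.0.2.11 - - [10/Mar/2014:03:00:14 -0800] "HEAD /editor/filemanager/connectors/uploadtest.html HTTP/1.1" 403 0 "-" "{UA_FF22}"',
    f'198.51.100.7 - - [10/Mar/2014:03:00:40 -0800] "POST /wp-content/themes/clockstone/theme/functions/upload.php HTTP/1.1" 403 1369 "-" "{UA_FF22}"',
    '203.0.113.9 - - [10/Mar/2014:03:05:00 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"',
    f'192.0.2.50 - - [10/Mar/2014:03:06:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "{UA_FF22}"',
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Reasons a request looks like a vulnerability probe; empty list if benign."""
    path = rec["url"].split("?", 1)[0]  # the path test ignores the query string
    return [tag for tag, hit in (("probe-path", PROBE_PATH_RE.search(path)),
                                 ("rfi-param", RFI_PARAM_RE.search(rec["url"]))) if hit]

def probe_waves(lines, window_s=60, min_ips=3):
    """Per UA, the most distinct IPs that sent probe requests inside any window_s seconds."""
    by_ua = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if classify(rec):
            by_ua[rec["ua"]].append((rec["ts"], rec["ip"]))
    waves = {}
    for ua, hits in by_ua.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                waves[ua] = max(len(ips), waves.get(ua, 0))
    return waves
```

Run over SAMPLE, probe_waves reports the Firefox/22.0 UA with three distinct addresses inside one minute, while the humans.txt line is flagged on its own as both a probe path and an RFI-style parameter.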

12:08 pm on Mar 10, 2014 (gmt 0)
WebmasterWorld Senior Member

Bingo!

My experience dealing with MS's legal bods, requesting them to remove/shut-down hundreds of copyright infringers, indicates that MS are far more efficient, and responsive, than Google.

So it may well be worth reporting this server abuse to MS hosting bods in Seattle and HK.

4:02 pm on Mar 10, 2014 (gmt 0)
lucy24 (WebmasterWorld Senior Member)

For example:
MS employee spoofing as a hacker to investigate typical server responses.

That employee is a very, very fast typist, if so.

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.

8:02 pm on Mar 10, 2014 (gmt 0)
dstiles (WebmasterWorld Senior Member)

keyplyr - it's possible to buy botnets of various sizes for varying prices, but small ones are apparently quite cheap. Botnets come with a "control panel" so any idiot (i.e. most botnet drivers) can manage them. Botnets are a commodity nowadays.

Angonasec - MS have a long history of legal wrangles and appear to have learnt from them. Certainly more so than G, who are still in the denial phase.

9:21 pm on Mar 10, 2014 (gmt 0)
WebmasterWorld Senior Member

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.
Emphases added by me.


Believe it or not, Russians do like Opera, a lot. :) Just ask some of us. You should hear us singing when the Bot Actually starts running on a hacked account! :)

9:38 pm on Mar 10, 2014 (gmt 0)
WebmasterWorld Senior Member

As far as 'wp-../../.php'

1. If one does not run one (WP) >> we serve 400 (16 bytes), put the IP on quarantine.
2. If one does, was it accessed from an allowed IP? If no >> GO BACK to 1.
3. Blame the ... dude in funny pants.

@keyplyr, were the headers OK?

11:17 pm on Mar 10, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

@blend27

I send myself an email when headers are malformed. However in this case the hits were 403 blocked for at least two other reasons which I saw immediately, so I never viewed the headers for those attempts (deleted now.) And no, I do not use ANY out of the box software... especially WP!

2:26 am on Mar 11, 2014 (gmt 0)
lucy24 (WebmasterWorld Senior Member)

Russians do like Opera, a lot.

They're also said to be traditionalists at heart, which would explain why you see so many Opera <= 8 and "Bork-edition" floating around ;)

I don't have anything that's attractive to Russian humans, so I really have no idea what they typically look like. In, ahem, site logs. Real life is another matter.

However in this case the hits were 403 blocked for at least two other reasons

Once in a blue moon I fine-tooth-comb my logs and take a closer look at the 403s. I like to make sure their originating IPs are also blocked whenever possible; things like UA and referer tests are just insurance.

2:35 am on Mar 11, 2014 (gmt 0)
keyplyr (WebmasterWorld Senior Member)

For the last 3 months, after changing hosts, I "fine-tooth-comb my logs" all day long, slowly looking for anything abnormal. I've caught quite a few things I've either changed my mind about, or discovered the culprit has developed a work-around to my initial defenses.

2:32 am on Mar 25, 2014 (gmt 0)

Opera user agent strings are very common for probe bots, in my experience. Particularly from Russia and the Ukraine.

And if these hits are coming from MS hosting IP space, that means there's a 0.01% chance someone has rented an Azure server to run their probe, and a 99.99% chance that someone's Azure-hosted webserver has been compromised and is now being used to run probes.