Hack attempt from a MS range

keyplyr (Moderator This Forum, from US), 12:10 pm on Mar 8, 2014 (gmt 0)

Very interesting:

168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /engine/engine.php HTTP/1.1" 403 1369 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /index/40 HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
168.63.20.162 - - [08/Mar/2014:02:50:29 -0800] "GET /common.php HTTP/1.1" 403 15411 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"

There were a couple dozen similar attempts from the same Amsterdam Microsoft IP address, same UA, all blocked on several counts. I'm thinking part of this MS range is an open proxy and the culprit is Russian.

incredibill (Administrator, from US), 11:51 pm on Mar 8, 2014 (gmt 0)

Why do you consider this a "hack attempt"?

It looks pretty tame to me.

Senior Member (joined Oct 13, 2003), 12:28 am on Mar 9, 2014 (gmt 0)

I agree with KeyP; plenty of signals in that snippet to indicate a hacker's fingerprints.

Let's be gracious and consider what scenarios may have precipitated this "accident"?

For example:
MS employee spoofing as a hacker to investigate typical server responses.

brotherhood_of_lan (Senior Member, from GB), 12:33 am on Mar 9, 2014 (gmt 0)

Another example is that the links were deliberately placed for a spider to follow. There have been numerous reports of this technique and I'm not sure how savvy Bing is at avoiding them. I kinda agree with Incredibill though, no GET var injection and not obviously malicious.

keyplyr (Moderator This Forum, from US), 12:47 am on Mar 9, 2014 (gmt 0)

True, no injection attempts but definitely malicious IMO.

I use the term "hack" because out of the 60 or so hits like this (all for documents that don't exist on my server, all at the same time stamp) most were the common probes to see if I used PHP or WordPress. Lots of "admin", "login", etc.

keyplyr (Moderator This Forum, from US), 2:06 am on Mar 9, 2014 (gmt 0)

Hmmm... last couple statements vanished. I'll post again.

Basically I said that I'm now convinced the hacker is Russian and was using a M$ proxy. Now seeing same UA, same hack probes and the same sequence coming from a Russian broadband range.

Junior Member (joined May 3, 2011), 5:19 am on Mar 9, 2014 (gmt 0)

Looks like it's Microsoft Hosting:
[whatismyipaddress.com...]

keyplyr (Moderator This Forum, from US), 6:19 am on Mar 9, 2014 (gmt 0)

@MickeyRoush - Ahhh thanks. Looking further it looks like M$ Hosting Hong Kong:

168.61.0.0 - 168.63.255.255
168.61.0.0/16
168.62.0.0/15

Since I see the same hits from other ranges, it may be a botnet.

dstiles (Senior Member, from GB), 8:50 pm on Mar 9, 2014 (gmt 0)

I block the complete 168.61.0.0 - 168.63.255.255 range.

Some time ago I made a note about 168.63.0.0/16: "hundreds of hits in minutes" and blocked it in the firewall - something I rarely do.

Probably not a botnet as such, just an ill-mannered lout who has rented space on an MS server.

keyplyr (Moderator This Forum, from US), 11:30 pm on Mar 9, 2014 (gmt 0)

Same UA requesting same sequence of same files (all blocked). Here's the botnet:

not2easy (Administrator, from US), 1:13 am on Mar 10, 2014 (gmt 0)

In a recent access log check on one site I had two varieties of this rapid-fire vulnerability check: some from one single IP, and one like this with multiple hits in sequence from IPs all over the place.

Two of the first type each had different UAs; the second type, as shown here, had a different UA, but all IPs had the same UA.

The multi IP hits came in sequence with the same UA over the course of a minute:

UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"

165.132.100.76
(72 requests under a minute)
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

183.60.244.29
(68 requests in less than 10 seconds)
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

I consider these all "hacking attempts" because they are requesting (or POSTing to) means to upload or edit files. Examples (none of these plugins, editors or themes are on this site):
POST /wp-content/plugins/wpstorecart/php/upload.php
POST /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php
HEAD /editor/filemanager/connectors/uploadtest.html
POST /wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
HEAD /editors/fckeditor/editor/filemanager/upload/test.html
POST /wp-content/themes/clockstone/theme/functions/upload.php
/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php
and on and on.

My point in adding this is just that in my experience it is not an isolated IP or UA that is running this program and I've seen it increasing in frequency.
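A small detector for the two patterns not2easy describes above (one IP firing dozens of requests inside a minute, and the same UA requesting the same non-existent upload paths from many IPs in sequence), plus keyplyr's earlier point that hits on paths for software the site does not run are probes in themselves. This is an added example, not code from the thread or from any poster; it assumes the Apache combined log format of the quoted lines, a hypothetical site that runs neither WordPress nor FCKeditor (so the probe prefixes and thresholds are assumptions), and constructed sample lines in documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" log format, the layout of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Paths that exist only on software this hypothetical site does not run, so any hit is a probe.
PROBE_PREFIXES = ("/wp-content/", "/wp-admin/", "/wp-login.php", "/editor/", "/editors/")

def parse(line):
    """Fields of one combined-format line (timestamp as an aware datetime), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def burst_ips(entries, max_requests=20, window=timedelta(seconds=60)):
    """IPs that send more than max_requests inside any span of `window` (the single-IP pattern)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # max_requests + 1 consecutive timestamps fitting inside the window means the limit was exceeded
        if any(times[i + max_requests] - times[i] <= window for i in range(len(times) - max_requests)):
            flagged.add(ip)
    return flagged

def distributed_probe_uas(entries, min_ips=3):
    """UAs that hit probe paths from at least min_ips distinct IPs (the multi-IP, same-UA pattern)."""
    ips_by_ua = defaultdict(set)
    for e in entries:
        if e["path"].startswith(PROBE_PREFIXES):
            ips_by_ua[e["ua"]].add(e["ip"])
    return {ua: ips for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}

def sample_log():
    """Constructed sample lines using documentation IP ranges, not real traffic from the thread."""
    ua_opera = "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
    ua_ff = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
    lines = [f'198.51.100.7 - - [08/Mar/2014:02:50:{i % 9:02d} -0800] "POST /wp-content/plugins/p{i}/upload.php HTTP/1.1" 403 649 "-" "{ua_ff}"'
             for i in range(25)]  # 25 requests inside nine seconds from one IP
    lines += [f'203.0.113.{n} - - [08/Mar/2014:02:51:{n:02d} -0800] "HEAD /editor/filemanager/connectors/uploadtest.html HTTP/1.1" 403 649 "-" "{ua_opera}"'
              for n in range(1, 5)]  # same probe, same UA, four IPs within four seconds
    lines.append('192.0.2.9 - - [08/Mar/2014:02:52:00 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')
    return lines
```

Running `burst_ips` and `distributed_probe_uas` over `sample_log()` flags the single bursty IP and the Opera UA shared by the four probing IPs, while the ordinary `/index.html` hit is ignored.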

keyplyr (Moderator This Forum, from US), 3:10 am on Mar 10, 2014 (gmt 0)

@not2easy I agree.

I suspect there are venues where you can buy a list of infected machines to use.


Also, I've noticed "google.com/humans.txt" appended to a huge number of hack attempts.

EXAMPLE: 67.222.18.49 - - [08/Mar/2014:14:34:40 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"

Senior Member (joined Oct 13, 2003), 12:08 pm on Mar 10, 2014 (gmt 0)

Bingo!

My experience dealing with MS's legal bods, requesting them to remove/shut down hundreds of copyright infringers, indicates that MS are far more efficient, and responsive, than Google.

So it may well be worth reporting this server abuse to MS hosting bods in Seattle and HK.

lucy24 (Senior Member, from US), 4:02 pm on Mar 10, 2014 (gmt 0)

For example;
MS employee spoofing as a hacker to investigate typical server responses.

That employee is a very, very fast typist, if so.

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.

dstiles (Senior Member, from GB), 8:02 pm on Mar 10, 2014 (gmt 0)

keyplyr - it's possible to buy botnets of various sizes for varying prices, but small ones are apparently quite cheap. Botnets come with a "control panel" so any idiot (i.e. most botnet drivers) can manage them. Botnets are a commodity nowadays.

Angonasec - MS have a long history of legal wrangles and appear to have learnt from them. Certainly more so than G, who are still in the denial phase.

Senior Member (joined Dec 27, 2004), 9:21 pm on Mar 10, 2014 (gmt 0)

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.
Emphases added by me.


Believe it or not, Russians do like Opera, a lot. :) Just ask some of us. You should hear us singing when the bot actually starts running on a hacked account! :)

Senior Member (joined Dec 27, 2004), 9:38 pm on Mar 10, 2014 (gmt 0)

As far as 'wp-../../.php' goes:

1. If one does not run one (WP) >> we serve 400 (16 bytes) and put the IP in quarantine.
2. If one does, was it accessed from an allowed IP? If no >> go back to 1.
3. Blame the ... dude in funny pants.

@keyplyr, were the headers OK?

keyplyr (Moderator This Forum, from US), 11:17 pm on Mar 10, 2014 (gmt 0)

@blend27

I send myself an email when headers are malformed. However, in this case the hits were 403 blocked for at least two other reasons which I saw immediately, so I never viewed the headers for those attempts (deleted now). And no, I do not use ANY out-of-the-box software... especially WP!

lucy24 (Senior Member, from US), 2:26 am on Mar 11, 2014 (gmt 0)

Russians do like Opera, a lot.

They're also said to be traditionalists at heart, which would explain why you see so many Opera <= 8 and "Bork-edition" floating around ;)

I don't have anything that's attractive to Russian humans, so I really have no idea what they typically look like. In, ahem, site logs. Real life is another matter.

However in this case the hits were 403 blocked for at least two other reasons

Once in a blue moon I fine-tooth-comb my logs and take a closer look at the 403s. I like to make sure their originating IPs are also blocked whenever possible; things like UA and referer tests are just insurance.

keyplyr (Moderator This Forum, from US), 2:35 am on Mar 11, 2014 (gmt 0)

For the last 3 months, after changing hosts, I "fine-tooth-comb my logs" all day long, slowly looking for anything abnormal. I've caught quite a few things I've either changed my mind about, or discovered the culprit has developed a work-around to my initial defenses.

New User (joined Mar 2, 2014), 2:32 am on Mar 25, 2014 (gmt 0)

Opera user agent strings are very common for probe bots, in my experience. Particularly from Russia and the Ukraine.

And if these hits are coming from MS hosting IP space, that means there's a 0.01% chance someone has rented an Azure server to run their probe, and a 99.99% chance that someone's Azure-hosted webserver has been compromised and is now being used to run probes.