Chinese exploiter out of Kansas City IP

Forum Moderators: open

Message Too Old, No Replies

Chinese exploiter out of Kansas City IP

slipkid

4:21 am on Nov 20, 2014 (gmt 0)

Here is an example I believe of a Chinese exploiter running out of a US-based IP.

United States Kansas City Zhou Pizhong
WholeSale Internet, Inc.
173.208.128.0 - 173.208.255.255
173.208.128.0/17

This what they wanted:
GET /kedit/upload_cgi/upload.php

EastTexas

10:40 pm on Jan 5, 2015 (gmt 0)

They are sending lots of bots to my site & trying to hack into a non-existent wp site ;}

deny from wholesaleinternet.com

# Don't Use This on a WP Site!
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} admin [NC,OR]
RewriteCond %{REQUEST_URI} administrator [NC,OR]
RewriteCond %{REQUEST_URI} applications/Install [NC,OR]
RewriteCond %{REQUEST_URI} backup [NC,OR]
RewriteCond %{REQUEST_URI} bitrix [NC,OR]
RewriteCond %{REQUEST_URI} catalog [NC,OR]
RewriteCond %{REQUEST_URI} configuration.php [NC,OR]
RewriteCond %{REQUEST_URI} ckeditor [NC,OR]
RewriteCond %{REQUEST_URI} editor [NC,OR]
RewriteCond %{REQUEST_URI} fckeditor [NC,OR]
RewriteCond %{REQUEST_URI} filemanager [NC,OR]
RewriteCond %{REQUEST_URI} news [NC,OR]
RewriteCond %{REQUEST_URI} oscommerce [NC,OR]
RewriteCond %{REQUEST_URI} ror.xml [NC,OR]
RewriteCond %{REQUEST_URI} shop [NC,OR]
RewriteCond %{REQUEST_URI} wp [NC,OR]
RewriteCond %{REQUEST_URI} wordpress [NC,OR]
RewriteCond %{REQUEST_URI} wp-admin [NC,OR]
RewriteCond %{REQUEST_URI} wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} urllist.txt [NC,OR]
RewriteCond %{REQUEST_URI} user [NC,OR]
RewriteCond %{REQUEST_URI} xmlrpc.php
RewriteRule ^(.*)$ [%{REMOTE_ADDR}...] [R,L]
</IfModule>

Angonasec

1:00 am on Jan 6, 2015 (gmt 0)

Q/
an example I believe of a Chinese exploiter running out of a US-based IP.
/Q

Nothing new in that observation.

Most Chinese bots/hackers are based outside mainland China, the US being their favourite dive.

keyplyr

2:34 am on Jan 6, 2015 (gmt 0)

Wholesale Internet is a server farm and has numerous ranges that have been listed at least a couple times in the ongoing Server Farms thread. As Angonasec says, nothing new :)

lucy24

3:48 am on Jan 6, 2015 (gmt 0)

RewriteCond %{REQUEST_URI} ckeditor [NC,OR]
RewriteCond %{REQUEST_URI} editor [NC,OR]
RewriteCond %{REQUEST_URI} fckeditor [NC,OR]
...
RewriteCond %{REQUEST_URI} wp [NC,OR]
RewriteCond %{REQUEST_URI} wp-admin [NC,OR]
RewriteCond %{REQUEST_URI} wp-login.php [NC,OR]

Oh, come on.

EastTexas

4:18 am on Jan 6, 2015 (gmt 0)

I say let them try & waste their time hacking a non-existent wp site ;}

keyplyr

4:52 am on Jan 6, 2015 (gmt 0)

East Texas, that novel you published can be condensed to:

RewriteCond %{REQUEST_URI} (admin|applica|backup|bitrix|catalog|commerce|config|editor|file|news|shop|wp|urllist|user)

Better yet, just block the range & forget about it.

EastTexas

5:16 am on Jan 6, 2015 (gmt 0)

Thanks for the tip 8)

Better yet, just block the range & forget about it.

I do that too, but some are from here (USA) too.

lucy24

6:01 am on Jan 6, 2015 (gmt 0)

that novel you published

Ah, there. That's what I was trying to say.

First time I ever saw "/fckeditor/" in an URL was a non-English-language site. I thought it was something hand-rolled that just came out slightly unfortunate in English. Little did I know...

EastTexas

6:34 am on Jan 6, 2015 (gmt 0)

however the kfceditor is finger licking good ;}