Jorgee

     
3:53 pm on Jun 30, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


Seen last month and this. This UA amounts to a Denial of Service when it hits multiple IPs at once (as it did to the web IPs in our CIDR) simultaneously. I've seen it go by both --

Jorgee
Mozilla/5.0 Jorgee

-- and it hits 85 OR 102 known exploits -- example dirs: admin, db, php, sql, mysql -- in one swell foop. Plus it inserts your IP address IN every URI:

//[IP-address-here]:80/1phpmyadmin/

(That initial // is part of every URI.)

Have seen it three times from two sources, Austria (a1.net) and Italy (vdsti.it). Jorgee may also be connected to the even more obnoxious hits that begin with --

/Ringing.at.your.dorbell!

-- and include the Google REF:

http://google.com/search?q=2+guys+1+horse

For more observations, including an 85-URI set and Rewrite examples, see: [skepticism.us...]
5:33 pm on June 30, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15936
votes: 889


I suppose it's too much to hope that it literally says "http://google.com" since that's obviously bogus (real google referers use www.) and could then be globally blocked :(
7:55 pm on June 30, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


That is the exact referrer, precisely as it appeared all 861 times. Oy.

The UA was not Jorgee but rather all this: x00_-gawa.sa.pilipinas.2015!

(The URIs were every /cgi-bin/ script imaginable combined with "echo"-type commands, and including an IP address to a -- wait for it -- googleusercontent.com account.)

Compared to the massive Jorgee and pilipinas/2+guys+1+horse attacks, the current, single-hit "/xmlrpc.php" hits are gnats.
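
Added example, not part of any post in this thread: a log filter that flags the signatures reported above (the two Jorgee UA strings, the `//[IP]:80/` URI prefix, the `/Ringing.at.your.dorbell!` URI, the non-www Google referrer and the pilipinas UA) and counts them per client IP. The Apache combined log format, the label names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: Apache "combined" format (ip, request line, status, referer, UA)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (label, log field, pattern); every pattern comes from strings quoted in the thread
SIGNATURES = [
    ("jorgee-ua", "ua", re.compile(r"^(Mozilla/5\.0 )?Jorgee$")),
    ("ip-in-uri", "uri", re.compile(r"^//\d{1,3}(\.\d{1,3}){3}:80/")),
    ("doorbell-uri", "uri", re.compile(r"^/Ringing\.at\.your\.dorbell!")),
    ("bogus-google-ref", "referer",
     re.compile(r"^http://google\.com/search\?q=2\+guys\+1\+horse$")),
    ("pilipinas-ua", "ua", re.compile(r"^x00_-gawa\.sa\.pilipinas\.2015!$")),
]

def classify(line):
    """Return (client_ip, [matched labels]), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [label for label, field, rx in SIGNATURES if rx.search(m.group(field))]
    return m.group("ip"), hits

def summarize(lines):
    """Map each flagged client IP to {label: number of matching requests}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = classify(line)
        if parsed:
            for label in parsed[1]:
                report[parsed[0]][label] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

# Constructed sample lines using documentation address ranges, not real traffic
SAMPLE = [
    '198.51.100.7 - - [30/Jun/2015:15:50:01 +0000] "GET //192.0.2.10:80/1phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 Jorgee"',
    '198.51.100.7 - - [30/Jun/2015:15:50:01 +0000] "GET //192.0.2.10:80/admin/ HTTP/1.1" 404 209 "-" "Jorgee"',
    '203.0.113.9 - - [30/Jun/2015:19:40:12 +0000] "GET /Ringing.at.your.dorbell! HTTP/1.1" 404 209 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015!"',
    '203.0.113.9 - - [30/Jun/2015:19:40:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015!"',
    '192.0.2.44 - - [30/Jun/2015:20:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, counts)
```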
12:27 pm on July 2, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


2+guys+1+horse

How much damage could these guys really do? After all, they only have one horse between them.
12:40 pm on July 2, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10573
votes: 1125


Where's the riot?

Then again, I run a rather severe .htaccess.... lean toward whitelist, not blacklist. (remembering JD Morgan... miss that dude!)
1:17 pm on July 2, 2015 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 413


How much damage could these guys really do? After all, they only have one horse between them

I'm glad I wasn't drinking anything when I read that ;) ..Well played Sir, well played .. :))