chinese "testing" link hacking attempt?

11:21 pm on Dec 7, 2017 (gmt 0)

New User

Hi there. I use Clicky to keep realtime tracking of visitors. I haven't been promoting my website recently and there are very very few visitors. But, I'm getting repeat visits from an ISP in China and they use this link:

&wd=test

So there is my domain name, a slash and then the ending, like this:

https://www.example.com/&wd=test

Can anyone understand what they are doing?

[edited by: phranque at 1:56 am (utc) on Dec 8, 2017]
[edit reason] exemplified domain [/edit]

2:59 am on Dec 8, 2017 (gmt 0)

Full Member from CA 



Interesting discovery. I track Chinese bots, or at least I try to, and I have not noticed this before. These entries are from my 2017 Nov log.

Conclusion: They are going after javascript and CSS, and ignore all content. They are not trying to break into anything, only GETs. Suspicious activity, no doubt, but not malicious. I have banned a bunch of them before, as they show up as 403s, which means they have in the past scraped me, tested my security or posted spam. The docs they are reading contain English only and no Chinese. In summary, I have no clue what they are doing, but they are not malicious. For sure they are bots and not human.

Maybe someone else can tease out a meaning or intent?

The referral from Baidu has a ?WD=RAA or some other 3-4 letter combo I also have no clue. It might be some encoding from Chinese?

14.215.176.12 CHINANET Guangdong
14.215.176.4 CHINANET Guangdong
111.206.36.17 China Unicom Beijing
180.97.35.36 Chinanet Jiangsu
123.125.143.151 China Unicom Beijing
123.125.143.151
115.239.212.197 CHINANET-Zhejiang Hangzhou

All are referred from Baidu. I tried to replicate a referral from baidu but could not get a ?wd= result. All are going after my WordPress site. Three GETs are looking for a tag "developer.android.com". I have many documents that are findable with this criteria, but not as a tag. There are 3 GETs that are looking for the drug indometacin, which I do not have. The last GET is for "visaforchina.org", which I also have in a couple of documents, but my server returned a 404. All but one were rejected by my server.

All user agent names are "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0", which was used 155 times in my logs. It is pretty rare for a Chinese bot to have a proper bot UA.

Thanks for bringing this forward. I have an interest in the murky shadows of roaming Chinese bots.

14.215.176.12 [22/Nov/2017:06:31:26] "GET /wp/tag/developer-android-com/&wd=test HTTP/1.1" 404 16905 "http://www.baidu.com/s?wd=RAA" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
14.215.176.4 [23/Nov/2017:09:21:29] "GET /wp/tag/developer-android-com/&wd=test HTTP/1.1" 404 16905 "http://www.baidu.com/s?wd=EEH" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
111.206.36.17 [23/Nov/2017:20:32:25] "GET /wp/tag/developer-android-com/&wd=test HTTP/1.1" 404 313 "http://www.baidu.com/s?wd=GIS" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
180.97.35.36 [28/Nov/2017:23:14:10] "GET /wp/?p=4054&indometacin-over-the-counter&wd=test HTTP/1.1" 404 313 "http://www.baidu.com/s?wd=6CJ" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
123.125.143.151 [30/Nov/2017:01:21:34] "GET /wp/?p=4054&indometacin-over-the-counter&wd=test HTTP/1.1" 301 - "http://www.baidu.com/s?wd=JVDW" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
123.125.143.151 [30/Nov/2017:01:21:35] "GET /wp/2011/12/01/my-wordpress-blog-hijacked-the-pharma-hack/?indometacin-over-the-counter&wd=test HTTP/1.1" 200 45657 "http://www.baidu.com/s?wd=JVDW" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
115.239.212.197 [30/Nov/2017:13:44:13] "GET /wp/tag/visaforchina-org/&wd=test HTTP/1.1" 404 16917 "http://www.baidu.com/s?wd=W9G" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"


Here are the first IP's log entries. They are going after javascript and css but no content. It is odd that they are specifically targeting http/1.1404, but why?

GET /wp/tag/developer-android-com/&wd=test HTTP/1.1 404
GET /wp/wp-includes/js/wp-emoji-release.min.js?ver=4.9 HTTP/1.1 200
GET /wp/wp-content/plugins/yet-another-related-posts-plugin/style/widget.css?ver=4.9 HTTP/1.1 200
GET /wp/wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1 200
GET /wp/wp-includes/css/dashicons.min.css?ver=4.9 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome-child/style.css?ver=1.0.0 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/css/font-awesome-4.7.0/css/font-awesome.min.css?ver=4.9 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/style.css?ver=4.9 HTTP/1.1 200
GET /wp/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1 200


Similarly, only JS and CSS. Here they target HTTP/1.1200, except for the first GET, which goes after HTTP/1.1301.

GET /wp/?p=4054&indometacin-over-the-counter&wd=test HTTP/1.1 301
GET /wp/2011/12/01/my-wordpress-blog-hijacked-the-pharma-hack/?indometacin-over-the-counter&wd=test HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/style.css?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome-child/style.css?ver=1.0.0 HTTP/1.1 200
GET /wp/wp-includes/css/dashicons.min.css?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-includes/js/wp-emoji-release.min.js?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-content/plugins/yet-another-related-posts-plugin/style/widget.css?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-includes/js/wp-embed.min.js?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/css/font-awesome-4.7.0/css/font-awesome.min.css?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-content/plugins/yet-another-related-posts-plugin/style/related.css?ver=4.9.1 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/js/ribosome-scripts-functions.js?ver=1.0.0 HTTP/1.1 200
GET /wp/?live-comment-preview.js HTTP/1.1 200
GET /wp/wp-content/plugins/akismet/_inc/form.js?ver=4.0.1 HTTP/1.1 200
GET /wp/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/js/navigation.js?ver=20140711 HTTP/1.1 200
GET /wp/wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1 200
GET /wp/wp-content/themes/ribosome/css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff?v=4.7.0 HTTP/1.1 200
3:24 am on Dec 8, 2017 (gmt 0)

Senior Member from US 

lucy24



Here they target HTTP/1.1200, except for the first GET which goes after HTTP/1.1301
Seems like “HTTP/1\.\d\d” in and of itself would be grounds for denial. I’ve never seen multiple decimal places in my life. (I’m on shared hosting. Is it the kind of thing they would block at the gate?) Are those even legitimate numbers, or is it another bizarre kind of typo? Looking it up, I find it only as a response header. Which, in turn, explains “1.1404” and “1.1200”.

GET /wp/2011/12/01/my-wordpress-blog-hijacked-the-pharma-hack/?indometacin-over-the-counter&wd=test
Says it all, doesn’t it.

They are going after javascript and css but no content.
In the case of WP, aren’t these highly specialized script- or stylenames an indicator of exactly which plugins, addons, themes, skins and assorted software variations you’re using? It gives them information, but is liable to attract less attention than an up-front file request.
6:35 am on Dec 8, 2017 (gmt 0)

New User



Seems like we might have a couple in common, not sure. For me both are the &wd=test:

ip: 111.206.36.9 - Beijing, China - Organization= China Unicom Beijing -- Platform: Firefox 43.0 / Windows 7 / 1024x768

ip: 14.215.176.16 - Guangzhou, China - Organization=China Telecom Guangdong -- Platform: Firefox 43.0 / Windows 7 / 1024x768
12:48 pm on Dec 8, 2017 (gmt 0)

Full Member from CA 



"Seems like “HTTP/1\.\d\d” in and of itself would be grounds for denial."

This looks like a hook we could use. Thanks for that. I'll need to do more research and go back a couple of months to review their behaviour. Just a regular human read of any WordPress post will return all these GETs as well as the content. There's no way for me to hide these js and css GETs. For now I will monitor.

I have been trying to encourage human Chinese access to my site for a number of years, so have been encouraging the Chinese search engines such as Baidu and Yisou to index my site, as well as adding more Chinese language to my posts. As long as anyone from China (or anywhere else) is not actively malicious I tend to leave them alone.

risusSardonicus+, are you using your raw access log to track these Chinese bots? The raw access log will give you much more info. After the initial "&wd=test" these IP addresses then have some interesting activity, but do not use the "&wd=test". It is this activity that I'd like to track.
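One way to do the tracking asked for here, as an added example that is not the poster's own script: a small Python parser for combined-format access logs that flags the "&wd=test" hits carrying a Baidu referer and then reports what each of those IPs requested afterwards, splitting asset fetches (JS, CSS, fonts) from everything else. The sample log lines, the IP 198.51.100.7 and the requests after the seed hit are constructed for the example.

```python
import re
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
BAIDU_REF = re.compile(r"^https?://(www\.)?baidu\.com/s\?wd=")
ASSET_EXT = (".js", ".css", ".woff", ".woff2", ".ttf", ".png", ".gif")

# Constructed sample lines modelled on the thread's entries (not anyone's real log).
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
SAMPLE_LOG = "\n".join([
    f'14.215.176.12 - - [22/Nov/2017:06:31:26 +0000] "GET /wp/tag/developer-android-com/&wd=test HTTP/1.1" 404 16905 "http://www.baidu.com/s?wd=RAA" "{UA}"',
    f'14.215.176.12 - - [22/Nov/2017:06:31:27 +0000] "GET /wp/wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 97184 "-" "{UA}"',
    f'14.215.176.12 - - [22/Nov/2017:06:31:27 +0000] "GET /wp/wp-content/themes/ribosome/style.css?ver=4.9 HTTP/1.1" 200 31120 "-" "{UA}"',
    f'14.215.176.12 - - [22/Nov/2017:06:45:02 +0000] "GET /wp/wp-login.php HTTP/1.1" 403 199 "-" "{UA}"',
    f'198.51.100.7 - - [22/Nov/2017:06:40:00 +0000] "GET /wp/2011/12/01/some-post/ HTTP/1.1" 200 45657 "https://www.google.com/" "{UA}"',
])

def parse_line(line):
    # Returns a dict for one combined-format line, or None if it does not match.
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_seed(rec):
    # The thread's signature: "&wd=test" in the path plus a baidu.com/s?wd= referer.
    return "&wd=test" in rec["path"] and bool(BAIDU_REF.match(rec["referer"]))

def is_asset(path):
    return path.split("?", 1)[0].lower().endswith(ASSET_EXT)

def track_followups(log_text):
    """For each IP with a seed hit: count later JS/CSS/font fetches, list everything else."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    first_seed = {}
    for r in recs:  # earliest seed per IP; the log is assumed to be time-ordered
        if is_seed(r):
            first_seed.setdefault(r["ip"], r["time"])
    report = {ip: {"assets": 0, "other": []} for ip in first_seed}
    for r in recs:
        t0 = first_seed.get(r["ip"])
        if t0 is None or r["time"] < t0 or is_seed(r):
            continue  # IP never sent the seed, or this is the seed itself / earlier traffic
        if is_asset(r["path"]):
            report[r["ip"]]["assets"] += 1
        else:
            report[r["ip"]]["other"].append((r["path"], r["status"]))
    return report
```

Run it over a real raw access log by passing the file's contents to `track_followups`; the "other" list is the follow-on activity that is not explained by a browser loading the page.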
1:22 pm on Dec 8, 2017 (gmt 0)

Full Member from CA 



I did an IBM X-force lookup [exchange.xforce.ibmcloud.com] and found:

14.215.176.16 some reported bot activity, infected devices
111.206.36.9 some reported bot activity, infected devices
14.215.176.12 some reported bot activity, infected devices
14.215.176.4 some reported bot activity, infected devices
111.206.36.17 risk 4.3 some reported bot activity, infected devices
180.97.35.36 risk 7.1 scanning IPs for vulnerabilities
123.125.143.151 risk 4.3 some reported bot activity, infected devices, spam
115.239.212.197 risk 4.3 some reported bot activity, infected devices

Only 1 IP, 180.97.35.36, scans for vulnerabilities. The rest seem to be infected devices used in botnet attacks.
3:07 pm on Dec 16, 2017 (gmt 0)

Junior Member



I'm about to ban China, is it serious? I keep banning Chinese IPs but the referrer now appears to continually be www.baidu.com so I'm guessing my site must be in their engine. Perhaps a site remove request, is that possible? I think it is possible to fake a referrer so may not be baidu.
4:03 pm on Dec 16, 2017 (gmt 0)

Full Member from CA 



Go on baidu.com and search for your site. As China has banned Google search, baidu is the largest search engine. Chinese spammers are difficult to eradicate, and state sponsored entities hide in public IP ranges to do their work.