Sunday, December 31, 2006

Complete Botnet List Used in PhotoCart Attack

This is probably a small botnet: only 174 IPs are currently involved in trying to infect a single website using the PhotoCart vulnerability. I decided to show just how far these people are willing to go to get around possible firewall blocks, just to make sure one of them succeeds.

Here's the complete botnet list:

I haven't fully processed this list yet, but 17 of these IPs are in blocks assigned to theplanet.com.

What I find most amusing here is that we hear so much about compromised home computers being involved in botnets, yet this batch, for the most part, appears to be dedicated servers in data centers.

This just confirms what I've been preaching about blocking access to your server from data centers, as they are a source of many problems, from scrapers to hackers.
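The per-IP summary lines above are the kind of report you get by aggregating a web server access log by client address and User-Agent. The following is an added example, not code from the original post: it parses Apache combined-format log lines (a few constructed samples are embedded), keeps only clients identifying as libwww-perl, counts their requests, and groups the flagged IPs by the registrable part of their reverse DNS so a concentration in one hosting provider (like the theplanet.com blocks noted above) stands out. The reverse-DNS map is a hypothetical stand-in for a live PTR lookup so the script runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Apache combined format (not taken from the original post).
SAMPLE_LOG = """\
64.8.118.5 - - [25/Dec/2006:03:14:07 -0500] "GET /cart/photocart.php?x=1 HTTP/1.0" 200 512 "-" "libwww-perl/5.801"
64.8.118.5 - - [25/Dec/2006:03:14:08 -0500] "GET /cart/photocart.php?x=2 HTTP/1.0" 200 512 "-" "libwww-perl/5.801"
216.16.246.154 - - [25/Dec/2006:03:14:09 -0500] "GET /cart/photocart.php?x=1 HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
192.0.2.10 - - [25/Dec/2006:03:15:00 -0500] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical reverse-DNS table standing in for PTR lookups (constructed for the example).
RDNS = {"64.8.118.5": "64-8-118-5.hsphereweb.com.", "216.16.246.154": "server154.ntouch.ca."}

def summarize(log_text, ua_prefix="libwww-perl/"):
    """Return {ip: (rdns, request_count, user_agent)} for clients whose UA starts with ua_prefix."""
    counts = Counter()
    agents = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("ua").startswith(ua_prefix):
            continue  # unparseable line or a browser UA: not part of this report
        counts[m.group("ip")] += 1
        agents[m.group("ip")] = m.group("ua")
    return {ip: (RDNS.get(ip, "unknown"), n, agents[ip]) for ip, n in counts.items()}

def format_report(summary):
    """Render one line per IP in the same shape as the list in the post, sorted by IP string."""
    return [f'{ip} [{rdns}] requested {n} pages as "{ua}"' for ip, (rdns, n, ua) in sorted(summary.items())]

def hosts_by_domain(summary):
    """Group flagged IPs by the last two reverse-DNS labels to spot one provider hosting many bots."""
    groups = defaultdict(list)
    for ip, (rdns, _, _) in summary.items():
        labels = rdns.rstrip(".").split(".")
        key = ".".join(labels[-2:]) if rdns != "unknown" and len(labels) >= 2 else "unknown"
        groups[key].append(ip)
    return dict(groups)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("\n".join(format_report(report)))
    print(hosts_by_domain(report))
```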

3 comments:

Anonymous said...

I don't have a clue about these things, but I have just changed my site's hosting servers and was just checking to see if the new DNS servers are working, and a reverse IP tool just came up with "server154.ntouch.ca" for my site. For the hell of it I looked it up in Google and your page has this address in it. I have no clue what this means. My domain is http://www.ebookorama.com
Incidentally, when searching Alexa for my domain it always brings up some unrelated site, regardless of where I am hosted. Well, I am not a spammer, just someone who's been having a go at internet marketing, with some mixed results, but that's life.

IncrediBILL said...

The reason "server154.ntouch.ca" is in the list above is because one account on that server, if not the entire server, was hacked (and may still be) and was involved in an attack on one of my servers on 12/25/2006.

Someone on that box may have an outdated phpBB, Mambo, or something similar that let the hackers onto the server.

I would be very nervous if I were hosting there at the moment unless the host confirmed that the intrusion had been removed and the server secured.

iTs said...

Hi, what's the domain of:
66.235.221.231 [host131.ipowerweb.com.] requested 107 pages as "libwww-perl/5.805"

?