March 2009

Guess who?

Look who ignored robots.txt again after a couple of weeks.

#: 479 @: Mon, 30 Mar 2009 09:20:47 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/

So it's obviously not caching robots.txt, and having problems with it propogating to the scanners as they have claimed in an e-mail.

So now they are permanently §Hîtlisted as being part of the Russian Business Network. I have no doubts now... Oh wait, they might say that one was before they pulled robots.txt... but explain this one you a§§holes, over 2 hours later, and FAKING a http_referer from a protected page no less...

#: 482 @: Mon, 30 Mar 2009 11:42:48 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/zbblock.php

Oh, and btw, the same group of nogoodniks just slammed my friend's site for 100s of page pulls, in violation of robots.txt too. She's P.O.ed! Hell hath no wrath like a woman's robots.txt scorned.

Welcome to being labled as pure RBN trash in my blocklists.

EDIT: I might also mention here, that laycat, kyklo, aceleo, and dedibox are now all blocked by ZB Block which can be downloaded for free here.

Zaphod "Some Heads are Gonna Roll" Breeblebrox

Deffinate New MySQL attack through phpBB2 and possibly other CMS. ZB Block defends.

Well, just when you think life is boring, some aspiring skript kiddie tries a new attack! This one affects MySQL and was attempted against a phpBB2 board. I feel that this attack is probably damaging to any board, and perhaps even CMS systems.

This is a serious situation, and did require an update to the signatures in ZB Block. Here is what the new attack looked like...

#: 5437 @: Tue, 24 Mar 2009 21:10:16 -0600
Host: mail.tmanshost.com
IP: 207.44.178.47
Score: 2
Why blocked: MySQL attack. Mail server, usually infected. Please access from a regular domain name.
File: removed for security
Post:
Query: p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http://zaphodb777.dyndns.org/forum/viewtopic.php?p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*

Don't worry, that version has been neutered. It appears to be a self propogating worm, with several attack sequences, most much longer, attempting multiple injections into your MySQL db. ZB Block caught it on just 1 variable, and in smarter hands, would have missed it, and I would have been exploited.

Things the new attack has in common...

1. Uses a negative page number (probably to pop execution at a specified/known/expected place in the script.)
2. Uses "/**/" for blind concatenation of strings. The older attacks used "+".
3. Has a "/*" trailing at the end of query.

ZB Block's signatures have been updated to adapt to this new threat, and updating them is critical!

Zap.

Possible new kind of attack on your website, and revenue stream... Defamation by HTTP Referer!

I am not going to pretend I know ALL the inner workings of google adsense, but if bots are hitting your page, and dropping fake icky referrers like...

http://www.cigarclub.tld

http://cigarettes.cheap-24h.tld

http://www.pillthrills.tld

and

http://slimy-tentacle-hentai.pornshop.tld

They must be trying to convince something that actually sees the referrer of the visit, that you are linked from their crap pages... something perhaps like - - - Google Ad Sense?

That is my best guess, and now ZB Block has rules designed to block connections that contain reputation damaging HTTP_REFERERs. Included in Signature Update #24. Sure am glad I wrote it from the beginning to be extensible, as this only needed a signature update.

Now I just wonder how much damage they've done to my reputation allready.

UPDATE: It's amazing how often the word sex pops up in referers. One of my most important ones, NOAA/NWS, has the word in their site exit page URL. It's buried in the string "nwsexit". OOPS ON ME.

Removed that one detection...  

UPDATE 2: I think I am going to mothball these detections till I can find a narrower way to detect these problem fake linkers. Let us just pray that Google is smart enough to ignore crap referrers.

Laycat continues it's stupidity...

Well, first customer of Friday the 13th... GUESS WHO?!?

#: 292 @: Fri, 13 Mar 2009 01:42:01 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/forum/

GRRRRR! Now one of their ploys before was, they claim they don't pull robots .txt more than once in awhile, and it was desynchronized the first time. They claim this is to reduce load on the server, yeah whatever, it doesn't take any time at all to send a short robots.txt . It's been awhile. You didn't care, and started your crap again, getting into my site.

If this isn't a common 'sploit scanning probe with some fairly good sugar on top, I have no clue what it is. Every time it touches, the more I am sure of it.

Zap.

Laycat and it's ilk are finally machina non grata here.

Okay, a few months ago, I had some chit-chat with the people running this service, they actually seemed to be on the up and up about it, and claimed several things, that turned out not to be true. Here's some of what I found at fault with them.

1. Their robot does NOT pay attention to robots.txt and has caused what amounts to a DoS attack on a friend's website. (Site got shut down due to excessive use spike).
2. Their registrar is also a favorite of the RBN.
3. They claim they use 3 domain names, aceleo.com, laycat.com, and kyklo.com to supposedly detect if a site is masquerading as something different to them, but this is also a lie as they also probe from many points in the dedibox.fr domain!
4. They ignore 403 FORBIDDENs and continue to slam them. More on that in a bit.
5. It fakes http: referers to seem like it's allready "in session". (Where have we seen THAT before?)
6. Their bot masquerades as a browser. (Gee, ya reckon we've seen that too perhaps?)
7. No word outside of their own that anything will come of them.

Whoo, that's a lot of black to say about anyone online, but, I got logs to share with you!

#: 263 @: Wed, 11 Mar 2009 17:47:41 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/

That was the first rejection, Laycat has received it's first 403. It should not continue to try to go where it's not welcome, but...

#: 264 @: Wed, 11 Mar 2009 17:57:37 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/advice.php

Please note, it was never allowed to access the root in the first place, but somehow, it now has a referer saying it was sent to this page from the root! (BULLS**T!) It's scraping Google or some other search for these URLs.

#: 265 @: Wed, 11 Mar 2009 19:37:11 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/about.php

It tries 2 more URLs, both giving 403s, with the reason they were blocked. Then to be crafty, they pull the ace out of their sleeve, but I was waiting for it. (Remember, ZB Block doesn't like a lot of server farms, as they usually have no business surfing other sites.)

#: 266 @: Wed, 11 Mar 2009 19:44:56 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/anti-spyware.php

THROUGH

#: 271 @: Wed, 11 Mar 2009 20:24:13 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/contact.php

And then right back into laycat, and dedibox again for 10 more connects up to:

#: 281 @: Wed, 11 Mar 2009 22:00:24 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/tos.php

GAWD! How stupid can a bot be? Each connection resulted in a 403, each connection ignored robots.txt, each connection did not announce itself via user agent as a search engine robot.

My thoughts on this? Well, they aren't nice. To put it blunt and succinctly, I smell a rat.

To go into detail on my thoughts, I honestly think this is the "innocent" (cough) arm of the Russian Business Network.

One of the Ruskies favorite things to do is name their network something "<something>box.tld". Well, dedibox.fr fits the mold. Why would they have a scan-only network? Because, no one ever really catches the thief casing the joint he's going to rob. It's only during the burglary that they get noticed. Problem is, the burglar is locked up on the internet (blacklisted) and is not able to snoop elsewhere. If you split your surveillance, and attack portions, no one ever expects the snoop, well, no one who isn't into security at least. I will keep investigating. And as for now I am NOT SURE this is RBN, but it feels that way, and shall be blocked in ZB Block's signature update #21.

Zap.