Blacklist Candidate 2008-10-19

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Television Flashback ] From time to time on the show, a contestant places a bid that is so absurd and so asinine that you literally laugh out loud, point at the monitor, and openly ridicule the pathetic loser. On such occasions, even the host of the show will laugh and mock the idiocy. Of course, this same situation happens frequently here at Perishable Press, where the scumbags that manage to escape the 3G Blacklist are proving themselves to be increasingly desperate and pathetic. Such is the case with this month’s official Blacklist Candidate Number 2008-10-19:

Come on down — you’re the next cracker whore to get banished from the site!

Synopsis

On June 10th, 2008 IP address 66.74.199.125 demonstrates its brilliance with 223 unresolved URL requests. The first recorded request occurs at 11:59 pm and the final recorded request occurs at 12:23 am. Over the course of this 24-minute period, the rate of attack fluctuates significantly. The average rate of attack is approximately 9.3 hits per minute — or 1 hit every 6.5 seconds — however, the maximum attack rate is 1 hit per 1.6 seconds. The user agent recorded throughout the attack is the ubiquitous Mozilla/4.0. Although it is not clear whether this attack was automated (i.e., bot) or manually executed (i.e., loser), its maliciousness is plainly observed in the recorded data. Note that this attack was stopped during its execution — 24 minutes into the game. Surely the number of ill hits would have skyrocketed without blacklist intervention.

Discussion

As mentioned, the recorded duration of this attack is about 24 minutes, but the number of hits per minute fluctuates considerably:

[ Chart: Attack Frequency ]
Attack frequency of Blacklist Candidate 2008-10-19

Or, numerically speaking:

Time - Hits
11:59pm - 11
12:00am - 31
12:01am - 9
12:02am - 9
12:03am - 6
12:04am - 0
12:05am - 1
12:06am - 0
12:07am - 0
12:08am - 4
12:09am - 0
12:10am - 4
12:11am - 0
12:12am - 0
12:13am - 0
12:14am - 0
12:15am - 14
12:16am - 5
12:17am - 14
12:18am - 13
12:19am - 37
12:20am - 14
12:21am - 18
12:22am - 31
12:23am - 2

While the rate of attack may or may not be significant in this admittedly non-critical situation, it should definitely be considered while diagnosing larger, more significant attacks. The interesting aspect of this particular attack is the set of URLs that were targeted. Each of the 223 unresolved requests targets a legitimate (valid) URL. “Aha!” I hear you say, “sounds like some sort of DoS attack,” perhaps with only a relatively small number of requests failing to respond. Then again, the IP address, 66.74.199.125, remains consistent throughout the attack. I am no expert, but most DoS attacks involve decentralized networks of compromised (“zombie”) machines, each with its own unique IP address. But then again, perhaps this was some sort of “pseudo”-DoS attack, executed manually or via script by some lone-ranger script-nobody out there sucking air in cyberspace. But wait, there’s more...

Looking closer at the collection of targeted URLs, we notice another interesting clue. Every one of the 223 hits requests a page-specific anchor, such as #content, #comments, and #search. Here is a list showing some of the anchors targeted during the attack:

#
#top
#explore
#discuss
#search
#content
#comment-form
#comment-56626
#comment-65403
#comment-65428
#comment-65457
#comment-65497
.
.
.
[ + many more ]

Each of these anchors was appended to an apparently random collection of valid URLs, indicative of a search-engine spider crawl or other automated bot-like behavior. For whatever reason, similar 404 errors are frequently recorded during spidering. Also, the main URLs themselves all seem to stem from the site’s common footer area — recent articles, popular posts, recent changes, etc. Further, the IP address associated with the attack resolves to Road Runner HoldCo LLC, a well-known ISP that supposedly harbors a healthy number of spider runners.

So, at this point, all clues point to some pathetic spidering attempt from somewhere in the seedy Road Runner neighborhood. One final note about the behavior of our little raid-sprayed spider friend is that it somehow managed to change the site’s theme from the previous default theme, Perishable, to one of my older themes, Garbage. This theme switch is observed after around 48 log entries, and persists throughout the remaining 175 logged requests. To see this behavior in the complete log file, check out the fourth line (“SOURCE”) in each entry, as demonstrated below:

>> PERISHABLE THEME >>

TIME: June 11th 2008, 12:01am
404: *http://perishablepress.com/press/2006/08/28/spamless-email-address-via-javascript/#content
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable          << PERISHABLE THEME
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 66.74.199.125
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
REMOTE IDENTITY: 

.
.
.

>> SWITCH TO GARBAGE THEME >>

TIME: June 11th 2008, 12:01am
404: *http://perishablepress.com/press/tag/javascript/#top
SITE: http://perishablepress.com/
SOURCE: Perishable/Garbage             << GARBAGE THEME
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 66.74.199.125
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
REMOTE IDENTITY:
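To put numbers on what the Discussion section does by hand (the hits-per-minute table, the peak rate, the telltale #anchors in the requested URLs, and the SOURCE-line theme switch), here is an added example, not code from the original post: a small Python parser for the multi-line TIME/404/SOURCE/REMOTE ADDRESS log format shown above, run over a constructed three-entry sample. A browser never transmits the fragment part of a URL, so requests that arrive with “#…” attached are a reliable sign of a crawler that scraped hrefs literally.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the post's 404-log format (blank line between entries).
SAMPLE_LOG = """\
TIME: June 11th 2008, 12:01am
404: *http://perishablepress.com/press/tag/javascript/#top
SOURCE: Perishable/Perishable
REMOTE ADDRESS: 66.74.199.125

TIME: June 11th 2008, 12:01am
404: *http://perishablepress.com/press/tag/css/#comments
SOURCE: Perishable/Garbage
REMOTE ADDRESS: 66.74.199.125

TIME: June 11th 2008, 12:03am
404: *http://perishablepress.com/press/feed/
SOURCE: Perishable/Garbage
REMOTE ADDRESS: 66.74.199.125
"""

def parse_entries(text):
    """Each blank-line-separated block becomes a dict of FIELD -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def minute_of(entry):
    """'June 11th 2008, 12:01am' -> '00:01' so hits can be bucketed per minute."""
    plain = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", entry["TIME"])
    return datetime.strptime(plain, "%B %d %Y, %I:%M%p").strftime("%H:%M")

def profile_ip(entries, ip):
    """Summarize one IP: hits per minute, busiest minute, requests carrying a
    URL fragment (never sent by real browsers), and themes seen in SOURCE."""
    mine = [e for e in entries if e.get("REMOTE ADDRESS") == ip]
    per_minute = Counter(minute_of(e) for e in mine)
    return {
        "hits": len(mine),
        "per_minute": dict(per_minute),
        "peak_per_minute": max(per_minute.values(), default=0),
        "fragment_hits": sum("#" in e.get("404", "") for e in mine),
        "themes": dict(Counter(e.get("SOURCE", "") for e in mine)),
    }
```

Feed it the full 223-entry log and the per_minute dict reproduces the table above, while a non-zero fragment_hits count on a single IP is the quick tell for this kind of spider.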

Identification

Here is what we know about the identity of this month’s candidate:

IP Address: 66.74.199.125
Reverse IP Lookup (provided via kloth.net):

Reverse Lookup Results

Host	125.199.74.66.in-addr.arpa
Type	PTR
Value	cpe-66-74-199-125.san.res.rr.com

IP Address Contact Information

OrgName:    Road Runner HoldCo LLC 
OrgID:      RRWE
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange:   66.74.0.0 - 66.75.255.255 
CIDR:       66.74.0.0/15 
NetName:    RR-WEST-2BLK
NetHandle:  NET-66-74-0-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-01-30
Updated:    2003-02-11

RTechHandle: ZS30-ARIN
RTechName:   ServiceCo LLC 
RTechPhone:  +1-703-345-3416
RTechEmail:  abuse@rr.com 

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName:   Abuse 
OrgAbusePhone:  +1-703-345-3416
OrgAbuseEmail:  abuse@rr.com

OrgTechHandle: IPTEC-ARIN
OrgTechName:   IP Tech 
OrgTechPhone:  +1-703-345-3416
OrgTechEmail:  abuse@rr.com

# ARIN WHOIS database, last updated 2008-06-10 19:10

Blacklist

This month’s candidate is either malicious, amateurish, or both. Whatever the reason — spider running, test crawls, email harvesting, exploit scanning, whatever — the final verdict is the same: blacklist the idiot. You just don’t need this type of unstable, unpredictable, resource-hogging agent hanging around. Block it out via HTAccess:

# blacklist candidate 2008-10-19 = block mindless spider running
deny from 66.74.199.125

..or via PHP:

<?php
// blacklist candidate 2008-10-19 = block mindless spider running
$deny = array("66.74.199.125");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
	header("Location: http://www.google.com/");
	exit();
}
?>

Done.

This concludes another blood-pumping edition of the Blacklist Candidate. Thanks for playing, #2008-10-19 — we wouldn’t have done it without you!

Resources