Blacklist Candidate Number 2008-01-02

Come one, come all — today we officially begin a new series of posts here at Perishable Press: the public exposure, humiliation, and banishment of spammers, crackers, and other site attackers. Kicking things off for 2008: blacklist candidate number 2008-01-02!

[ Photo: Bob Barker makes a fist ] Every Wednesday, I take a little time to investigate my 404 error logs. In addition to spam, crack attacks, and other deliberate mischief, the 404 logs for Perishable Press contain errors due to missing resources, mistyped URLs, and the occasional bizarre or even suspicious behavior of the search-engine robots. Whenever possible, I attempt to resolve a majority of the “fixable” errors, either by restoring missing resources, adding an htaccess redirect, or by any other means available.

Having exercised this rigorous maintenance practice for well over a year now, my 404 error logs are almost completely devoid of all “fixable” 404 errors, and are filled almost exclusively with spam attacks, XSS attempts, and other miscellaneous cracker nonsense. Fortunately, my site has only fallen victim to such espionage on one occasion, and on a different server.

These days, I go to great lengths to ensure the stability and security of my site, banning all scum-infested IP addresses via my htaccess blacklist. Most of the meatsacks I encounter are small-time, piddly-wink candy-apples, but occasionally a more serious disease-bag will stumble along. So, inspired by the helpful notices posted by A Daily Rant, I have decided to share some of the more depraved neanderthals with my audience (so kind, I know). Thus, in addition to the blacklist and blackhole data that I share with you, I am now also focusing on individual and small-group candidates for blacklisting. And so, in the philanthropic spirit of A Daily Rant, I am proud to expose blacklist candidate number 2008-01-02: IP address 75.126.85.215!

Synopsis

According to my 404 error log, IP address 75.126.85.215 attempted to access the non-existent resource “/wp-admin/admin-ajax.php” 312 times on September 30th, 2007 and another 312 times on October 1st, 2007. During each attack, half of the access attempts were targeted at “/press/2007/wp-admin/admin-ajax.php” and the other half at “/press/wp-admin/admin-ajax.php”. The IP was blocked early on October 2nd to prevent further attempts. Update: blocking this specific IP address seems to be effective — it is now January of 2008 and no similar attacks have yet occurred.

Identification

According to the reverse-lookup results returned via kloth.net’s free DNS utility, the identity of IP address 75.126.85.215 is as follows:

Host   215.85.126.75.in-addr.arpa
Type   PTR
Value  75.126.85.215.infomart.reverse.dnska.com.

IP Address Contact Information

SoftLayer Technologies Inc. SOFTLAYER-4-3 (NET-75-126-0-0-1)
75.126.0.0 - 75.126.255.255

Innovation IT Solutions Corp. NET-75-126-85-192 (NET-75-126-85-192-1)
75.126.85.192 - 75.126.85.223

# ARIN WHOIS database, last updated 2008-01-01 19:10

Discussion

Apparently, certain versions of WordPress suffer from a potential security vulnerability related to an admin file named admin-ajax.php. Fortunately, at the time of the attack I was running a version of WordPress in which the vulnerability had already been fixed; that didn’t stop our first official blacklist candidate from executing 624 access attempts, however. Each of Candidate 2008-01-02’s attacks lasted around 2 minutes, which translates to around 2.6 hits per second.

Details

Here are the first and last 404-log entries for both attacks. First, the excerpt from September 30th [1]:

// SEPTEMBER 30th, 2007 (first and last 404 entries):

September 30th 2007, 07:50am   >>   http://perishablepress.com/press/2007/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY: 
.
.
.
[310 similar records omitted for clarity]
.
.
.
September 30th 2007, 07:52am   >>   http://perishablepress.com/press/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:

And here is the excerpt from the subsequent attack on October 1st:

// OCTOBER 1st, 2007 (first and last 404 entries):

October 1st 2007, 08:58pm   >>   http://perishablepress.com/press/2007/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY: 
.
.
.
[310 similar records omitted for clarity]
.
.
.
October 1st 2007, 09:00pm   >>   http://perishablepress.com/press/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:

[1] The entire log for this attack is available here.

Blacklist

Candidate #2008-01-02, come on down — you’re the next contestant on the htaccess blacklist!

Blacklist via htaccess:

# blacklist candidate 2008-01-02 = admin-ajax.php attack
deny from 75.126.85.215

Or, to block via PHP:

<?php
// blacklist candidate 2008-01-02 = admin-ajax.php attack
$deny = array("75.126.85.215");
// if the visitor's address is on the list, send them elsewhere and stop processing
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
	header("Location: http://www.google.com/");
	exit();
}
?>
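As an added example (not code from the original post or from Perishable Press), here is a Python script that does by machine what the Synopsis and Discussion sections do by hand: it parses 404-log records in the layout shown under Details, tallies hits per remote address, works out the duration and hits-per-second figure, and emits htaccess deny lines in the style of the Blacklist section for any address over a hit threshold. The log data is constructed inline, using TEST-NET addresses (192.0.2.10 for the offender, 198.51.100.7 for a benign visitor), the example.com hostname, and an assumed threshold of 20 hits; none of those values come from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Header line of each record in the post's 404-log layout, e.g.
#   "September 30th 2007, 07:50am   >>   http://host/path"
HEADER_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]+ \d{1,2}(?:st|nd|rd|th) \d{4}, \d{2}:\d{2}(?:am|pm))"
    r"\s+>>\s+(?P<url>\S+)$"
)
# "KEY: value" lines that follow a header (REFERRER, REMOTE ADDRESS, ...)
FIELD_RE = re.compile(r"^(?P<key>[A-Z][A-Z ]*):\s*(?P<value>.*)$")


def parse_stamp(stamp: str) -> datetime:
    """'September 30th 2007, 07:50am' -> datetime; the ordinal suffix is dropped first."""
    cleaned = re.sub(r"(\d)(?:st|nd|rd|th)\b", r"\1", stamp)
    return datetime.strptime(cleaned, "%B %d %Y, %I:%M%p")


def parse_log(text: str) -> list:
    """Return one dict per record: 'when', 'url' and the KEY: value fields beneath it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        head = HEADER_RE.match(line)
        if head:
            current = {"when": parse_stamp(head.group("stamp")), "url": head.group("url")}
            records.append(current)
            continue
        fld = FIELD_RE.match(line)
        if fld and current is not None:
            current[fld.group("key")] = fld.group("value").strip()
    return records


@dataclass
class Activity:
    hits: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    urls: set = field(default_factory=set)

    @property
    def seconds(self) -> float:
        return (self.last - self.first).total_seconds()

    @property
    def rate(self) -> float:
        # stamps have minute resolution; a burst inside one minute counts as one second
        return self.hits / max(self.seconds, 1.0)


def summarize(records: list) -> dict:
    """Aggregate parsed records by REMOTE ADDRESS."""
    by_ip = defaultdict(Activity)
    for rec in records:
        ip = rec.get("REMOTE ADDRESS")
        if not ip:
            continue  # a record without an address cannot be blocked anyway
        act = by_ip[ip]
        act.hits += 1
        act.first = rec["when"] if act.first is None else min(act.first, rec["when"])
        act.last = rec["when"] if act.last is None else max(act.last, rec["when"])
        act.urls.add(rec["url"])
    return dict(by_ip)


def candidates(by_ip: dict, min_hits: int = 20) -> dict:
    """Addresses whose 404 count reaches the (assumed) threshold."""
    return {ip: act for ip, act in by_ip.items() if act.hits >= min_hits}


def htaccess_block(ip: str, label: str, note: str) -> str:
    """Deny line in the post's htaccess style; the comment sits on its own line
    because Apache does not accept trailing comments after a directive."""
    return f"# blacklist candidate {label} = {note}\ndeny from {ip}\n"


# ---- constructed sample log (not real data): TEST-NET addresses and example.com ----
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"


def make_record(stamp: str, url: str, ip: str) -> str:
    return (f"{stamp}   >>   {url}\nREFERRER: \nQUERY STRING: \nREMOTE ADDRESS: {ip}\n"
            f"USER AGENT: {SAMPLE_UA}\nREMOTE IDENTITY: \n")


def build_sample_log() -> str:
    """312 admin-ajax.php hits from one address across 07:50-07:52, split over two
    paths like the post's attack, plus one mistyped URL from a benign visitor."""
    paths = ["http://example.com/press/2007/wp-admin/admin-ajax.php",
             "http://example.com/press/wp-admin/admin-ajax.php"]
    minutes = ["07:50am", "07:51am", "07:52am"]
    out = [make_record(f"September 30th 2007, {minutes[i // 104]}", paths[i % 2], "192.0.2.10")
           for i in range(312)]
    out.append(make_record("September 30th 2007, 09:15am",
                           "http://example.com/press/archvies/", "198.51.100.7"))
    return "".join(out)


if __name__ == "__main__":
    stats = summarize(parse_log(build_sample_log()))
    for ip, act in stats.items():
        print(f"{ip}: {act.hits} hits over {act.seconds:.0f}s ({act.rate:.1f}/s) on {len(act.urls)} url(s)")
    for ip in candidates(stats):
        print(htaccess_block(ip, "2008-01-02", "admin-ajax.php attack"), end="")
```

Run as-is, the script reports 312 hits over 120 seconds (2.6 per second, the figure from the Discussion section) for the constructed offender and a single hit for the benign visitor, and prints a deny block only for the former. Because the log stamps carry only minute resolution, the hit rate is a lower bound: a burst that falls entirely inside one minute is counted as lasting one second rather than dividing by zero.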

Thanks for playing, #2008-01-02 — we couldn’t have done it without you!