Blacklist Candidate Number 2008-02-10

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker points a finger ] Scumbag number 2008-02-10, “COME ON DOWN!!” — you’re the next baboon to get banished from the site!

Like many bloggers, I like to spend a little quality time each week examining my site’s error logs. The data contained in Apache, 404, and even PHP error logs is always enlightening. In addition to suspicious behavior, spam nonsense, and cracker mischief, this site frequently endures automated and even manual attacks targeting various XSS exploits, WordPress vulnerabilities, and other potential security holes. Although the number of successful attacks remains relatively small, the very nature of some of the attacks serves to threaten site performance, security and stability. Such is the case of blacklist candidate number 2008-02-10: IP address 128.111.48.138.

Synopsis

On January 31st, 2008, IP address 128.111.48.138 attempted to access an apparently random array of legitimate URLs, each appended with either of the following cryptic character strings:

[permalink]/x%7b.//000Ooz,m4//000____::um,qymuxH%3bmJ.5G+D//001F00Dox%7b1rF9DrEtxmn7unwp%7dqDr/

[permalink]/1x2n6l6bx6nt//001mAFC(-~l-xAou6.oCqAjB4ukkmrntoz1A//0011C/uikqijg4InjxGu.k

Alternating these two appended strings, the attacker hit my site over 200 times, beginning at 06:33 and ending at 08:14. Around half of the requests were referred from a matching URL with a query string, while the others were targeted via a matching URL without one (see the log below for details). To secure the site, the associated IP and offending character strings were blocked on February 3rd to prevent further attacks. No similar attacks have occurred since the blacklisting.

Identification

According to the reverse-lookup results returned via kloth.net’s free DNS utility, the identity of IP address 128.111.48.138 is as follows:

Host   48.111.128.in-addr.arpa
Type   NS
Value  ns1.ucsb.edu, ns2.ucsb.edu, funnies.cs.ucsb.edu

IP Address Contact Information

OrgName:    University of California, Santa Barbara 
OrgID:      UCSB
Address:    Office of Information Technology
Address:    North Hall 2124
City:       Santa Barbara
StateProv:  CA
PostalCode: 93106-3201
Country:    US

NetRange:   128.111.0.0 - 128.111.255.255 
CIDR:       128.111.0.0/16 
NetName:    UCSB
NetHandle:  NET-128-111-0-0-1
Parent:     NET-128-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.UCSB.EDU
NameServer: NS2.UCSB.EDU
NameServer: KNOT.BROWN.EDU

# ARIN WHOIS database, last updated 2008-02-09 19:10

Further, here is the user agent recorded for every entry in the access log:

Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.cs.ucsb.edu/)

Discussion

What on earth was the attacker trying to achieve using these alternating character strings? I honestly have no idea. Frankly, I don’t have the time to research every cryptic cracker technique that crosses my logs. One thing is certain, however, the attack was deliberate, automated, and hostile. Fortunately, my server endured the onslaught and infiltration was prevented. If you have information regarding the nature or purpose of this increasingly common type of attack, please share your insights with the community. I would love to know more about the mysterious character strings.

Details

Here are the first and last log entries for the attack. The entire set of excluded entries[1] is very similar to either of the following:

TIME: January 31st 2008, 06:33am
404: *http://perishablepress.com/press/tag/poetry/1x2n6l6bx6nt//001mAFC(-~l-xAou6.oCqAjB4ukkmrntoz1A//0011C/uikqijg4InjxGu.k
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: http://perishablepress.com/press/tag/poetry/
QUERY STRING: 
REMOTE ADDRESS: 128.111.48.138
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.cs.ucsb.edu/)
REMOTE IDENTITY:
.
.
.
[~200 similar records omitted for clarity]
.
.
.
TIME: January 31st 2008, 08:12am
404: *http://perishablepress.com/press/tag/metadata/x%7b.//000Ooz,m4//000____::um,qymuxH%3bmJ.5G+D//001F00Dox%7b1rF9DrEtxmn7unwp%7dqDr/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: http://perishablepress.com/press/tag/metadata/x%7B.//000Ooz,m4//000____::um,qymuxH;mJ.5G%20D//001F00Dox%7B1rF9DrEtxmn7unwp%7DqDr
QUERY STRING: 
REMOTE ADDRESS: 128.111.48.138
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.cs.ucsb.edu/)
REMOTE IDENTITY:

[1] The entire log for this attack is available here.

Blacklist

Candidate #2008-02-10, come on down — you’re the next contestant on the htaccess blacklist!

Blacklist via htaccess:

Here are two easy ways to blacklist this scumbag. The first method (and my preferred choice) is to block select portions of the URL character-string appendages:

# blacklist candidate 2008-02-10 = block cryptic character string attacks
<IfModule mod_alias.c>
 redirectmatch 403 xAou6
 redirectmatch 403 qymux
</IfModule>

And of course, the second blocking method is to simply deny the attacker’s unique IP address:

# blacklist candidate 2008-02-10 = cryptic character strings
deny from 128.111.48.138

Or, to block via PHP:

<?php
// blacklist candidate 2008-02-10 = cryptic character strings
$deny = array("128.111.48.138");
// redirect the listed address away from the site before any page output
if (isset($_SERVER['REMOTE_ADDR']) && in_array($_SERVER['REMOTE_ADDR'], $deny)) {
	header("Location: http://www.google.com/");
	exit();
}
?>
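To show how the log triage described under “Details” and the two blocking rules above fit together, here is an added Python example (my own code, not part of the original post or of any Perishable Press tooling). It parses records laid out like the 404-log excerpt, summarizes hits per remote address (count, first and last time, user agents, distinct appended strings), and then models the post’s two rules, the IP deny and the two RedirectMatch 403 fragments, as a decision function. The sample records are constructed: two replay the post’s appended strings from the flagged address, one is an unrelated 404 from 192.0.2.10, and one replays a string from 198.51.100.7, which shows that the fragment rule still catches the string when it arrives from an address not on the deny list.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample in the same layout as the post's excerpt (not the real log).
SAMPLE_LOG = """\
TIME: January 31st 2008, 06:33am
404: *http://perishablepress.com/press/tag/poetry/1x2n6l6bx6nt//001mAFC(-~l-xAou6.oCqAjB4ukkmrntoz1A//0011C/uikqijg4InjxGu.k
REFERRER: http://perishablepress.com/press/tag/poetry/
REMOTE ADDRESS: 128.111.48.138
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.cs.ucsb.edu/)

TIME: January 31st 2008, 08:12am
404: *http://perishablepress.com/press/tag/metadata/x%7b.//000Ooz,m4//000____::um,qymuxH%3bmJ.5G+D//001F00Dox%7b1rF9DrEtxmn7unwp%7dqDr/
REFERRER: http://perishablepress.com/press/tag/metadata/
REMOTE ADDRESS: 128.111.48.138
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.cs.ucsb.edu/)

TIME: January 31st 2008, 07:02am
404: *http://perishablepress.com/press/old-post-that-moved/
REFERRER: http://example.com/
REMOTE ADDRESS: 192.0.2.10
USER AGENT: Mozilla/5.0 (constructed browser agent)

TIME: February 1st 2008, 01:15pm
404: *http://perishablepress.com/press/tag/css/1x2n6l6bx6nt//001mAFC(-~l-xAou6.oCqAjB4ukkmrntoz1A//0011C/uikqijg4InjxGu.k
REFERRER: http://perishablepress.com/press/tag/css/
REMOTE ADDRESS: 198.51.100.7
USER AGENT: Mozilla/5.0 (constructed browser agent)
"""

# The post's two rules: the IP deny list and the RedirectMatch 403 fragments.
DENY_IPS = {"128.111.48.138"}
BLOCK_PATTERNS = [re.compile(p) for p in ("xAou6", "qymux")]


def parse_time(text):
    """'January 31st 2008, 06:33am' -> datetime (the ordinal suffix is dropped first)."""
    text = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", text)
    text = re.sub(r"(am|pm)$", lambda m: m.group(1).upper(), text)
    return datetime.strptime(text, "%B %d %Y, %I:%M%p")


def parse_records(text):
    """Split blank-line-separated records into dicts keyed by the log's field names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        records.append({
            "time": parse_time(fields["TIME"]),
            "url": fields["404"].lstrip("*"),  # the log prefixes the URL with '*'
            "ip": fields["REMOTE ADDRESS"],
            "ua": fields.get("USER AGENT", ""),
        })
    return records


def appended_string(url):
    """The appendage: from the path segment containing the first '//' to the end
    of the path, or None when the path has no doubled slash."""
    path = urlsplit(url).path
    dbl = path.find("//")
    if dbl < 0:
        return None
    return path[path.rfind("/", 0, dbl) + 1:]


def summarize(records):
    """Per-IP triage view: hit count, time window, user agents, distinct appendages."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    summary = {}
    for ip, recs in by_ip.items():
        times = [r["time"] for r in recs]
        summary[ip] = {
            "hits": len(recs),
            "first": min(times),
            "last": max(times),
            "agents": sorted({r["ua"] for r in recs}),
            "appendages": sorted({s for s in map(appended_string, (r["url"] for r in recs)) if s}),
        }
    return summary


def decide(record):
    """Model the post's rules: IP deny, then the 403 fragments against the decoded path.
    A request matching both is blocked either way; the order here is only for reporting."""
    if record["ip"] in DENY_IPS:
        return "deny (IP)"
    path = unquote(urlsplit(record["url"]).path)
    for pat in BLOCK_PATTERNS:
        if pat.search(path):
            return f"403 (pattern {pat.pattern})"
    return "allow"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ip, s in summarize(recs).items():
        print(ip, s["hits"], "hits", s["first"], "->", s["last"], s["agents"])
    for r in recs:
        print(r["ip"], decide(r))
```

The per-IP summary is what you would read off before deciding which rule to apply: the burst from one address with one user agent argues for the IP deny, while the fragment rule is the one that keeps working if the same strings come back from a different address.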

Thanks for playing, #2008-02-10 — we wouldn’t have done it without you!