Blacklist Candidate Number 2008-03-09

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker Looking Sharp ] Imagine, if you will, an overly caffeinated Bob Barker, hunched over his favorite laptop, feverishly scanning his server access files. Like some underpaid factory worker pruning defective bobble heads from a Taiwanese assembly line, Bob rapidly identifies and isolates suspicious log entries with laser focus. Upon further investigation, affirmed spammers, scrapers and crackers are swiftly blacklisted from future access. For the most heinous offenders, we suddenly hear Rod Roddy’s guzzling voice echo throughout the room:

“Candidate number 2008-03-09, COME ON DOWN!! — you’re the next contestant to get blacklisted from the site!”

Every week, I dig through my access and error logs to learn from the spammers, scrapers, and other cracker whores. Typically, attempts to exploit potential security vulnerabilities demonstrate the following characteristics:

  • indexed URLs targeted via attack strings
  • multiple URLs are tested for each attack
  • attacks occur quickly, usually within seconds
  • multiple IPs are used for each attack
  • IPs are vastly different, even random
  • many attacks are from Latin America, Asia Pacific, and RIPE networks

These trends are associated with a large majority of attacks, occurring frequently enough to be dismissed without further investigation. Attacks that deviate significantly from these familiar patterns are of particular interest, especially those involving a single IP address, enduring for longer time periods, or employing unusual attack methods. Such attacks pose a greater risk by demonstrating premeditation, threatening performance and compromising security. These more serious types of attacks are investigated fully and subsequently featured in the monthly Blacklist Candidate series. In this edition of the series, we expose, humiliate, and banish blacklist candidate #2008-03-09: IP address 87.248.163.54!

Synopsis

On March 4th, 2008, an attacker identified with IP address 87.248.163.54 attempted to access a series of nonexistent URLs, each consisting of the site’s blog root ( http://perishablepress.com/press/ ) appended by a character string emulating the following pattern:

/administrator/components/com_cropimage/admin.cropcanvas.php
/administrator/components/com_mambelfish/mambelfish.class.php
/administrator/components/com_peoplebook/param.peoplebook.php
/administrator/components/com_remository/admin.remository.php
/administrator/components/com_wmtgallery/admin.wmtgallery.php
/administrator/components/com_mosmedia/includes/media.divs.js.php
/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php
/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php

Here are the first, middle, and last entries generated in the site’s error log:

http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
.
.
.
http://perishablepress.com/press/components/com_swmenupro/ImageManager/Classes/ImageManager.php
.
.
.
http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php

Using variations of these URLs, the attacker hit my server approximately 100 times over the course of four minutes (from 15:01 to 15:05), averaging an attack every 2.4 seconds. Most likely, the attacker employed an automated script to execute the requests. Further, given the uniformity of the target URL and the similarity of the appended attack strings, this attack seems to be targeting a specific software platform that is not installed on the Perishable Press domain. This indicates that the attack was not specifically targeted at my site, but rather happened as a random vulnerability check. To prevent further attacks, the associated IP address was blocked on March 5th via htaccess. No similar incidents have occurred since.

Identification

According to the reverse-lookup results returned via kloth.net’s free DNS utility, the identity of IP address 87.248.163.54 is as follows:

Host   54.163.248.87.in-addr.arpa
Type   PTR
Value  87-248-163-54.starnet.md

IP Address Contact Information

OrgName:    RIPE Network Coordination Centre 
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:  
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   87.0.0.0 - 87.255.255.255 
CIDR:       87.0.0.0/8 
NetName:    87-RIPE
NetHandle:  NET-87-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2004-04-06

# ARIN WHOIS database, last updated 2008-02-09 19:10

Further, the attacker employed a blank (unidentified) user-agent for every recorded attack.

Discussion

Although probably random, this attack was deliberate, automated, and hostile. Crackers trying to access URLs containing the term “administrator” are not your friends, and should be blocked immediately and dealt with accordingly. Too many people have grown accustomed to such attacks, easily dismissing them as “normal” or even “expected” activity on the Web. Wake up, folks! These mindless cracker whores are attacking your personal assets and deserve to be hunted down and punished as criminals. Would you casually dismiss someone trying to break into your car 100 times? I don’t even think so.

Details

Here are the first and last log entries for the attack. As discussed, the entire set of excluded entries [1] is similar to the following:

TIME: March 4th 2008, 03:01pm
404: *http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 87.248.163.54
USER AGENT: 
REMOTE IDENTITY:
.
.
.
[ ~ 100 similar records omitted for clarity ]
.
.
.
TIME: March 4th 2008, 03:05pm
404: *http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 87.248.163.54
USER AGENT: 
REMOTE IDENTITY:

[1] The entire log for this attack is available here.
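The log records above follow a simple format, so the pattern this candidate fit (several distinct /administrator/ or /components/ URLs requested by one address within a few minutes, with a blank user agent) can be checked mechanically. The script below is an added example, not the author’s code: it parses the blank-line separated KEY: value records, groups the 404s by REMOTE ADDRESS, and emits a deny line in the htaccess style used later on this page. The sample log, the thresholds (3 distinct URLs, 300 seconds) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
ADMIN_PATH = re.compile(r"/(administrator|components)/")

# Constructed sample in the page's record format (fields not needed here omitted).
SAMPLE_LOG = """\
TIME: March 4th 2008, 03:01pm
404: *http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:

TIME: March 4th 2008, 03:01pm
404: *http://perishablepress.com/press/administrator/components/com_mambelfish/mambelfish.class.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:

TIME: March 4th 2008, 03:05pm
404: *http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:
"""

def parse_time(text):
    # "March 4th 2008, 03:01pm" -> datetime; the ordinal suffix is dropped first.
    return datetime.strptime(re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", text), "%B %d %Y, %I:%M%p")

def parse_records(log):
    # Each blank-line separated block of "KEY: value" lines becomes one dict.
    return [dict((k.strip(), v.strip()) for k, _, v in
                 (line.partition(":") for line in block.splitlines()))
            for block in re.split(r"\n\s*\n", log.strip())]

def flag_admin_probers(log):
    """{ip: (distinct admin URLs, seconds spanned, all UAs blank)} for probing IPs."""
    by_ip = defaultdict(list)
    for rec in parse_records(log):
        by_ip[rec["REMOTE ADDRESS"]].append(
            (parse_time(rec["TIME"]), rec["404"].lstrip("*"), rec.get("USER AGENT", "")))
    flagged = {}
    for ip, hits in by_ip.items():
        admin_urls = {url for _, url, _ in hits if ADMIN_PATH.search(url)}
        span = int((max(t for t, _, _ in hits) - min(t for t, _, _ in hits)).total_seconds())
        if len(admin_urls) >= 3 and span <= 300:  # several admin URLs within minutes
            flagged[ip] = (len(admin_urls), span, all(ua == "" for _, _, ua in hits))
    return flagged

def deny_rules(flagged):
    # One "deny from" line per flagged IP, in the page's htaccess style.
    return [f"deny from {ip}" for ip in sorted(flagged)]
```

A blank user agent alone is not grounds for a block, which is why it is reported alongside the count and time span rather than used as a trigger.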

Blacklist

Ladies and gentlemen, I am proud to announce the newest member of our growing htaccess blacklist, candidate #2008-03-09!

Blacklist via htaccess:

Here are two easy ways to blacklist this useless turd. The first method (and my preferred choice) is to block select portions of the URL attack strings:

# blacklist candidate 2008-03-09 = block administrative attacks
<IfModule mod_alias.c>
 redirectmatch 403 \/components\/
 redirectmatch 403 \/administrator\/
</IfModule>

Unfortunately, although this method would prevent further attacks, it would also block any legitimate URLs containing instances of the target strings. [ Update: Don from rants.thenexus.tk has confirmed that this first method will prevent Joomla users from accessing certain pages. ] Thus, for this particular blacklist candidate, we are better served by simply denying the attacker’s unique IP address:

# blacklist candidate 2008-03-09 = block administrative attacks
deny from 87.248.163.54

Or, to block via PHP:

As discussed in my article on blocking IP addresses with PHP, here is an alternate technique for blacklisting the attacker:

<?php
// blacklist candidate 2008-03-09 = block administrative attacks
$deny = array("87.248.163.54");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
	// send the blacklisted address elsewhere and stop processing the request
	header("Location: http://www.google.com/");
	exit();
}
?>

Thanks for playing, #2008-03-09 — we wouldn’t have done it without you!