Blacklist Candidate Number 2008-04-27

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker Snarls at Rod Roddy ] Since the implementation of my 2G Blacklist, I have enjoyed a significant decrease in the overall number and variety of site attacks. In fact, I had to time-travel back to March 1st just to find a candidate worthy of this month’s blacklist spotlight. I felt like Rod Roddy looking over the Price-is-Right audience to announce the next name only to discover a quiet, empty room. And then like Bob gets pissed that nobody showed up and begins to bark and snarl at Rod to go across the street to the clam store and find some damn contestants. Or, ..um, something like that. Needless to say, this month’s data isn’t as fresh as I would have liked it, but I think you’ll find the information fascinating nonetheless. So let’s get on with it then:

Blacklist Candidate number 2008-04-27, come on down! You’re the next clam-store loser to get blacklisted from the site!

Synopsis

The breakdown: On March 1st, 2008, Perishable Press was attacked over 70 times from a single IP address. The attacks targeted well-known, indexed URLs by appending an apparently random selection of character strings. None of the attacks penetrated server/site defenses, and the scumbag was eventually blocked several days later after a routine access/error log investigation. The perpetrator (as identified via IP address) has not returned to the site since the initial attack.

Discussion

All attacks associated with this month’s blacklist candidate began on March 1st 2008, 02:45pm and continued until March 1st 2008, 03:39pm, as recorded in the site’s access/error logs. This is equivalent to around 54 minutes, during which time approximately 72 individual attacks were executed. This gives a rate of attack of about 1 attack every 45 seconds. Given that the attacks originated from a single, localized IP address, the rate of attack suggests that the process was not automated, but rather manually deployed.

Taken together, the attacks in this series targeted fewer than twenty-five well-known, search-engine-indexed URLs on the perishablepress.com domain (one URL per attack). Here are a few URL examples, taken directly from the associated access log:

http://perishablepress.com/press/page/25/
http://perishablepress.com/press/page/31/
http://perishablepress.com/press/2006/02/
http://perishablepress.com/press/2006/03/
http://perishablepress.com/press/2006/page/
http://perishablepress.com/press/author/perish/page/
http://perishablepress.com/press/author/perish/page/29/
http://perishablepress.com/press/2007/04/17/embed-flash-or-die-trying/
http://perishablepress.com/press/2007/02/04/embed-quicktime-notes-plus/
http://perishablepress.com/press/2006/07/26/wordpress-search-function-notes/feed/
http://perishablepress.com/press/2006/12/18/automatic-language-translation-methods/
http://perishablepress.com/press/2007/01/15/industrial-strength-spamless-email-links/
http://perishablepress.com/press/2007/12/03/wordpress-core-hacks-used-at-perishable-press/
http://perishablepress.com/press/2007/09/19/hacking-wordpress-the-ultimate-nofollow-blacklist/

Each of these URLs was appended with an apparently random assortment of character strings, including file names, JavaScript code, and PHP snippets. Here are a few examples of these “attack strings”, also taken from the access log:

...
$url/
$link/
onclick...
example.html-de
skeleton%20.css
no-javascript.html
path/doc.html?detectflash=false
%5BNext%20URL%20in%20series%5D/
%3C/?php%20the_permalink()%20?%3E
theimage%5Bi%5D%5B1%5D;return%20false/
this.options%5Bthis.selectedIndex%5D.value;

Within this brilliant arsenal of cracker nonsense, three unique query strings were also used in roughly ten of the attacks. These query strings are logged and appear as follows:

?detectflash=false
?php%20echo%20get_settings(
?php%20the_permalink()%20?%3E

Also, only three different user-agents were employed during the attacks. As logged:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

Further, each of the attacks occurred using the site’s default theme 1. No referral information is associated with any of the attack data. Here is a log excerpt demonstrating the attributes outlined in the previous discussion:

TIME: March 1st 2008, 03:25pm
404: *http://perishablepress.com/press/2006/08/page/3/%3C/?php%20echo%20get_settings(
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

TIME: March 1st 2008, 03:25pm
404: *http://perishablepress.com/press/2006/03/noscript.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/no-javascript.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/%3C/?php%20echo%20get_settings(
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/$url/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/%3C/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/5/page.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/02/this.options%5Bthis.selectedIndex%5D.value;
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
.
.
.
[ ~ 63 similar records omitted for clarity ]

In case you missed it, the entire access log is available here. ;)
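The investigation described above (one IP, a burst of 404s against indexed URLs with template and JavaScript fragments tacked on, and a pacing of roughly one hit every 45 seconds) can be reproduced over a raw Apache “combined” access log. The following Python script is an added example and is not code from the original post; it parses constructed sample log lines (the attacker address and the appended strings are the ones reported above; timestamps, sizes, and the benign client 192.0.2.10 from the RFC 5737 documentation range are invented), groups hits by client, flags paths that carry fragments which belong in a template or a page’s script rather than in a URL, and computes the mean gap between consecutive hits so the “manual vs. automated” judgement can be made from numbers rather than by eye. The list of suspicious fragments and the candidate thresholds are this example’s own heuristics, not anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache "combined" log sample. The attacker address and the
# appended strings are the ones reported in the post; timestamps, sizes and
# the benign client 192.0.2.10 (RFC 5737 documentation range) are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2008:14:40:02 +0000] "GET /press/page/25/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
84.122.143.99 - - [01/Mar/2008:15:25:00 +0000] "GET /press/2006/08/page/3/%3C/?php%20echo%20get_settings( HTTP/1.1" 404 1210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
84.122.143.99 - - [01/Mar/2008:15:25:30 +0000] "GET /press/2006/03/noscript.html HTTP/1.1" 404 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
84.122.143.99 - - [01/Mar/2008:15:26:15 +0000] "GET /press/2006/page/7/$url/ HTTP/1.1" 404 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
84.122.143.99 - - [01/Mar/2008:15:27:00 +0000] "GET /press/2006/02/this.options%5Bthis.selectedIndex%5D.value; HTTP/1.1" 404 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
84.122.143.99 - - [01/Mar/2008:15:28:00 +0000] "GET /press/2006/page/7/%3C/?php%20the_permalink()%20?%3E HTTP/1.1" 404 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [01/Mar/2008:15:30:00 +0000] "GET /press/2006/02/ HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [time], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic list (this example's own): fragments that belong in a template or
# in page JavaScript, never in a request path. Matched against the
# percent-decoded, lower-cased path.
SUSPICIOUS = (
    "?php", "?>",                      # PHP tags carried into the URL
    "$url", "$link",                   # unexpanded template variables
    "onclick", "return false",         # JavaScript handler fragments
    "this.options[", "selectedindex",  # DOM form-element code
    "[next url in series]",
)


def is_suspicious(path):
    p = path.lower()
    return any(tok in p for tok in SUSPICIOUS)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = unquote(rec["target"])
        yield rec


def analyze(text):
    """Per-client summary: volume, 404 count, flagged paths, UA variety and pacing."""
    per_ip = defaultdict(list)
    for rec in parse_log(text):
        per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        report[ip] = {
            "requests": n,
            "not_found": sum(1 for r in recs if r["status"] == "404"),
            "flagged": sum(1 for r in recs if is_suspicious(r["path"])),
            "user_agents": len({r["ua"] for r in recs}),
            "span_s": span,
            # Mean gap between consecutive hits; undefined for a single hit.
            "mean_gap_s": span / (n - 1) if n > 1 else None,
        }
    return report


def candidates(report, min_requests=3, min_404_share=0.8):
    """Clients worth a closer look: mostly 404s plus at least one flagged path."""
    out = []
    for ip, s in report.items():
        if s["requests"] < min_requests:
            continue
        if s["not_found"] / s["requests"] >= min_404_share and s["flagged"] > 0:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for ip in candidates(rep):
        s = rep[ip]
        print(f"{ip}: {s['requests']} hits, {s['not_found']} x 404, "
              f"{s['flagged']} flagged, {s['user_agents']} UAs, "
              f"mean gap {s['mean_gap_s']:.0f}s")
```

On the sample, the attacker address comes out with five hits, all 404, four of them carrying a flagged fragment, two user-agent strings, and a mean gap of 45 seconds, while the benign client never qualifies. A gap of tens of seconds between hits is the sort of pacing a person typing into an address bar produces; a scripted scanner typically shows sub-second gaps, which is why the mean gap is reported alongside the counts rather than folded into the threshold.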

Identification

Here is what we know about the identity of this month’s Blacklist Candidate:

IP Address: 84.122.143.99
Reverse IP lookup (provided via kloth.net):

Reverse Lookup Results
Host:  99.143.122.84.in-addr.arpa 
Type:  PTR
Value: 84.122.143.99.dyn.user.ono.com

IP Address Contact Information

OrgName:    RIPE Network Coordination Centre 
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:  
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   84.0.0.0 - 84.255.255.255 
CIDR:       84.0.0.0/8 
NetName:    84-RIPE
NetHandle:  NET-84-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2003-11-17
Updated:    2004-03-16

# ARIN WHOIS database, last updated 2008-03-01 19:10

Humiliation and Banishment

So, let’s summarize this pathetic clam-store wannabe. We have a single IP address registered in Amsterdam through the infamous RIPE network. Equipped with a whopping three differently identified user agents, our Blacklist Candidate for April targets a list of known URLs with an amateurish collection of piddly-wink attack strings that are simply “tacked on” to the targeted addresses. Then, as if this weren’t utterly sad enough by itself, consider that the average attack time is 45 seconds per hit. Like, you can just imagine ol’ numbnuts sitting there, counting on his fingers, typing in the browser’s address bar and mumbling out loud:

Duh, let’s see here, first you type the address, then you add the domain name.. um, no wait a minute.. first the address and then the secret code.. okay, um, now let’s see, what next.. oh yeah, hit the “enter” button..

Needless to say, idiots like this month’s Blacklist Candidate deserve to be exposed, humiliated, and ultimately banished. After all, even though the cracker shows zero signs of intelligence, the attacks were indeed deliberate and obviously hostile. Thus, I rest my case. Let’s blacklist this scumbag! :)

Blacklist via htaccess:

To blacklist this fool by IP via htaccess, copy & paste this code into your root htaccess file (click here for more information on this method):

# blacklist candidate 2008-04-27 = block clam store loser
deny from 84.122.143.99

Or, to block via PHP:

As discussed in my article on blocking IP addresses with PHP, here is an alternate technique for blacklisting the attacker:

<?php
// blacklist candidate 2008-04-27 = block clam store loser
// Compare the connecting client's address against the deny list and send
// matches elsewhere; this must run before any page output is sent, since
// header() cannot be called once output has started.
$deny = array("84.122.143.99");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
   header("Location: http://www.google.com/");
   exit();
}
?>
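Both blocking methods above match one exact address. The following Python example is added here and is not code from the post; it generalizes the same deny-list idea to exact addresses and CIDR ranges using the standard-library ipaddress module, and renders the list back out as htaccess lines with each comment on its own line (Apache does not accept a trailing quoted comment on a deny directive). The 198.51.100.0/24 entry is a constructed range from the RFC 5737 documentation space, included only to show range matching; the single address is the one named above. Because the reverse lookup above resolves the address into a dyn.user.ono.com pool, which suggests a dynamically assigned address that may later belong to someone else, each entry carries a dated note so it can be reviewed and retired.

```python
import ipaddress

# Deny-list entries: an exact address or a CIDR range, plus a dated note.
# The single address is the one named in the post; the /24 is a constructed
# example (RFC 5737 documentation range) to demonstrate range matching.
DENY = [
    ("84.122.143.99", "blacklist candidate 2008-04-27 = block clam store loser"),
    ("198.51.100.0/24", "constructed example range, added 2008-04-27"),
]


def compile_denylist(entries):
    """Parse each entry once; a bare address becomes a /32 (or /128) network."""
    return [(ipaddress.ip_network(spec, strict=False), note) for spec, note in entries]


def match_denylist(remote_addr, nets):
    """Return the note of the first matching entry, or None if the client is allowed.

    remote_addr must be the socket peer address (REMOTE_ADDR). Client-supplied
    headers such as X-Forwarded-For are only meaningful behind a proxy you
    control, so they are deliberately not consulted here.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Malformed peer address: not a match here, but worth logging elsewhere.
        return None
    for net, note in nets:
        if addr.version == net.version and addr in net:
            return note
    return None


def htaccess_rules(entries):
    """Render the list as Apache 2.2 mod_access lines, one comment line per entry."""
    lines = []
    for spec, note in entries:
        lines.append(f"# {note}")
        lines.append(f"deny from {spec}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = compile_denylist(DENY)
    for probe in ("84.122.143.99", "84.122.143.100", "198.51.100.77", "::1"):
        print(probe, "->", match_denylist(probe, nets) or "allowed")
    print(htaccess_rules(DENY))
```

Keeping the list in one place and generating the htaccess fragment from it avoids the two copies (htaccess and PHP) drifting apart when an entry is added or retired.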

As always, thanks for playing, number 2008-04-27 — we wouldn’t have done it without you!

Footnotes

  • 1 At the time of this writing, the site’s default theme is Perishable.