Blacklist Candidate Number 2008-01-02
Published Wednesday, January 2, 2008 @ 11:23 am • 8 Responses
Come one, come all — today we officially begin a new series of posts here at Perishable Press: the public exposure, humiliation, and banishment of spammers, crackers, and other site attackers. Kicking things off for 2008: blacklist candidate number 2008-01-02!
![[ Photo: Bob Barker makes a fist ]](http://perishablepress.com/press/wp-content/images/2008/blacklisted/2008-01-02.jpg "Come on down! You're the next cracker whore to get blacklisted!")
Every Wednesday, I take a little time to investigate my 404 error logs. In addition to spam, crack attacks, and other deliberate mischief, the 404 logs for Perishable Press contain errors due to missing resources, mistyped URLs, and the occasional bizarre or even suspicious behavior of the search-engine robots. Whenever possible, I attempt to resolve a majority of the “fixable” errors, either by restoring missing resources, adding an htaccess redirect, or by any other means available.
Having exercised this rigorous maintenance practice for well over a year now, my 404 error logs are almost completely devoid of all “fixable” 404 errors, and are filled almost exclusively with spam attacks, XSS attempts, and other miscellaneous cracker nonsense. Fortunately, my site has only fallen victim to such espionage on one occasion, and on a different server.
These days, I go through great lengths to ensure the stability and security of my site, banning all scum-infested IP addresses via my htaccess blacklist. Most of the meatsacks I encounter are small-time, piddly-wink candy-apples, but occasionally a more serious disease-bag will stumble along. So, inspired by the helpful notices posted by A Daily Rant, I have decided to share some of the more depraved neanderthals with my audience (so kind, I know). Thus, in addition to the blacklist and blackhole data that I share with you, I am now also focusing on individual and small-group candidates for blacklisting. And so, in the philanthropic spirit of A Daily Rant, I am proud to expose blacklist candidate number 2008-01-02: IP address 75.126.85.215!
Synopsis
According to my 404 error log, IP address 75.126.85.215 attempted to access the non-existent resource, “/wp-admin/admin-ajax.php” 312 times on September 30th, 2007 and another 312 times on October 1st, 2007. During each attack, half of the access attempts were targeted at “/press/2007/wp-admin/admin-ajax.php” and the other half at “/press/wp-admin/admin-ajax.php”. The IP was blocked early October 2nd to prevent further attempts. Update: blocking this specific IP address seems to be effective — it is now January of 2008 and no similar attacks have yet occurred.
Identification
According to the reverse-lookup results returned via ZoneEdit.Com’s free DNS utility, the identity of IP address 75.126.85.215 is as follows:
Host 215.85.126.75.in-addr.arpa
Type PTR
Value 75.126.85.215.infomart.reverse.dnska.com.
IP Address Contact Information
SoftLayer Technologies Inc. SOFTLAYER-4-3 (NET-75-126-0-0-1)
75.126.0.0 - 75.126.255.255
Innovation IT Solutions Corp. NET-75-126-85-192 (NET-75-126-85-192-1)
75.126.85.192 - 75.126.85.223
# ARIN WHOIS database, last updated 2008-01-01 19:10Discussion
Apparently, certain versions of WordPress suffer a potential security vulnerability related to an admin-related file named admin-ajax.php. Fortunately, at the time of the attack, I was running a version of WordPress that had fixed the vulnerability, however, that didn’t seem to stop our first official blacklist candidate from executing 624 access attempts. Candidate 2008-01-02’s attacks each lasted a duration of around 2 minutes, which translates to around 2.6 hits per second.
Details
Here are the first and last 404-log entries for both attacks. Here is the excerpt from September 30th 1:
// SEPTEMBER 30th, 2007 (first and last 404 entries):
September 30th 2007, 07:50am >> http://perishablepress.com/press/2007/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
.
.
.
[310 similar records omitted for clarity]
.
.
.
September 30th 2007, 07:52am >> http://perishablepress.com/press/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:And here is the excerpt from the subsequent attack on October 1st:
// OCTOBER 1st, 2007 (first and last 404 entries):
October 1st 2007, 08:58pm >> http://perishablepress.com/press/2007/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
.
.
.
[310 similar records omitted for clarity]
.
.
.
October 1st 2007, 09:00pm >> http://perishablepress.com/press/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:1 The entire log for this attack is available here.
Blacklist
Candidate #2008-01-02, come on down — you’re the next contestant on the htaccess blacklist!
Blacklist via htaccess:
deny from 75.126.85.215 "# blacklist candidate 2008-01-02 = admin-ajax.php attack"Or, to block via PHP:
<?php // blacklist candidate 2008-01-02 = admin-ajax.php attack
$deny = array("75.126.85.215");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
header("location: http://www.google.com/");
exit();
} ?>Thanks for playing, #2008-01-02 — we couldn’t have done it without you!
About this article
Related articles
Dialogue
8 Responses Jump to comment form
January 6, 2008 at 4:28 am
you r very lucky to have escaped a very vulnerable situation. You must be thinking “Thank God I updated blog platform…”
January 6, 2008 at 7:21 am
I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks.
Of course ! I underlined the pleasant part (I mean, you making fun of them) but these spammers are the modern scourge. I really wish we had a juridic way to deal with them.
As for the plugin you raise,that is gold news. Such a plugin would be a killer ! I’m waiting on the edge of my seat :)
Note: I’m sad not to be able to tell you what I mean in my comments. I’m french and even if I get used to reading english, writing is still a pain for me.
What I’m trying to say is that there wouldn’t be confusion between us sometimes if I could write in my native langage.
Oh, and I’d say that me enhancing my english thanks to you makes you kind of a teacher for me :D
January 6, 2008 at 2:23 pm
I agree, especially if you mean “juridic” in the sense of, “skinning them alive and feeding their still warm flesh to the dogs..”
:’D
January 6, 2008 at 8:00 pm
Good Blogs (also forums) are always targets of Hackers (Lame Guys who have too much time in their hands). So you should be extra careful.
PS: Also its better to try to hack(/test) into your own blog to check whether your blog is vulnerable.
July 9, 2008 at 7:13 am
Great website, found searching Google for “PHP block IP address”. I’m having a guy from Russia (apparently) leave link requests for his sick porno-sites. I’m going to use your information to block him.
But I thought, why send him to Google where he can just search for his next victim. Instead let’s send them to: http://www.fbi.gov/cyberinvest/cyberhome.htm
Maybe that will give them a shock, even if momentarily. ;-)
Share your thoughts..
← Previous post • Next post →
« WordPress Tip: Reduce the Size of the WP-ShortStat Database Table • WordPress Plugin: Contact Coldform »
1 • Louis
January 4, 2008 at 7:02 pm
Haha, your way of taking spammers as if it was personnal is funny.
I like this blog a little more every day !
Also, I wonder what tools you use to analyse the requests leading to a 404. I’m curious to see if my blog is menaced too, and kick some robot ass :)