Blacklist Candidate Number 2008-03-09

Published Saturday, March 8, 2008 @ 10:47 pm • 9 Responses

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker Looking Sharp ] Imagine, if you will, an overly caffeinated Bob Barker, hunched over his favorite laptop, feverishly scanning his server access files. Like some underpaid factory worker pruning defective bobble heads from a Taiwanese assembly line, Bob rapidly identifies and isolates suspicious log entries with laser focus. Upon further investigation, affirmed spammers, scrapers and crackers are swiftly blacklisted from future access. For the most heinous offenders, we suddenly hear Rod Roddy’s guzzling voice echo throughout the room:

“Candidate number 2008-03-09, COME ON DOWN!! — you’re the next contestant to get blacklisted from the site!”

Every week, I dig through my access and error logs to learn from the spammers, scrapers, and other cracker whores. Typically, attempts to exploit potential security vulnerabilities demonstrate the following characteristics:

  • indexed URLs targeted via attack strings
  • multiple URLs are tested for each attack
  • attacks occur quickly, usually within seconds
  • multiple IPs are used for each attack
  • IPs are vastly different, even random
  • many attacks are from Latin American, Asia Pacific, and RIPE networks

These trends are associated with a large majority of attacks, occurring frequently enough to be dismissed without further investigation. Attacks that deviate significantly from these familiar patterns are of particular interest, especially those involving a single IP address, enduring for longer time periods, or employing unusual attack methods. Such attacks pose a greater risk by demonstrating premeditation, threatening performance and compromising security. These more serious types of attacks are investigated fully and subsequently featured in the monthly Blacklist Candidate series. In this edition of the series, we expose, humiliate, and banish blacklist candidate #2008-03-09: IP address 87.248.163.54!

Synopsis

On March 4th, 2008, an attacker identified with IP address 87.248.163.54 attempted to access a series of nonexistent URLs, each consisting of the site’s blog root (http://perishablepress.com/press/) followed by a path string matching the following pattern:

/administrator/components/com_cropimage/admin.cropcanvas.php
/administrator/components/com_mambelfish/mambelfish.class.php
/administrator/components/com_peoplebook/param.peoplebook.php
/administrator/components/com_remository/admin.remository.php
/administrator/components/com_wmtgallery/admin.wmtgallery.php
/administrator/components/com_mosmedia/includes/media.divs.js.php
/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php
/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php

Here are the first, middle, and last entries generated in the site’s error log:

http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
.
.
.
http://perishablepress.com/press/components/com_swmenupro/ImageManager/Classes/ImageManager.php
.
.
.
http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php

Using variations of these URLs, the attacker hit my server approximately 100 times over the course of four minutes (from 15:01 to 15:05), averaging an attack every 2.4 seconds. Most likely, the attacker employed an automated script to execute the requests. Further, given the uniformity of the target URL and the similarity of the appended attack strings, this attack seems to be targeting a specific software platform that is not installed on the Perishable Press domain. This indicates that the attack was not specifically targeted at my site, but rather happened as a random vulnerability check. To prevent further attacks, the associated IP address was blocked on March 5th via htaccess. No similar incidents have occurred since.

Identification

According to the reverse-lookup results returned via ZoneEdit.Com’s free DNS utility, the identity of IP address 87.248.163.54 is as follows:

Host   54.163.248.87.in-addr.arpa
Type   PTR
Value  87-248-163-54.starnet.md

IP Address Contact Information

OrgName:    RIPE Network Coordination Centre 
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:  
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   87.0.0.0 - 87.255.255.255 
CIDR:       87.0.0.0/8 
NetName:    87-RIPE
NetHandle:  NET-87-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2004-04-06

# ARIN WHOIS database, last updated 2008-02-09 19:10

Further, the attacker employed a blank (unidentified) user-agent for every recorded attack.

Discussion

Although probably random, this attack was deliberate, automated, and hostile. Crackers trying to access URLs containing the term “administrator” are not your friends, and should be blocked immediately and dealt with accordingly. Too many people have grown accustomed to such attacks, easily dismissing them as “normal” or even “expected” activity on the Web. Wake up, folks! These mindless cracker whores are attacking your personal assets and deserve to be hunted down and punished as criminals. Would you casually dismiss someone trying to break into your car 100 times? I don’t even think so.

Details

Here are the first and last log entries for the attack. As discussed, each of the omitted entries [1] is similar to the following:

TIME: March 4th 2008, 03:01pm
404: *http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 87.248.163.54
USER AGENT: 
REMOTE IDENTITY:
.
.
.
[ ~ 100 similar records omitted for clarity ]
.
.
.
TIME: March 4th 2008, 03:05pm
404: *http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 87.248.163.54
USER AGENT: 
REMOTE IDENTITY:

[1] The entire log for this attack is available here.
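As an added example (not code from the post or from Perishable Press), here is a small Python script that applies the attack characteristics listed in the introduction to records in the layout of the 404 log shown above, tallies them per IP, and emits the per-IP htaccess deny directive for any address that fits the pattern. The sample records are constructed (the attacker IP and paths are the ones quoted in the post; the 192.0.2.7 visitor is invented for contrast), and the thresholds MIN_HITS and WINDOW_SECONDS are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the site's 404 error-log layout; the attacker IP and paths are
# the ones quoted in the post, the benign visitor (192.0.2.7, TEST-NET) is invented.
SAMPLE_LOG = """\
TIME: March 4th 2008, 03:01pm
404: *http://perishablepress.com/press/administrator/components/com_cropimage/admin.cropcanvas.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:

TIME: March 4th 2008, 03:02pm
404: *http://perishablepress.com/press/mistyped-permalink/
REMOTE ADDRESS: 192.0.2.7
USER AGENT: Mozilla/5.0 (constructed)

TIME: March 4th 2008, 03:03pm
404: *http://perishablepress.com/press/components/com_swmenupro/ImageManager/Classes/ImageManager.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:

TIME: March 4th 2008, 03:05pm
404: *http://perishablepress.com/press/administrator/components/com_chronocontact/excelwriter/Writer/Format.php
REMOTE ADDRESS: 87.248.163.54
USER AGENT:
"""

FIELD = re.compile(r"^([A-Z0-9 ]+?):\s*(.*)$")
SUSPECT_PATH = re.compile(r"/(administrator|components)/")  # the post's own indicator
MIN_HITS, WINDOW_SECONDS = 3, 300  # assumed thresholds: several probes inside five minutes

def parse_records(text):
    """One dict per record; a record starts at its TIME: line (blank lines are skipped)."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "TIME":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return records

def parse_time(s):
    """'March 4th 2008, 03:01pm' -> datetime; the ordinal suffix on the day is stripped first."""
    return datetime.strptime(re.sub(r"(\d+)(st|nd|rd|th)", r"\1", s), "%B %d %Y, %I:%M%p")

def summarize(records):
    """Per-IP indicators from the post: hits, distinct URLs, burst span, admin paths, blank UAs."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.get("REMOTE ADDRESS", "")].append(r)
    summary = {}
    for ip, rs in by_ip.items():
        times = sorted(parse_time(r["TIME"]) for r in rs)
        urls = {r.get("404", "").lstrip("*") for r in rs}  # the log marks the URL with '*'
        summary[ip] = dict(hits=len(rs), distinct_urls=len(urls),
                           span_seconds=(times[-1] - times[0]).total_seconds(),
                           admin_paths=sum(1 for u in urls if SUSPECT_PATH.search(u)),
                           blank_ua=sum(1 for r in rs if not r.get("USER AGENT")))
    return summary

def deny_directives(summary):
    """htaccess 'deny from' lines for IPs showing the pattern the post describes:
    a burst of blank-user-agent probes, every one for an administrator/components path."""
    return ["deny from %s" % ip for ip, s in sorted(summary.items())
            if s["hits"] >= MIN_HITS and s["span_seconds"] <= WINDOW_SECONDS
            and s["admin_paths"] == s["distinct_urls"] and s["blank_ua"] == s["hits"]]
```

Running `deny_directives(summarize(parse_records(SAMPLE_LOG)))` on the constructed sample yields only the attacker's address; the single mistyped permalink from the other visitor never reaches the hit threshold.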

Blacklist

Ladies and gentlemen, I am proud to announce the newest member of our growing htaccess blacklist, candidate #2008-03-09!

Blacklist via htaccess:

Here are two easy ways to blacklist this useless turd. The first method (and my preferred choice) is to block select portions of the URL attack strings:

# blacklist candidate 2008-03-09 = block administrative attacks
<IfModule mod_alias.c>
 redirectmatch 403 \/components\/
 redirectmatch 403 \/administrator\/
</IfModule>

Unfortunately, although this method would prevent further attacks, it would also block any legitimate URLs containing instances of the target strings. [ Update: Don from rants.thenexus.tk has confirmed that this first method will prevent Joomla users from accessing certain pages. ] Thus, for this particular blacklist candidate, we are better served by simply denying the attacker’s unique IP address:

# blacklist candidate 2008-03-09 = block administrative attacks
deny from 87.248.163.54

Or, to block via PHP:

As discussed in my article on blocking IP addresses with PHP, here is an alternate technique for blacklisting the attacker:

<?php // blacklist candidate 2008-03-09 = block administrative attacks
$deny = array("87.248.163.54"); // add further offending IP addresses to this list
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
   header("Location: http://www.google.com/"); // send the blocked client elsewhere
   exit();
} ?>

Thanks for playing, #2008-03-09 — we wouldn’t have done it without you!


Dialogue

9 Responses

1. H5N1

March 9, 2008 at 9:13 am

Wonderful and useful article :)
A little funny too :D

2. Perishable

March 9, 2008 at 1:09 pm

Thank you — I am glad you found it useful (and entertaining)! :)

3. Don

March 10, 2008 at 9:01 am

great article again dude;
a note on the joomla side of using this trick.
Don’t :p
the ‘\/components\/’ will muck about and possibly stop components from working. (tested on the only live component I had puarcade).
And then the ‘\/administrator\/’
will stop you getting in to your back end.

4. Perishable

March 10, 2008 at 2:45 pm

Yes, that’s what I figured.. it almost seems as if the attack was intended for Joomla, although other platforms may use similar structures. In either case, thanks for the confirmation — will definitely advise against the first method of blocking via htaccess.

5. Volkher Hofmann

April 18, 2008 at 8:48 am

Hi,

[disclaimer:] Consider me a nOOB who has spent quite some time reading up on your posts here before posting this.

Background: I have recently migrated my site from Expression Engine to Wordpress and - as expected - I’ve been deluged by spam from the second I switched the new site live. I had a couple of top spots on Google with the old site that I redirected permanently to the new site. They’re being harvested one by one and … well, you know the rest.

Ever since then - I wrote a post on it on my site - I’ve been reading around I don’t know how many sites to find a viable solution for my problem, a solution that’s “future-proof”.

Your blacklisting of attempts via a predefined and extendable blacklist seems to be the most future-proof, meaning I can work my way into your way of doing things and not waste any time trying to understand other plugins and whatnot … which might eventually disappear from the face of this earth.

In short, I think if I follow your excursions into swampy territories here, try to learn as I go along and adapt to the ever-changing tactics of the spam league, I might be able to transfer that knowledge CMS-independently in the future. You know, time-saving and all of that.

So, before I become a regular around here and while hoping that you won’t abandon your Don-Quixote-like fight against spam ;) , I have two (simple?) questions to get me going:

You started out with a blacklist which you then offered up (forgive me if I misread that) in a more compressed and efficient format. If, again, I understood correctly, all the subsequent posts (like this one) then offer up tidbits that I could add to the .htaccess file to build upon my/our defence(s). Am I correct? That means I would take the compressed blacklist file and add on everything that you’ve posted on this issue since then?

Secondly, I already have an .htaccess file that is several hundred lines long. There was no way I could rewrite the former links into the new ones (they didn’t really have a common denominator … or I was too dumb), so I have a bit more than one hundred permanent redirects in there that will be thrown out once Google has figured out that what was once there isn’t there anymore (or, elsewhere).

So, last question: If I tack your blacklist and snippets onto the file, will that have a major (minor I don’t care about) effect on the loading time of my site’s pages? The redirects didn’t seem to hurt much.

Thanks for bearing with me and for taking the time to read this.
I hope I wasn’t too much of a nuisance.

Cheers!

6. Perishable

April 20, 2008 at 3:47 pm

Welcome, Volkher! :)

First question: yes, you read correctly; the first blacklist was replaced with an optimized (compressed) version that was also updated with new bots and other villains. I would recommend using the compressed version over the original version. As for combining these different htaccess strategies (i.e., the “ultimate blacklist” and the “2G blacklist”), you are correct. For example, within my site’s root htaccess file, I placed a copy of my compressed blacklist after the other (non-blacklist) directives. Placement isn’t necessary, but I thought I would mention it. Then, after the first set of blacklist directives, and as a distinct and separate set of rules, I included a copy of the 2G blacklist. Beyond these two lists, I have several rules blocking specific user-agents, followed by a final set of individual “deny from” directives. So, to generalize this strategy (and to answer your question more directly), you should be able to include as many spam-blocking and other security-related rules as necessary in your root htaccess file. They are designed and intended to operate independently of one another in a perpetual state of symbiotic bliss. ;) As long as the code blocks are kept distinct and accurate, all should be fine.

And this leads very nicely into the response to your second question, which is also a resounding “yes”. As with any script, processing time is related to the number of executed steps. htaccess is no different; however, I have seen (and used) htaccess files with many more directives than we are talking about here. Of course, depending on the server and available resources, your mileage may vary. To check the performance for yourself, upload the htaccess file you intend to use and use a tool such as this free website speed test to determine the average load time. Then, remove the rules in question and run the test again. Comparing averages should give you a good indication of the effect on loading time. Incidentally, if you decide to run such a test, I would love to hear the results! :)

Now, I have a question for you.. I read through the comments in your intense WordPress: Spam Magnet article, and saw that Perishable Press itself had been blacklisted from your workplace’s filtering system. What’s up with that, anyway? I always thought of this site as the exact antithesis to all things spam-related on the Internet ;) No worries though — I understand the intricate complexities of administrative security policies (sarcasm). In any case, I hope this information helps! Let me know if I may be of any further assistance.

Regards,
Jeff

7. Volkher Hofmann

April 20, 2008 at 7:27 pm

Jeff,

thanks for your detailed reply. I’m glad I got it for once. For me this is all a totally new way of approaching things and I will finally dare to jump and learn how all these commands work in detail. I always stayed away from .htaccess because messing things up there usually screws up everything else as well. So, I’ll follow your instructions here (starting next weekend) and see what happens. I’ll also report back once I have things in place and let you know if I have any speed issues.

The comment about your site having been blacklisted came from some other visitor who then never returned, so I have no idea how that came about. But, and I’m just guessing here, if someone approaches spam fighting by letting some plugin reign free without keeping it in check, the same thing will happen that has been developing on my site … eventually, just about everything and everyone is being blocked, deterred or blacklisted. You need to take action to reverse some steps a plugin took to protect you from spam.

It’s the latter that had me thinking about searching for another solution. I’d like to be in charge without leaving the thinking work to a plugin.

Secondly, if I invest lots of time into figuring out what works, I’d like to invest that time on a method that’s future-proof, meaning that I can use and adapt the .htaccess method and migrate that to just about any other setup, should I decide to change CMS down the line.

So, thanks again … and I’ll be a regular around here to see what’s cookin’ …

8. Perishable

April 21, 2008 at 8:51 am

Sounds good, Volkher! I look forward to seeing you around the site. As always, let me know if I may be of any further assistance. Good luck!

9. Volkher Hofmann

April 21, 2008 at 12:50 pm

Thanks!
And … shall do.
Cheers!
