Blacklist Candidate Number 2008-04-27
by Jeff Starr on Sunday, April 27, 2008 – 4 Responses
Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.
Since the implementation of my 2G Blacklist, I have enjoyed a significant decrease in the overall number and variety of site attacks. In fact, I had to time-travel back to March 1st just to find a candidate worthy of this month’s blacklist spotlight. I felt like Rod Roddy looking over the Price-is-Right audience to announce the next name only to discover a quiet, empty room. And then like Bob gets pissed that nobody showed up and begins to bark and snarl at Rod to go across the street to the clam store and find some damn contestants. Or, ..um, something like that. Needless to say, this month’s data isn’t as fresh as I would have liked it, but I think you’ll find the information fascinating nonetheless. So let’s get on with it then:
Blacklist Candidate number 2008-04-27, come on down! You’re the next clam-store loser to get blacklisted from the site!
Synopsis
The breakdown: On March 1st, 2008, Perishable Press was attacked over 70 times from a single IP address. The attacks targeted well-known, indexed URLs by appending an apparently random selection of character strings. None of the attacks penetrated server/site defenses, and the scumbag was eventually blocked several days later after a routine access/error log investigation. The perpetrator (as identified via IP address) has not returned to the site since the initial attack.
Discussion
All attacks associated with this month’s blacklist candidate began on March 1st 2008, 02:45pm and continued until March 1st 2008, 03:39pm, as recorded in the site’s access/error logs. This is equivalent to around 54 minutes, during which time approximately 72 individual attacks were executed. This gives a rate of attack of about 1 attack every 45 seconds. Given that the attacks originated from a single, localized IP address, the rate of attack suggests that the process was not automated, but rather manually deployed.
Each attack within the series targeted fewer than twenty-five well-known, search-engine-indexed URLs from the perishablepress.com domain. Here are a few URL examples, taken directly from the associated access log:
http://perishablepress.com/press/page/25/
http://perishablepress.com/press/page/31/
http://perishablepress.com/press/2006/02/
http://perishablepress.com/press/2006/03/
http://perishablepress.com/press/2006/page/
http://perishablepress.com/press/author/perish/page/
http://perishablepress.com/press/author/perish/page/29/
http://perishablepress.com/press/2007/04/17/embed-flash-or-die-trying/
http://perishablepress.com/press/2007/02/04/embed-quicktime-notes-plus/
http://perishablepress.com/press/2006/07/26/wordpress-search-function-notes/feed/
http://perishablepress.com/press/2006/12/18/automatic-language-translation-methods/
http://perishablepress.com/press/2007/01/15/industrial-strength-spamless-email-links/
http://perishablepress.com/press/2007/12/03/wordpress-core-hacks-used-at-perishable-press/
http://perishablepress.com/press/2007/09/19/hacking-wordpress-the-ultimate-nofollow-blacklist/
Each of these URLs was appended with an apparently random assortment of character strings, including file names, JavaScript code, and PHP snippets. Here are a few examples of these “attack strings”, also taken from the access log:
...
$url/
$link/
onclick...
example.html-de
skeleton%20.css
no-javascript.html
path/doc.html?detectflash=false
%5BNext%20URL%20in%20series%5D/
%3C/?php%20the_permalink()%20?%3E
theimage%5Bi%5D%5B1%5D;return%20false/
this.options%5Bthis.selectedIndex%5D.value;
Within this brilliant arsenal of cracker nonsense, three unique query strings were also used in roughly ten of the attacks. These query strings are logged and appear as follows:
?detectflash=false
?php%20echo%20get_settings(
?php%20the_permalink()%20?%3E
Also, only three different user-agents were employed during the attacks. As logged:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1
Further, each of the attacks occurred using the site’s default theme [1]. No referral information is associated with any of the attack data. Here is a log excerpt demonstrating the attributes outlined in the previous discussion:
TIME: March 1st 2008, 03:25pm
404: *http://perishablepress.com/press/2006/08/page/3/%3C/?php%20echo%20get_settings(
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1
TIME: March 1st 2008, 03:25pm
404: *http://perishablepress.com/press/2006/03/noscript.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/no-javascript.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/%3C/?php%20echo%20get_settings(
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/$url/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/%3C/
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/5/page.html
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/02/this.options%5Bthis.selectedIndex%5D.value;
SITE: http://perishablepress.com/
SOURCE: Perishable/Perishable
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
.
.
.
[ ~ 63 similar records omitted for clarity ]
In case you missed it, the entire access log is available here. ;)
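As an added example (not code from the original post), here is a small Python script that pulls from this record layout the figures the discussion above works out by hand: 404 hits per remote address, the time span and mean seconds per hit, and the distinct user agents and query strings. The excerpt embedded in it is constructed in the same layout using the post’s IP and user agents; 203.0.113.7 is a made-up second address so that the grouping is visible.

```python
import re
from datetime import datetime

# Constructed excerpt in the record layout shown above (unused SITE:/SOURCE:/REFERRER: lines omitted).
SAMPLE_LOG = """\
TIME: March 1st 2008, 03:25pm
404: *http://perishablepress.com/press/2006/08/page/3/%3C/?php%20echo%20get_settings(
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1
TIME: March 1st 2008, 03:26pm
404: *http://perishablepress.com/press/2006/page/7/$url/
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
TIME: March 1st 2008, 03:28pm
404: *http://perishablepress.com/press/2006/03/old-post/
REMOTE ADDRESS: 203.0.113.7
USER AGENT: Mozilla/5.0 (constructed, one stray 404)
"""

def parse_records(text):
    # A record begins at each TIME: line; later "FIELD: value" lines join it.
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key == "TIME":
            current = {}
            records.append(current)
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return records

def parse_time(stamp):
    # "March 1st 2008, 03:25pm": drop the ordinal suffix, then strptime.
    return datetime.strptime(re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", stamp),
                             "%B %d %Y, %I:%M%p")

def summarize(records):
    # Per remote address: 404 count, time span, mean seconds per hit, and the
    # distinct user agents and non-empty query strings the post tallies by hand.
    by_ip = {}
    for rec in records:
        by_ip.setdefault(rec["REMOTE ADDRESS"], []).append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        times = sorted(parse_time(r["TIME"]) for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        summary[ip] = {"hits": len(recs), "span_s": span, "s_per_hit": span / len(recs),
                       "user_agents": {r.get("USER AGENT", "") for r in recs},
                       "query_strings": {r["QUERY STRING"] for r in recs if r.get("QUERY STRING")}}
    return summary
```

Run `summarize(parse_records(open("access.log").read()))` over a real export in this layout; an address with dozens of 404s, several user agents and a steady seconds-per-hit figure is exactly the profile the post describes.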
Identification
Here is what we know about the identity of this month’s Blacklist Candidate:
IP Address: 84.122.143.99
Reverse IP lookup (provided via zoneedit.com):
Reverse Lookup Results
Host: 99.143.122.84.in-addr.arpa
Type: PTR
Value: 84.122.143.99.dyn.user.ono.com
IP Address Contact Information
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 84.0.0.0 - 84.255.255.255
CIDR: 84.0.0.0/8
NetName: 84-RIPE
NetHandle: NET-84-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2003-11-17
Updated: 2004-03-16
# ARIN WHOIS database, last updated 2008-03-01 19:10
Humiliation and Banishment
So, let’s summarize this pathetic clam-store wannabe. We have a single IP address registered in Amsterdam through the infamous RIPE network. Equipped with a whopping three differently identified user agents, our Blacklist Candidate for April targets a list of known URLs with an amateurish collection of piddly-wink attack strings that are simply “tacked on” to the targeted addresses. Then, as if this weren’t utterly sad enough by itself, consider that the average attack time is 45 seconds per hit. Like, you can just imagine ol’ numbnuts sitting there, counting on his fingers, typing in the browser’s address bar and mumbling out loud:
Duh, let’s see here, first you type the address, then you add the domain name.. um, no wait a minute.. first the address and then the secret code.. okay, um, now let’s see, what next.. oh yeah, hit the “enter” button..
Needless to say, idiots like this month’s Blacklist Candidate deserve to be exposed, humiliated, and ultimately banished. After all, even though the cracker shows zero signs of intelligence, the attacks were indeed deliberate and obviously hostile. Thus, I rest my case. Let’s blacklist this scumbag! :)
Blacklist via htaccess:
To blacklist this fool by IP via htaccess, copy & paste this code into your root htaccess file (click here for more information on this method):
# blacklist candidate 2008-04-27 = block clam store loser
deny from 84.122.143.99
Or, to block via PHP:
As discussed in my article on blocking IP addresses with PHP, here is an alternate technique for blacklisting the attacker:
<?php
// blacklist candidate 2008-04-27 = block clam store loser
$deny = array("84.122.143.99");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
    header("Location: http://www.google.com/");
    exit();
}
?>
As always, thanks for playing, number 2008-04-27 — we wouldn’t have done it without you!
Footnotes
[1] At the time of this writing, the site’s default theme is Perishable.
4 Responses
Don – #1
*adds ip to list*
Just a side question how is the new version of the ‘2G blacklist’ coming along?
I’ve actually added it to a number of different sites and advocated it and a lot of use has been found from it :p
Perishable – #2
As a matter of fact, I am working on it this very moment. Just as I was checking my site for proper functionality (I still test on this domain), I happened to notice your comment and well, there you go. I am hoping to have something by this time next week, possibly a little longer. But let me tell you, the new 3G blacklist is shaping up very well! ;) Stay tuned!
Sandra – #3
Hi, it was interesting to read your post. Today I have found 391 occurrences of an attack similar to yours, where almost every URL from our site has been gone through with about half having “this.options%5Bthis.selectedIndex%5D.value” appended at the end of URL. The IP address was a single IP address 83.43.215.17 and it used several user agents as in your case.
The attack lasted just under 10 minutes, which led me to believe it could have been automated, also because of the way the URLs have been jumped from one to another (e.g. two URLs from different parts of the site hierarchy being accessed within the same second, which is near impossible by typing or cutting/pasting URLs).
Fortunately, our site is well protected and no harm done, but thought you should add the above IP to your blacklist.
Regards,
Sandra
Jeff Starr – #4
Hi Sandra, thanks for sharing this info — I will definitely check it out and then add it to the next version of the 3G Blacklist. Thanks!