Blacklist Candidate Number 2008-01-02
Welcome to the Perishable Press “Blacklist Candidate” series! In this first post, we begin a new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags..
Every Wednesday, I take a little time to investigate my 404 error logs. In addition to spam, crack attacks, and other deliberate mischief, the 404 logs for Perishable Press contain errors due to missing resources, mistyped URLs, and the occasional bizarre or even suspicious behavior of the search-engine robots. Whenever possible, I attempt to resolve a majority of the “fixable” errors, either by restoring missing resources, adding an htaccess redirect, or by any other means available. Needless to say, perpetually analyzing and optimizing website traffic requires a healthy dose of determination, patience, and focus.
Our first candidate..
Having exercised a rigorous maintenance practice for well over a year now, my 404 error logs are almost completely devoid of all “fixable” 404 errors, and are filled almost exclusively with spam attacks, XSS attempts, and other miscellaneous cracker nonsense. Fortunately, my site has only fallen victim to such espionage on one occasion, and on a different server.
These days, I go through great lengths to ensure the stability and security of my site, banning all scum-infested IP addresses via my htaccess blacklist. Most of the meatsacks I encounter are small-time, piddly-wink candy-apples, but occasionally a more serious disease-bag will stumble along.
So, inspired by the helpful notices posted by A Daily Rant, I have decided to share some of the more depraved neanderthals with my audience (so kind, I know). Thus, in addition to the blacklist and blackhole data that I share with you, I am now also focusing on individual and small-group candidates for blacklisting. And so, in the philanthropic spirit of A Daily Rant, I am proud to expose blacklist candidate number 2008-01-02:
Some anonymous shmuck with IP address 75.126.85.215
Synopsis
According to my 404 error log, IP address 75.126.85.215 attempted to access the non-existent resource “/wp-admin/admin-ajax.php” 312 times on September 30th, 2007 and another 312 times on October 1st, 2007. During each attack, half of the access attempts were targeted at “/press/2007/wp-admin/admin-ajax.php” and the other half at “/press/wp-admin/admin-ajax.php”. The IP was blocked early October 2nd to prevent further attempts. Update: blocking this specific IP address seems to be effective — it is now January of 2008 and no similar attacks have yet occurred.
Identification
According to the reverse-lookup results returned via kloth.net’s free DNS utility, the identity of IP address 75.126.85.215 is as follows:
Host: 215.85.126.75.in-addr.arpa
Type: PTR
Value: 75.126.85.215.infomart.reverse.dnska.com.
IP Address Contact Information
SoftLayer Technologies Inc. SOFTLAYER-4-3 (NET-75-126-0-0-1)
75.126.0.0 - 75.126.255.255
Innovation IT Solutions Corp. NET-75-126-85-192 (NET-75-126-85-192-1)
75.126.85.192 - 75.126.85.223
# ARIN WHOIS database, last updated 2008-01-01 19:10
Discussion
Apparently, certain versions of WordPress suffer a potential security vulnerability related to an admin-related file named admin-ajax.php. Fortunately, at the time of the attack, I was running a version of WordPress that had fixed the vulnerability; however, that didn’t seem to stop our first official blacklist candidate from executing 624 access attempts. Candidate 2008-01-02’s attacks each lasted a duration of around 2 minutes, which translates to around 2.6 hits per second.
Details
Here are the first and last 404-log entries for both attacks. Here is the excerpt from September 30th [1]:
Note: in the log excerpts below, perishablepress.com was replaced with example.com. This was required to prevent endless 404 errors from googlebot constantly crawling plain-text URLs.
// SEPTEMBER 30th, 2007 (first and last 404 entries):
September 30th 2007, 07:50am >> https://example.com/press/2007/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
.
.
.
[310 similar records omitted for clarity]
.
.
.
September 30th 2007, 07:52am >> https://example.com/press/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
And here is the excerpt from the subsequent attack on October 1st:
// OCTOBER 1st, 2007 (first and last 404 entries):
October 1st 2007, 08:58pm >> https://example.com/press/2007/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
.
.
.
[310 similar records omitted for clarity]
.
.
.
October 1st 2007, 09:00pm >> https://example.com/press/wp-admin/admin-ajax.php
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:
Let’s stop this nonsense..
Blacklist
Candidate #2008-01-02, come on down — you’re the next contestant on the htaccess blacklist! Two ways to block this moron: via .htaccess OR via PHP.
Block via htaccess
# blacklist candidate 2008-01-02: admin-ajax.php attack
Deny from 75.126.85.215
Block via PHP
<?php // blacklist candidate 2008-01-02: admin-ajax.php attack
$deny = array("75.126.85.215");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
    header("Location: http://www.google.com/");
    exit();
}
?>
Thanks for playing, #2008-01-02 — we wouldn’t have done it without you!
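As an added example (this is not code from the original post, nor from the site’s own 404 logging or the plugin it mentions), the following Python script automates the review the post does by hand: it parses records in the 404-log layout shown in the Details section, flags any IP that hits missing resources in a burst (the threshold of 10 hits within 2 minutes is an assumed setting, not one the post states), renders the matching comment and “Deny from” pair for the htaccess blacklist, and provides an exact-match check equivalent to the PHP in_array() test above. The sample records are constructed here to mimic the excerpts: two minutes of alternating hits on the two admin-ajax.php paths from 75.126.85.215, plus two harmless hits from 192.0.2.10 (an RFC 5737 documentation address, not a real visitor).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Header line of one record, e.g.
# "September 30th 2007, 07:50am >> https://example.com/press/wp-admin/admin-ajax.php"
HEADER_RE = re.compile(r"^(?P<when>.+?) >> (?P<url>\S+)$")
# Ordinal suffix on the day ("30th", "1st") that strptime cannot parse.
ORDINAL_RE = re.compile(r"(\d+)(?:st|nd|rd|th)\b")


def parse_timestamp(text):
    """Turn 'September 30th 2007, 07:50am' into a datetime."""
    return datetime.strptime(ORDINAL_RE.sub(r"\1", text), "%B %d %Y, %I:%M%p")


def parse_404_log(text):
    """Parse the plain-text 404-log layout into a list of dicts.

    A record is a header line followed by 'KEY: value' lines; keys are
    lower-cased ('REMOTE ADDRESS' -> 'remote address') and an empty value
    such as 'REFERRER:' is kept as ''.
    """
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"when": parse_timestamp(m.group("when")), "url": m.group("url")}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return records


def find_burst_candidates(records, min_hits=10, window=timedelta(minutes=2)):
    """Flag IPs with at least min_hits 404s inside any window-sized span.

    A sliding window over each IP's sorted timestamps catches the burst the
    post describes (hundreds of hits in about two minutes), while a visitor
    who occasionally mistypes a URL never reaches the threshold.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.get("remote address", "")].append(rec)

    candidates = {}
    for ip, hits in by_ip.items():
        times = sorted(h["when"] for h in hits)
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            candidates[ip] = {
                "hits": len(hits),
                "peak_in_window": peak,
                "paths": sorted({h["url"] for h in hits}),
                "user_agents": sorted({h.get("user agent", "") for h in hits}),
            }
    return candidates


def htaccess_deny_lines(candidates, label):
    """Render the comment + 'Deny from' pair used in the post's htaccess blacklist."""
    lines = []
    for ip in sorted(candidates):
        info = candidates[ip]
        lines.append("# %s: %d hits on %d missing path(s)" % (label, info["hits"], len(info["paths"])))
        lines.append("Deny from %s" % ip)
    return lines


def is_denied(remote_addr, deny):
    """Exact-match test equivalent to the post's PHP in_array() check."""
    return remote_addr in deny


def _record(when, url, ip, agent):
    """Emit one record in the page's layout (used only to build the sample input)."""
    return "\n".join(["%s >> %s" % (when, url), "REFERRER:", "QUERY STRING:",
                      "REMOTE ADDRESS: %s" % ip, "USER AGENT: %s" % agent, "REMOTE IDENTITY:"])


ATTACK_IP = "75.126.85.215"   # the address named in the post
BENIGN_IP = "192.0.2.10"      # constructed; RFC 5737 documentation range
MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
PATHS = ("https://example.com/press/2007/wp-admin/admin-ajax.php",
         "https://example.com/press/wp-admin/admin-ajax.php")

# Constructed sample: 12 hits in two minutes alternating between the two paths,
# then two harmless 404s an hour apart from a visitor who mistyped a URL.
_blocks = [_record("September 30th 2007, 07:%02dam" % (50 + i // 6), PATHS[i % 2], ATTACK_IP, MSIE6)
           for i in range(12)]
_blocks += [_record("September 30th 2007, %s" % t, "https://example.com/press/missing-page", BENIGN_IP, "Mozilla/5.0")
            for t in ("08:00am", "09:00am")]
SAMPLE_LOG = "\n".join(_blocks)

if __name__ == "__main__":
    found = find_burst_candidates(parse_404_log(SAMPLE_LOG))
    print("\n".join(htaccess_deny_lines(found, "blacklist candidate 2008-01-02")))
```

Run as a script it prints the two blacklist lines for 75.126.85.215 and nothing for the benign address. Timestamps in this log layout have minute resolution, so a two-minute window is the finest meaningful unit; min_hits should be tuned to the site’s normal 404 volume, and a spoofed user-agent string (the IE6 string here is a common one) is worth recording but not trusting.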
Download
[1] For the purists among us, here is a copy of the logged activity recorded for this month’s Blacklist Candidate.
10 responses to “Blacklist Candidate Number 2008-01-02”
Haha, your way of taking spammers as if it was personal is funny.
I like this blog a little more every day!
Also, I wonder what tools you use to analyse the requests leading to a 404. I’m curious to see if my blog is menaced too, and kick some robot ass :)
Hi Louis,
Glad to see you again!
Trust me, I do get the joke — thus the lighthearted tone of the article — and I am glad you also see the humor in the whole charade. I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks. The mindless spammers may have no idea who they are attacking, but I assure you that those of us forced to spend time, effort, and money to combat such idiocy understand the situation quite intimately.
As for the tools I use to keep an eye on such nefarious behavior, I am preparing a plugin that is designed to do the job. Basically, I am using a variety of predefined PHP variables to create a log for all 404 hits. You need a writable log file that is written to by a custom 404 error page that captures all the desired information. Much more on this process is on the way — stay tuned..
Regards,
Jeff_
You are very lucky to have escaped a very vulnerable situation. You must be thinking “Thank God I updated blog platform…”
Of course! I underlined the pleasant part (I mean, you making fun of them) but these spammers are the modern scourge. I really wish we had a juridic way to deal with them.
As for the plugin you raise, that is gold news. Such a plugin would be a killer! I’m waiting on the edge of my seat :)
Note: I’m sad not to be able to tell you what I mean in my comments. I’m French and even if I get used to reading English, writing is still a pain for me.
What I’m trying to say is that there wouldn’t be confusion between us sometimes if I could write in my native language.
Oh, and I’d say that me enhancing my English thanks to you makes you kind of a teacher for me :D
@DeepFreeze: Yes, I am very fortunate to have been running a version of WP that was not vulnerable to that particular exploit, however, there are countless others targeted at nearly every version of WordPress available. But yes, I am indeed grateful!
@Louis: I agree, especially if you mean “juridic” in the sense of, “skinning them alive and feeding their still warm flesh to the dogs..” — they are indeed the modern day scourge (well said). As for the plugin, I have the 404 scripting stuff done, I just need to work it into the WP Admin. When finished, it will serve as an excellent way for WordPress users to keep a close eye on their 404 errors. I am excited about it as well :)
:’D
Good blogs (also forums) are always targets of hackers (lame guys who have too much time on their hands). So you should be extra careful.
PS: Also, it’s better to try to hack (/test) into your own blog to check whether your blog is vulnerable.
Great website, found searching Google for “PHP block IP address”. I’m having a guy from Russia (apparently) leave link requests for his sick porno-sites. I’m going to use your information to block him.
But I thought, why send him to Google where he can just search for his next victim. Instead let’s send them to: http://www.fbi.gov/cyberinvest/cyberhome.htm
Maybe that will give them a shock, even if momentarily. ;-)
Hi Jeff
I got to this link by reading your latest blackhole post for bad bots. I wanted to get your opinion on something. In my perusal of my logs containing bad people or bots landing on my pages over three websites I noticed that almost all of them are running IE 6. Do you also notice this situation?
I refer to this because there is so much discussion about whether or not a person should design for IE 6 or not. I contend that the largest numbers of users people pick up in their logs are bad bots or spammers.
Hi Brad,
Great point! IE6 as identified via user-agent string is a common sight in my error logs, but I can’t say that “almost all” are IE6. It’s a common spoof string for bad bots, so it seems safe to say that the usage numbers for IE6 are even lower than the data suggests.
And that’s good news :)