Blacklist Candidate Number 2008-02-10

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker points a finger ] Scumbag number 2008-02-10, “COME ON DOWN!!” — you’re the next baboon to get banished from the site!

Like many bloggers, I like to spend a little quality time each week examining my site’s error logs. The data contained in Apache, 404, and even PHP error logs is always enlightening. In addition to suspicious behavior, spam nonsense, and cracker mischief, this site frequently endures automated and even manual attacks targeting various XSS exploits, WordPress vulnerabilities, and other potential security holes. Although the number of successful attacks remains relatively small, the very nature of some of the attacks serves to threaten site performance, security and stability. Such is the case of blacklist candidate number 2008-02-10: IP address


On January 31st, 2008, IP address attempted to access an apparently random array of legitimate URLs, each appended with either of the following cryptic character strings:



Alternating these two appended strings, the attacker hit my site over 200 times, beginning at 06:33 and ending at 08:14. Around half of the requests referred from a matching-URL query-string, while the others were targeted via matching URL without a query string (see log below for details). To secure the site, the associated IP and offending character strings were blocked on February 3rd to prevent further attacks. No similar attacks have occurred since the blacklisting.


According to the reverse-lookup results returned via’s free DNS utility, the identity of IP address is as follows:

Type   NS

IP Address Contact Information

OrgName:    University of California, Santa Barbara 
OrgID:      UCSB
Address:    Office of Information Technology
Address:    North Hall 2124
City:       Santa Barbara
StateProv:  CA
PostalCode: 93106-3201
Country:    US

NetRange: - 
NetName:    UCSB
NetHandle:  NET-128-111-0-0-1
Parent:     NET-128-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.UCSB.EDU
NameServer: NS2.UCSB.EDU

# ARIN WHOIS database, last updated 2008-02-09 19:10

Further, here is the user agent recorded for every entry in the access log:

Mozilla/5.0 (compatible; heritrix/1.12.1 +


What on earth was the attacker trying to achieve using these alternating character strings? I honestly have no idea. Frankly, I don’t have the time to research every cryptic cracker technique that crosses my logs. One thing is certain, however: the attack was deliberate, automated, and hostile. Fortunately, my server endured the onslaught and infiltration was prevented. If you have information regarding the nature or purpose of this increasingly common type of attack, please share your insights with the community. I would love to know more about the mysterious character strings.


Here are the first and last log entries for the attack. The entire set of excluded entries 1 is very similar to either of the following:

TIME: January 31st 2008, 06:33am
404: *
SOURCE: Perishable/Perishable
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +
[~200 similar records omitted for clarity]
TIME: January 31st 2008, 08:12am
404: *,m4//000____::um,qymuxH%3bmJ.5G+D//001F00Dox%7b1rF9DrEtxmn7unwp%7dqDr/
SOURCE: Perishable/Perishable
USER AGENT: Mozilla/5.0 (compatible; heritrix/1.12.1 +

1 The entire log for this attack is available here.


Candidate #2008-02-10, come on down — you’re the next contestant on the htaccess blacklist!

Blacklist via htaccess:

Here are two easy ways to blacklist this scumbag. The first method (and my preferred choice) is to block select portions of the URL character-string appendages:

# blacklist candidate 2008-02-10 = block cryptic character string attacks
<IfModule mod_alias.c>
 redirectmatch 403 xAou6
 redirectmatch 403 qymux
</IfModule>

And of course, the second blocking method is to simply deny the attacker’s unique IP address:

# blacklist candidate 2008-02-10 = cryptic character strings
deny from

Or, to block via PHP:

<?php // blacklist candidate 2008-02-10 = cryptic character strings
$deny = array(""); // offending IP address (the value is missing from the page)
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
	// response sent to the blacklisted client; a 403 is assumed here, matching the htaccess rules above
	header('HTTP/1.1 403 Forbidden');
	exit();
} ?>
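The log review described in the attack entries above and the substring rules in the htaccess block can be combined into one detection pass. The following Python script is an added example, not code from the original post: it parses Apache combined-format lines (constructed samples with placeholder IPs and a placeholder crawler URL), flags requests carrying the fragments the RedirectMatch rules block, and reports per-IP hit counts with first and last timestamps, which is the summary the post builds by hand.

```python
import re
from collections import defaultdict
from datetime import datetime

# Substrings the post's RedirectMatch rules block; the full appended strings
# are not reproduced on the page, so only these fragments are matched.
BLOCKED_FRAGMENTS = ("xAou6", "qymux")

# Apache combined log format: client IP, timestamp, request line, status, size, referrer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_cryptic_request(request_line: str) -> bool:
    """True when the request path or query carries a blocked fragment (same test as the htaccess rule)."""
    return any(frag in request_line for frag in BLOCKED_FRAGMENTS)

def summarize(log_lines):
    """Group flagged requests by client IP: hit count, first/last timestamp, and user agents seen."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "agents": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_cryptic_request(m["req"]):
            continue  # unparsable line or an ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["agents"].add(m["ua"])
    return dict(hits)

# Constructed sample lines modelled on the post's log (IPs, paths and the UA URL are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2008:06:33:02 -0800] "GET /press/about/,xAou6 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; heritrix/1.12.1 +http://crawler.example/)"',
    '192.0.2.10 - - [31/Jan/2008:06:35:41 -0800] "GET /press/?s=,m4//000____::um,qymuxH%3bmJ HTTP/1.1" 404 512 "http://example.com/press/?s=qymux" "Mozilla/5.0 (compatible; heritrix/1.12.1 +http://crawler.example/)"',
    '198.51.100.7 - - [31/Jan/2008:07:02:13 -0800] "GET /press/about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 5.1)"',
    '192.0.2.10 - - [31/Jan/2008:08:12:57 -0800] "GET /press/contact/,xAou6 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; heritrix/1.12.1 +http://crawler.example/)"',
]

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["agents"]))
```

Feed it a real access log one line at a time and the per-IP summary gives the hit count, time window and user agent needed to decide between the string-based and IP-based blocks.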

Thanks for playing, #2008-02-10 — we wouldn’t have done it without you!