Perishable Press

Blacklist Candidate Number 2008-04-27

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

[ Photo: Bob Barker Snarls at Rod Roddy ] Since the implementation of my 2G Blacklist, I have enjoyed a significant decrease in the overall number and variety of site attacks. In fact, I had to time-travel back to March 1st just to find a candidate worthy of this month’s blacklist spotlight. I felt like Rod Roddy looking over the Price-is-Right audience to announce the next name only to discover a quiet, empty room. And then like Bob gets pissed that nobody showed up and begins to bark and snarl at Rod to go across the street to the clam store and find some damn contestants. Or, ..um, something like that. Needless to say, this month’s data isn’t as fresh as I would have liked it, but I think you’ll find the information fascinating nonetheless. So let’s get on with it then:

Blacklist Candidate number 2008-04-27, come on down! You’re the next clam-store loser to get blacklisted from the site!

Synopsis

The breakdown: On March 1st, 2008, Perishable Press was attacked over 70 times from a single IP address. The attacks targeted well-known, indexed URLs by appending an apparently random selection of character strings. None of the attacks penetrated server/site defenses, and the scumbag was eventually blocked several days later after a routine access/error log investigation. The perpetrator (as identified via IP address) has not returned to the site since the initial attack.

Discussion

All attacks associated with this month’s blacklist candidate began on March 1st 2008, 02:45pm and continued until March 1st 2008, 03:39pm, as recorded in the site’s access/error logs. This is equivalent to around 54 minutes, during which time approximately 72 individual attacks were executed. This gives a rate of attack of about 1 attack every 45 seconds. Given that the attacks originated from a single, localized IP address, the rate of attack suggests that the process was not automated, but rather manually deployed.

Each attack within the series targeted fewer than twenty-five well-known, search-engine-indexed URLs from the perishablepress.com domain. Here are a few URL examples, taken directly from the associated access log:

Note: in the following log entries, each instance of perishablepress.com was replaced with example.com. This was required to prevent endless 404 errors from googlebot constantly crawling plain-text URLs.

https://example.com/press/page/25/
https://example.com/press/page/31/
https://example.com/press/2006/02/
https://example.com/press/2006/03/
https://example.com/press/2006/page/
https://example.com/press/author/perish/page/
https://example.com/press/author/perish/page/29/
https://example.com/press/2007/04/17/embed-flash-or-die-trying/
https://example.com/press/2007/02/04/embed-quicktime-notes-plus/
https://example.com/press/2006/07/26/wordpress-search-function-notes/feed/
https://example.com/press/2006/12/18/automatic-language-translation-methods/
https://example.com/press/2007/01/15/industrial-strength-spamless-email-links/
https://example.com/press/2007/12/03/wordpress-core-hacks-used-at-perishable-press/
https://example.com/press/2007/09/19/hacking-wordpress-the-ultimate-nofollow-blacklist/

Each of these URLs was appended with an apparently random assortment of character strings, including file names, JavaScript code, and PHP snippets. Here are a few examples of these “attack strings”, also taken from the access log:

...
$url/
$link/
onclick...
example.html-de
skeleton%20.css 
no-javascript.html
path/doc.html?detectflash=false
%5BNext%20URL%20in%20series%5D/
%3C/?php%20the_permalink()%20?%3E
theimage%5Bi%5D%5B1%5D;return%20false/ 
this.options%5Bthis.selectedIndex%5D.value;

Within this brilliant arsenal of cracker nonsense, three unique query strings were also used in roughly ten of the attacks. These query strings are logged and appear as follows:

?detectflash=false
?php%20echo%20get_settings(
?php%20the_permalink()%20?%3E

Also, three different user agents were used during the attacks. As logged:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

Further, each of the attacks occurred using the site’s default theme [1]. No referral information is associated with any of the attack data. Here is a log excerpt demonstrating the attributes outlined in the previous discussion:

TIME: March 1st 2008, 03:25pm
404: *https://example.com/press/2006/08/page/3/%3C/?php%20echo%20get_settings(
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

TIME: March 1st 2008, 03:25pm
404: *https://example.com/press/2006/03/noscript.html
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/no-javascript.html
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/7/%3C/?php%20echo%20get_settings(
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/7/$url/
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/7/%3C/
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/5/page.html
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/02/this.options%5Bthis.selectedIndex%5D.value;
SITE: https://example.com/
SOURCE: Perishable/Perishable
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
.
.
.
[ ~ 63 similar records omitted for clarity ]
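The indicators worked out above by hand (hits per address, time span, seconds per hit, the three user agents, the empty referrer, and the junk tacked onto indexed URLs) can be recomputed straight from records in this layout. The script below is an added example, not code from the post or from Perishable Press. It parses the TIME / 404 / REFERRER / QUERY STRING / REMOTE ADDRESS / USER AGENT records shown in the excerpt; the sample records are constructed (the constant SITE and SOURCE lines are left out), the second address 198.51.100.7 and its URL are made up for contrast, and the thresholds in looks_like_probing are assumptions to tune for your own traffic.

```python
"""Per-IP summary of 404 probes in the post's record layout (added example,
not the post's own code). Sample records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Indexed URLs the junk was tacked onto (taken from the post's own examples).
KNOWN_URLS = [
    "https://example.com/press/2006/02/",
    "https://example.com/press/2006/03/",
    "https://example.com/press/2006/page/",
    "https://example.com/press/2006/page/7/",
]

# Constructed: three probes from the candidate IP, one ordinary 404 (a typo in
# an internal link) from a documentation-range address; SITE/SOURCE omitted.
SAMPLE_LOG = """\
TIME: March 1st 2008, 03:25pm
404: *https://example.com/press/2006/page/7/%3C/?php%20echo%20get_settings(
REFERRER:
QUERY STRING: php%20echo%20get_settings(
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

TIME: March 1st 2008, 03:26pm
404: *https://example.com/press/2006/page/7/$url/
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

TIME: March 1st 2008, 03:27pm
404: *https://example.com/press/2006/02/this.options%5Bthis.selectedIndex%5D.value;
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 84.122.143.99
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1

TIME: March 1st 2008, 03:30pm
404: *https://example.com/press/2006/03/embed-quicktime-note/
REFERRER: https://example.com/press/2006/03/
QUERY STRING:
REMOTE ADDRESS: 198.51.100.7
USER AGENT: Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0
"""


def parse_records(text):
    """Split the log into blank-line separated records of KEY: value pairs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # first colon only; URLs keep theirs
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def parse_time(stamp):
    """'March 1st 2008, 03:25pm' -> datetime (drops the st/nd/rd/th suffix)."""
    stamp = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", stamp)
    return datetime.strptime(stamp, "%B %d %Y, %I:%M%p")


def appended_tail(url):
    """Decoded junk that follows the longest known URL prefix, or None."""
    url = url.lstrip("*")  # the post's log marks 404 URLs with a leading '*'
    bases = [u for u in KNOWN_URLS if url.startswith(u)]
    return unquote(url[len(max(bases, key=len)):]) if bases else None


def summarize(records):
    """Aggregate the post's indicators per REMOTE ADDRESS."""
    acc = defaultdict(lambda: {"times": [], "agents": set(), "tails": set(),
                               "queries": set(), "no_referrer": 0})
    for rec in records:
        s = acc[rec["REMOTE ADDRESS"]]
        s["times"].append(parse_time(rec["TIME"]))
        s["agents"].add(rec["USER AGENT"])
        if not rec.get("REFERRER"):
            s["no_referrer"] += 1
        tail = appended_tail(rec["404"])
        if tail:
            s["tails"].add(tail)
        if rec.get("QUERY STRING"):
            s["queries"].add(unquote(rec["QUERY STRING"]))
    out = {}
    for ip, s in acc.items():
        hits = len(s["times"])
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        out[ip] = {"hits": hits, "span_seconds": span,
                   "seconds_per_hit": span / hits,  # the post's 54 min / 72 hits = 45 s
                   "agents": sorted(s["agents"]), "no_referrer": s["no_referrer"],
                   "tails": sorted(s["tails"]), "queries": sorted(s["queries"])}
    return out


def looks_like_probing(stats, min_hits=3, min_tails=3):
    """The post's pattern: a burst of referrer-less 404s from one address, each a
    known URL with a different junk string appended. Thresholds are assumptions."""
    return (stats["hits"] >= min_hits
            and stats["no_referrer"] == stats["hits"]
            and len(stats["tails"]) >= min_tails)


if __name__ == "__main__":
    for ip, stats in summarize(parse_records(SAMPLE_LOG)).items():
        print(ip, "PROBING" if looks_like_probing(stats) else "ok", stats)
```

Pointing parse_records at the full downloaded log instead of SAMPLE_LOG gives the same per-IP table for the real 72 hits; the longest-prefix match in appended_tail is what separates a junk suffix from a legitimately deeper path such as /2006/page/7/.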

In case you missed it, the entire access log is available here. ;)

Identification

Here is what we know about the identity of this month’s Blacklist Candidate:

  • IP Address: 84.122.143.99
  • Reverse IP Lookup: 84.122.143.99.dyn.user.ono.com

Complete reverse lookup courtesy of kloth.net:

Reverse Lookup Results
Host:  99.143.122.84.in-addr.arpa 
Type:  PTR
Value: 84.122.143.99.dyn.user.ono.com

IP Address Contact Information

OrgName:    RIPE Network Coordination Centre 
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:  
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   84.0.0.0 - 84.255.255.255 
CIDR:       84.0.0.0/8 
NetName:    84-RIPE
NetHandle:  NET-84-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2003-11-17
Updated:    2004-03-16

# ARIN WHOIS database, last updated 2008-03-01 19:10

Humiliation and Banishment

So, let’s summarize this pathetic clam-store wannabe. We have a single IP address registered in Amsterdam through the infamous RIPE network. Equipped with a whopping three differently identified user agents, our Blacklist Candidate for April targets a list of known URLs with an amateurish collection of piddly-wink attack strings that are simply “tacked on” to the targeted addresses.

Then, as if this weren’t utterly sad enough by itself, consider that the average attack time is 45 seconds per hit. Like, you can just imagine ol’ numbnuts sitting there, counting on his fingers, typing in the browser’s address bar and mumbling out loud:

Duh, let’s see here, first you type the address, then you add the domain name.. um, no wait a minute.. first the address and then the secret code.. okay, um, now let’s see, what next.. oh yeah, hit the “enter” button..

Needless to say, idiots like this month’s Blacklist Candidate deserve to be exposed, humiliated, and ultimately banished. After all, even though the cracker shows zero signs of intelligence, the attacks were indeed deliberate and obviously hostile. Thus, I rest my case. Let’s block this scumbag! :)

Block via htaccess

To block this fool by IP via htaccess, copy & paste this code into your root htaccess file (click here for more information on this method):

# blacklist candidate 2008-04-27: block clam store loser
Deny from 84.122.143.99

Block via PHP

As discussed in my article on blocking IP addresses with PHP, here is an alternate technique for blacklisting the attacker:

<?php // blacklist candidate 2008-04-27: block clam store loser
$deny = array("84.122.143.99"); // add further addresses to this array as needed
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
   // send the blocked visitor elsewhere and stop processing the page
   header("Location: http://www.google.com/");
   exit();
} ?>

As always, thanks for playing, number 2008-04-27 — we wouldn’t have done it without you!

Download

For the purists among us, here is a copy of the logged activity recorded for this month’s Blacklist Candidate.

Download log file »

Footnotes

  • [1] At the time of this writing, the site’s default theme is “Perishable”. Check out all Perishable Press themes.

About the Author: Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
6 responses
  1. *adds ip to list*

    Just a side question how is the new version of the ‘2G blacklist’ coming along?

    I’ve actually added it to a number of different sites and advocated it and a lot of use has been found from it :p

  2. Jeff Starr

    As a matter of fact, I am working on it this very moment. Just as I was checking my site for proper functionality (I still test on this domain), I happened to notice your comment and well, there you go. I am hoping to have something by this time next week, possibly a little longer. But let me tell you, the new 3G blacklist is shaping up very well! ;) Stay tuned!

  3. Hi, it was interesting to read your post. Today I have found 391 occurrences of an attack similar to yours, where almost every URL from our site has been gone through with about half having “this.options%5Bthis.selectedIndex%5D.value” appended at the end of URL. The IP address was a single IP address 83.43.215.17 and it used several user agents as in your case.

    The attack lasted just under 10 minutes, which led me to believe it could have been automated, also because of the way the URLs have been jumped from one to another (e.g. two URLs from different part of site hierarchy being accessed within the same second, which is near impossible by typing or cutting/pasting URLs).

    Fortunately, our site is well protected and no harm done, but thought you should add the above IP to your blacklist.

    Regards,

    Sandra

  4. Jeff Starr

    Hi Sandra, thanks for sharing this info — I will definitely check it out and then add it to the next version of the 3G Blacklist. Thanks!

  5. I noticed some 404s in my error log recently with the same “this.options%5Bthis.selectedIndex%5D.value” appended to the URL. In this instance the culprit appears to be the MSN bot:

    Agent: msnbot/2.0b (+http://search.msn.com/msnbot.htm)._
    IP: 65.55.25.152

    Quirky bot or what?

  6. Jeff Starr

    Hi Geo, did you verify identity with a forward/reverse lookup? It may have been faked – all the cool kidz are doing it these days.

    Here is a post on verifying identity.

    And yes, MSN/Live/Bing/Whatever is an unpredictable and quirky bot, but nowhere as near as bad as Yahoo Slurp.

    Cheers :)
