Block Greasy Uploads Scanner

Whether you’re running WordPress or not, your site may be getting hit by endless scanning for your site’s uploaded files and similar nonexistent resources. Specifically, the “Greasy Uploads Scanner” endlessly scans sites for nonexistent resources in the /uploads/ directory, even if the directory itself doesn’t exist. Just mindless scanning for all sorts of weird files. It steals your server resources and threatens your site security. We hates them. And we wants to block them.

What the scan looks like

To give you a better idea of the type of malicious scanning we’re talking about, here are some example URI requests taken directly from the log files:

http://example.com/wp-content/uploads/2015/07/mitos-e-verdades-sobre-as-sobrancelhas.jpg
http://example.com/wp-content/uploads/2009/11/artesanato-em-madeira1.jpg
http://example.com/wp-content/uploads/2009/10/tatuagem-nas-costas1.jpg
http://example.com/wp-content/uploads/2009/11/saias-fotos-cintura-alta.jpg
http://example.com/wp-content/uploads/2012/11/corte-de-cabelo-longo-2013-6.jpg
http://example.com/wp-content/uploads/2009/12/bolo-casamento.jpg
http://example.com/wp-content/uploads/2014/07/moda-sa%c3%adda-de-praia-ver%c3%a3o-2015-4.jpg
http://example.com/wp-content/uploads/2014/09/Penteados-para-festas-conhe%c3%a7a-as-principais-apostas-para-o-ver%c3%a3o-5.jpg
http://example.com/wp-content/uploads/2012/12/artesanato-de-Flores-de-feltro-sortidas-3.jpg?894491
http://example.com/wp-content/uploads/2014/07/cole%c3%a7%c3%a3o-de-ver%c3%a3o-2015-da-morena-rosa-5.jpg
http://example.com/wp-content/uploads/2009/10/escrita-no-braco.jpg
http://example.com/wp-content/uploads/2014/03/logo-TP1.png
http://example.com/wp-content/uploads/2012/03/Rabo-de-cavalo-lateral-Passo-a-Passo-4.jpg
http://example.com/wp-content/uploads/2010/06/cabelos-cacheados-cortes-9.jpg
http://example.com/wp-content/uploads/2009/09/blusa-moda.jpg
http://example.com/wp-content/uploads/2014/09/Como-usar-top-cropped-7.jpg
http://example.com/wp-content/uploads/2010/04/decoupage-em-chinelo-como-fazer.jpg
http://example.com/wp-content/uploads/2012/12/Fantasias-f%c3%a1ceis-de-fazer-e-criativas-6.jpg
http://example.com/wp-content/uploads/2015/08/emagrecer-de-vez-145x100.jpg
http://example.com/wp-content/uploads/2013/03/cabelo-inverno-2013-cores-2.jpg
http://example.com/wp-content/uploads/2014/02/como-decorar-apartamento-pequeno-4.jpg
http://example.com/wp-content/uploads/2009/11/penteado-madrinha1.jpg
http://example.com/wp-content/uploads/2011/08/cabelo-masculino-2012-16.jpg
http://example.com/wp-content/uploads/2011/06/blazer-feminino-moda.jpg
http://example.com/wp-content/uploads/2010/03/quarto-decorado-adolescente-13.jpg
http://example.com/wp-content/uploads/2012/10/decora%c3%a7%c3%a3o-de-bolos-passo-a-passo-6.jpg
http://example.com/wp-content/uploads/2013/06/Acess%c3%b3rios-para-usar-na-formatura-4.jpg
http://example.com/wp-content/uploads/2009/11/esporte-fino.jpg
http://example.com/wp-content/uploads/2013/05/cabelos-castanhos-com-luzes-5.jpg
http://example.com/wp-content/uploads/2014/09/Moda-Roupas-%e2%80%93-primavera-Ver%c3%a3o-2015-da-Aha-4.jpg
http://example.com/wp-content/uploads/2010/03/Roupa-Social-Feminina-3.jpg
http://example.com/wp-content/uploads/2012/07/tatuagem-feminina-3D-5.jpg
http://example.com/wp-content/uploads/2013/07/corte-de-cabelos-femininos-tendencias-2014-2.jpg
http://example.com/wp-content/uploads/2015/03/vestidos-curtos-de-festa-1-11.jpg
http://example.com/wp-content/uploads/2011/02/moda-infantil-2011-6.jpg
http://example.com/wp-content/uploads/2009/10/Fantasias-halloween5.jpg
http://example.com/wp-content/uploads/2014/08/melissa-ver%c3%a3o-2015-800x532.jpg
http://example.com/wp-content/uploads/2011/03/lembrancinha-batizado-1-9.jpg
http://example.com/wp-content/uploads/2011/05/adam-lambert-cortes-de-cabelo-5.jpg

Each greasy scan requests around 1,500 of these URIs within about 3 minutes. Until I blocked them, I was getting numerous scans like this every day. Was maddening.

So can we block these types of requests based on the requested URIs? Well, to do so, we would need to block either /wp-content/ or /uploads/, which only makes sense if your site is NOT using those particular directories. If that sounds like you, then a few simple lines in your site’s root .htaccess file will block them all:

# Block Greasy Uploads Scanner (non-WP sites)
<IfModule mod_alias.c>
	RedirectMatch 403 ^/wp-content/uploads/
</IfModule>

That code will stop the greasy scans cold. Again, you would only want to implement this technique on non-WP sites or WP sites that are NOT using the /uploads/ directory. If you are using WordPress, blocking via the request URI simply won’t work. So let’s continue the investigation until a solution presents itself.

Associated user agents

The greasy scans also provide an example of why it can be ineffective to block requests based on user agent. There are just too many strings that would need to be blocked. During the scan, the reported user agent changes. Here is a sampling:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36

Mozilla/5.0 (Linux; Android 4.2.2; SM-T111M Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Safari/537.36

Mozilla/5.0 (Linux; Android 4.2.1; en-us; Nexus 5 Build/JOP40D) AppleWebKit/535.19 (KHTML, like Gecko; googleweblight) Chrome/38.0.1025.166 Mobile Safari/535.19

Mozilla/5.0 (Linux; U; Android 4.1.2; pt-br; GT-S5310B Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Mozilla/5.0 (Linux; Android 4.4.2; SM-T210 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 GSA/5.3.26.19.arm

Mozilla/5.0 (Linux; Android 4.4.2; SM-G313ML Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/9.0.60246 Mobile/12H321 Safari/600.1.4

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36

Mozilla/5.0 (Linux; Android 5.0.2; XT1069 Build/LXB22.99-16.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 4.3; SM-G3502T Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36

So even if we wanted to block based on the reported user agent, it would be virtually impossible because of the similarities with legitimate agents: once you exclude legit strings like Mozilla, Linux, Android, Chrome, and so forth, there aren’t any effective patterns left to match against. Perhaps we can stop these scans based on the associated IP addresses? Let’s find out..

Associated IP addresses

If you’re familiar with my tutorials, you’ve probably heard me mention that in general blocking based on IP address is only recommended for blocking specific, individual threats. Like when you want to block some scumbag from lurking around and stalking your other users. Stuff like that. Attempts to block bots, scripts, and other automated requests via IP result in a LOT of false positives and ultimately are pretty ineffective. This is because most malicious activity is routed through some sort of proxy service to obscure identity. And the IPs used by proxies change constantly, so there’s no point in trying to block them. Besides, there are far better ways to block bad bots and bad requests.

With that in mind, the IPs associated with the Greasy Uploads Scanner serve as a perfect example of why blocking via IP address is futile. If there were only a handful of offending IPs, that would be great; we could easily block all greasy upload scans with a few choice directives. Unfortunately, the greasy scans report hundreds of different IPs. Check it out for yourself:

greasy-uploads-scanner.txt

Right? That’s a lot of IPs to block, far too many to make it worthwhile. The server would have to work through each of those IPs for every request. So it would be better for performance to just let the greasy bastard scan your site.

For more information about blocking IPs, how I collect data, and other relevant details, read through my article, Worst IPs: 2016 Edition.

Associated referrers

Continuing our hunt for a simple, effective way to block the greasy uploads scans, we examine the reported referrer URLs. Here is a sampling from the log files:

http://trikaladay.com.br/
http://trikaladay.com.br/blank.html
http://todaperfeita.com.br/category/beleza/
http://todaperfeita.com.br/moda-roupa-social-feminina-fotos-e-dicas/
http://todaperfeita.com.br/vestidos-de-festa-para-gordinhas-fotos-e-modelos/
http://todaperfeita.com.br/decoupage-em-chinelos-com-guardanapo-passo-a-passo/
http://todaperfeita.com.br/body-splash-da-victorias-secret-entenda-as-fragrancias/
http://todaperfeita.com.br/deliciosa-receita-de-pastel-de-forno-massa-com-guarana/
.
.
.

Yep, that will do it. Pretty much every reported referrer is from either trikaladay.com.br or todaperfeita.com.br. This presents a simple, effective solution that can be implemented via .htaccess:

# Block Greasy Uploads Scanner
<IfModule mod_rewrite.c>
	# RewriteEngine On is required for the rules below to take effect;
	# if your .htaccess already enables it (e.g., the WordPress block), this line is redundant but harmless
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} todaperfeita [NC,OR]
	RewriteCond %{HTTP_REFERER} trikaladay   [NC]
	RewriteRule (.*) - [F,L]
</IfModule>

..aaand mission accomplished. Here we are checking the referrer for either offender, and then blocking them with a 403 “Forbidden” server response. Simple, effective, and elegant. Just for fun, we could also combine the two directives, like so:

RewriteCond %{HTTP_REFERER} (todaperfeita|trikaladay) [NC]

It’s just good times all around.
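If you want to confirm from your own logs that you are seeing this scan (the burst of 404s under /wp-content/uploads/ spread across many IPs and user agents, described above) and to check which of those requests the referrer-based rule would have refused, here is a small log-analysis script. This is an added example, not code from the original post; the log lines in it are constructed to resemble the scan, not copied from real server logs, and the function names, the 404 filter, and the burst threshold are my own choices.

```python
"""Detect "Greasy Uploads Scanner"-style bursts in Apache combined-format
logs and check which hits the post's referrer-based rule would block.

Added example, not from the original post. SAMPLE_LOG below is constructed
to resemble the scan; it is not a real log excerpt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Same two substrings as the post's RewriteCond, case-insensitive like [NC].
BLOCKED_REFERER_RE = re.compile(r"(todaperfeita|trikaladay)", re.IGNORECASE)

# Constructed sample (RFC 5737 test addresses), mimicking the scan's shape:
# many 404s under /wp-content/uploads/, several IPs and UAs, one referrer host.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2015:14:02:11 +0000] "GET /wp-content/uploads/2009/11/artesanato-em-madeira1.jpg HTTP/1.1" 404 211 "http://todaperfeita.com.br/category/beleza/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
192.0.2.11 - - [10/Nov/2015:14:02:30 +0000] "GET /wp-content/uploads/2009/10/tatuagem-nas-costas1.jpg HTTP/1.1" 404 211 "http://todaperfeita.com.br/category/beleza/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
192.0.2.12 - - [10/Nov/2015:14:02:45 +0000] "GET /wp-content/uploads/2009/12/bolo-casamento.jpg HTTP/1.1" 404 211 "http://TodaPerfeita.com.br/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1"
192.0.2.13 - - [10/Nov/2015:14:03:10 +0000] "GET /wp-content/uploads/2014/03/logo-TP1.png HTTP/1.1" 404 211 "http://todaperfeita.com.br/moda-roupa-social-feminina-fotos-e-dicas/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
192.0.2.14 - - [10/Nov/2015:14:03:40 +0000] "GET /wp-content/uploads/2009/09/blusa-moda.jpg HTTP/1.1" 404 211 "http://todaperfeita.com.br/category/beleza/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
192.0.2.10 - - [10/Nov/2015:14:04:05 +0000] "GET /wp-content/uploads/2012/12/artesanato-de-Flores-de-feltro-sortidas-3.jpg?894491 HTTP/1.1" 404 211 "http://todaperfeita.com.br/category/beleza/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
198.51.100.7 - - [10/Nov/2015:14:04:20 +0000] "GET /wp-content/uploads/2011/02/moda-infantil-2011-6.jpg HTTP/1.1" 404 211 "http://trikaladay.com.br/blank.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
198.51.100.8 - - [10/Nov/2015:14:04:25 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
198.51.100.9 - - [10/Nov/2015:14:05:00 +0000] "GET /wp-content/uploads/2016/01/missing.jpg HTTP/1.1" 404 211 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "10/Nov/2015:14:02:11 +0000" -> naive datetime; the offset is dropped
    # because every line in one log shares it.
    rec["time"] = datetime.strptime(rec["time"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec


def would_block(referer):
    """Mirror the post's rule: refuse when the Referer contains either host."""
    return bool(BLOCKED_REFERER_RE.search(referer))


def summarize_uploads_scan(lines, window=timedelta(minutes=3), threshold=5):
    """Group 404s under /wp-content/uploads/ by referrer host and report
    each host whose hits include `threshold` requests within `window`.

    The post reports roughly 1,500 requests in about 3 minutes; the default
    threshold is deliberately low so the small constructed sample triggers it.
    """
    hits = defaultdict(list)  # referrer host -> list of matching records
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] != 404 or not rec["uri"].startswith("/wp-content/uploads/"):
            continue
        # urlsplit lowercases the host, so "TodaPerfeita" groups with the rest.
        host = urlsplit(rec["referer"]).hostname or "(none)"
        hits[host].append(rec)

    bursts = []
    for host, recs in hits.items():
        recs.sort(key=lambda r: r["time"])
        # Sliding window over `threshold` consecutive hits.
        if any(recs[i + threshold - 1]["time"] - recs[i]["time"] <= window
               for i in range(len(recs) - threshold + 1)):
            bursts.append({
                "referer_host": host,
                "requests": len(recs),
                "distinct_ips": len({r["ip"] for r in recs}),
                "distinct_user_agents": len({r["ua"] for r in recs}),
                "blocked_by_rule": all(would_block(r["referer"]) for r in recs),
            })
    return bursts


if __name__ == "__main__":
    for b in summarize_uploads_scan(SAMPLE_LOG.splitlines()):
        print(b)
```

Run it against a real access log with `summarize_uploads_scan(open("access.log"))`, raising `threshold` to something closer to the volumes in the post. The report shows in one line what the three sections above argue: one burst, several IPs, several user agents, and a single referrer host that the .htaccess rule catches. The usual caveat for any referrer-based block applies: the Referer header is supplied by the client, so the rule holds only as long as the scanner keeps sending it; keep watching for the same 404 pattern under /wp-content/uploads/ even after the rule is in place.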