Jan 29, 2008

Some type of botnet using libwww-perl/5.xxx

These all look to be related: they all showed up at the same time, over two dozen distinct hosts inside about half an hour, and every request was refused with a 403 because the User-Agent (libwww-perl/5.79 through 5.808) is on the blacklist. It looks to be a botnet. The reverse DNS names point mostly at hosting providers' servers rather than home connections, which suggests a batch of compromised servers being driven by one script.


74.54.29.114,BB2,[01-29-2008-16:01:24],72.1d.364a.static.theplanet.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
69.64.77.89,BB2,[01-29-2008-16:01:28],ardentexchange.com,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
85.233.166.54,BB2,[01-29-2008-16:01:43],vps1.unluckyforsome.co.uk,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
87.106.177.9,BB2,[01-29-2008-16:01:45],s15267347.onlinehome-server.info,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
91.142.209.168,BB2,[01-29-2008-16:01:48],sl002.servidores-dns.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
88.84.157.36,BB2,[01-29-2008-16:01:51],v32556.1blu.de,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
87.106.183.154,BB2,[01-29-2008-16:01:52],s15277454.onlinehome-server.info,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
85.214.122.224,BB2,[01-29-2008-16:01:56],alte-wutz.de,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
85.214.64.202,BB2,[01-29-2008-16:01:57],psit-domains.de,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
86.109.163.242,BB2,[01-29-2008-16:03:45],lincl435.web3l.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
128.205.213.57,BB2,[01-29-2008-16:05:06],hyperion.eng.buffalo.edu,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
74.54.22.2,BB2,[01-29-2008-16:05:25],hm3.hostmas.net,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
66.7.194.105,BB2,[01-29-2008-16:05:26],66-7-194-105.static.dimenoc.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
69.61.30.100,BB2,[01-29-2008-16:05:33],alpha.webserverdns.com,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
66.232.101.54,BB2,[01-29-2008-16:06:10],-,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
216.129.112.22,BB2,[01-29-2008-16:06:26],nexenta.com,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
87.233.129.198,BB2,[01-29-2008-16:06:54],mail.tradehousem.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
78.110.163.108,BB2,[01-29-2008-16:07:14],server2.suspected.co.uk,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
87.106.37.48,BB2,[01-29-2008-16:08:14],s15207528.onlinehome-server.info,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
64.202.115.189,BB2,[01-29-2008-16:08:51],server.hotelskerala.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
74.54.22.2,BB2,[01-29-2008-16:10:32],hm3.hostmas.net,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
66.7.194.105,BB2,[01-29-2008-16:10:45],66-7-194-105.static.dimenoc.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
69.61.30.100,BB2,[01-29-2008-16:10:48],alpha.webserverdns.com,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
72.36.154.242,BB2,[01-29-2008-16:10:58],72.36.154.242.svservers.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
66.232.101.54,BB2,[01-29-2008-16:11:25],-,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
62.193.224.77,BB2,[01-29-2008-16:11:42],wpc0075.amenworld.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
216.129.112.22,BB2,[01-29-2008-16:12:57],nexenta.com,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
87.233.129.198,BB2,[01-29-2008-16:13:21],mail.tradehousem.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
77.79.88.105,BB2,[01-29-2008-16:13:32],-,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
87.106.37.48,BB2,[01-29-2008-16:14:45],s15207528.onlinehome-server.info,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
64.202.115.189,BB2,[01-29-2008-16:15:01],server.hotelskerala.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
82.192.68.176,BB2,[01-29-2008-16:16:07],svhw.woz-visie.nl,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
82.192.68.176,BB2,[01-29-2008-16:16:31],svhw.woz-visie.nl,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
81.171.102.74,BB2,[01-29-2008-16:16:36],webhost3.eweka.nl,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
85.25.139.97,BB2,[01-29-2008-16:16:57],echo643.server4you.de,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
81.171.102.74,BB2,[01-29-2008-16:17:04],webhost3.eweka.nl,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
80.89.224.38,BB2,[01-29-2008-16:17:10],wolfram.noc.iaf.nl,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
80.89.224.38,BB2,[01-29-2008-16:17:35],wolfram.noc.iaf.nl,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
72.36.154.242,BB2,[01-29-2008-16:18:30],72.36.154.242.svservers.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
77.79.88.105,BB2,[01-29-2008-16:22:54],-,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
85.25.139.97,BB2,[01-29-2008-16:30:40],echo643.server4you.de,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
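The botnet signal in the log above is not any single line but the shape of the whole batch: many distinct source IPs, one User-Agent family, all inside one short window. The script below is an added example, not part of the original post; it parses BB2-style log lines (a subset of the entries above, plus one constructed ExampleBot entry from the 192.0.2.0/24 documentation range so that there is a second User-Agent family to group), then reports the largest number of distinct source IPs seen for each family within any 10-minute window, along with a per-version breakdown and the hosts that came back more than once. The function names and the five-source threshold are my choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: a subset of the BB2 log entries quoted in the post, plus one
# constructed entry (192.0.2.10, "ExampleBot") so that grouping by User-Agent
# family has a second group to show. Field layout of each line:
# ip,BB2,[MM-DD-YYYY-HH:MM:SS],reverse-dns,<status> <reason> ,user-agent,-
SAMPLE_LOG = """\
74.54.29.114,BB2,[01-29-2008-16:01:24],72.1d.364a.static.theplanet.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
69.64.77.89,BB2,[01-29-2008-16:01:28],ardentexchange.com,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
85.233.166.54,BB2,[01-29-2008-16:01:43],vps1.unluckyforsome.co.uk,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
87.106.177.9,BB2,[01-29-2008-16:01:45],s15267347.onlinehome-server.info,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
91.142.209.168,BB2,[01-29-2008-16:01:48],sl002.servidores-dns.com,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
128.205.213.57,BB2,[01-29-2008-16:05:06],hyperion.eng.buffalo.edu,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
74.54.22.2,BB2,[01-29-2008-16:05:25],hm3.hostmas.net,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
66.7.194.105,BB2,[01-29-2008-16:05:26],66-7-194-105.static.dimenoc.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
192.0.2.10,BB2,[01-29-2008-16:07:00],-,403 User-Agent was found on blacklist ,Mozilla/5.0 (compatible; ExampleBot/1.0),-
74.54.22.2,BB2,[01-29-2008-16:10:32],hm3.hostmas.net,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
82.192.68.176,BB2,[01-29-2008-16:16:07],svhw.woz-visie.nl,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
82.192.68.176,BB2,[01-29-2008-16:16:31],svhw.woz-visie.nl,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
85.25.139.97,BB2,[01-29-2008-16:30:40],echo643.server4you.de,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
"""

LINE_RE = re.compile(
    r"^(?P<ip>[\d.]+),BB2,\[(?P<ts>[\d-]+:\d\d:\d\d)\],(?P<host>[^,]*),"
    r"(?P<status>\d{3}) (?P<reason>[^,]*),(?P<ua>[^,]*),(?P<rest>.*)$"
)


def parse_log(text):
    """Parse BB2-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m-%d-%Y-%H:%M:%S")
        e["status"] = int(e["status"])
        e["reason"] = e["reason"].strip()
        # "libwww-perl/5.805" -> "libwww-perl": the family is what the
        # blacklist keys on, the version is what varies across the bots.
        e["family"] = e["ua"].split("/", 1)[0]
        entries.append(e)
    return entries


def max_distinct_sources(entries, window_seconds=600):
    """For each User-Agent family, the largest number of distinct source IPs
    seen inside any window of window_seconds (sliding window over the sorted
    timestamps). One scanner gives 1 here; a botnet gives a large number."""
    by_family = defaultdict(list)
    for e in entries:
        by_family[e["family"]].append(e)
    peaks = {}
    for family, items in by_family.items():
        items.sort(key=lambda e: e["ts"])
        in_window = Counter()   # ip -> hits currently inside the window
        best = lo = 0
        for e in items:
            in_window[e["ip"]] += 1
            while (e["ts"] - items[lo]["ts"]).total_seconds() > window_seconds:
                old = items[lo]["ip"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        peaks[family] = best
    return peaks


def flag_botnets(entries, window_seconds=600, min_sources=5):
    """User-Agent families whose peak distinct-source count reaches min_sources."""
    peaks = max_distinct_sources(entries, window_seconds)
    return sorted(f for f, n in peaks.items() if n >= min_sources)


def summarize(entries, family="libwww-perl"):
    """Per-family totals: hits, distinct IPs, version spread, repeat offenders."""
    sel = [e for e in entries if e["family"] == family]
    ips = Counter(e["ip"] for e in sel)
    return {
        "hits": len(sel),
        "distinct_ips": len(ips),
        "versions": Counter(e["ua"] for e in sel),
        "repeat_ips": sorted(ip for ip, n in ips.items() if n > 1),
    }


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("peak distinct sources per family:", max_distinct_sources(ents))
    print("flagged:", flag_botnets(ents))
    print(summarize(ents))
```

Run against the real BB2 log file instead of the embedded sample by reading it into `parse_log`; the window and threshold are the knobs to tune, since a single aggressive crawler retrying from one IP never raises the distinct-source count no matter how many hits it makes.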

4 comments:

farmer6re9 said...

Nasty little bugger, ain't it? This User-Agent began attacking my server on January 19, 2008 and hasn't slowed down at all. The requests use the host name and not just an IP address, so the botnet must be finding potential victims with the use of search engines. Perhaps with .txt as a keyword search criterion.

I have found that forbidding the User-Agent is OK, but I have gone a step further with the use of the iptables ipt_recent module and send these hosts directly to a TARPIT when they attack.

Information about this recent phenomenon is scarce at the moment. I wonder what others are doing to mitigate the problem.
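Forbidding the User-Agent at the web server itself, as the comment above describes, needs no blacklist plugin. The fragment below is an added example, not the commenter's configuration; it assumes Apache 2.2 with mod_setenvif and mod_authz_host loaded, and that none of the site's legitimate clients send the libwww-perl default User-Agent.

```apache
# Tag any request whose User-Agent starts with the LWP default string.
SetEnvIfNoCase User-Agent "^libwww-perl/" bad_bot=1

# Apache 2.2 access control: refuse tagged requests with a 403.
<Location />
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</Location>

# Keep the noise out of the main access log and in its own file, so the
# botnet traffic can be counted without drowning real visitors.
CustomLog logs/bad_bot.log combined env=bad_bot
CustomLog logs/access.log combined env=!bad_bot
```

On Apache 2.4 the Order/Allow/Deny lines become `<RequireAll>` with `Require all granted` and `Require not env bad_bot`. The caveat is the one the log itself shows: "libwww-perl/5.xxx" is only LWP::UserAgent's default agent string, and a script sets it to anything with one call, so this stops the lazy default and nothing more; the commenter's rate-based iptables rule, which keys on behaviour rather than the string, is the more durable layer.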

Anonymous said...

Had the same problem for 6 months and I am blocking it the same way as you.

No point using IP to block, as this person is using victims that he has hacked already.

Dosithee said...

I'm on a Mac and just found a program called Eversave trying to access this IP: 87.106.248.95. The reverse DNS name is s15324241.onlinehome-server.info. Please help me understand what is going on. For now I will just block this connection with the program that discovered it, Little Snitch. Thanks.