Isqua Istari

The Wise Wizards

Spammers and Bots get Smarter

Posted in Articles by Ziggy Saturday August 2, 2014 at 14:38

For a while now I’ve been keeping track of my website’s error logs and banning IPs that poke around for weak points (trying to log in to non-existent pages, trying multiple standard address paths for the admin panel), and until recently this has worked alright. I get about 15 queries a day from blocked IPs, so it’s manageable.

The logs often state that there was a “referer” to the page, but this can be easily faked. It’s even more obvious when the “referer” is my own site, and I know quite well that I don’t have any links to these spurious pages in my hand-crafted HTML. A normal “attack” looks something like this:

[Sat Jul 19 09:29:09.634756 2014] [:error]  [client 223.240.129.48:4874] File does not exist: /home/dudecon/public_html/minecraft/login.php, referer: http://www.peripheralarbor.com/minecraft/
[Sat Jul 19 09:29:09.007436 2014] [:error]  [client 223.240.129.48:4858] File does not exist: /home/dudecon/public_html/minecraft/post.php
[Sat Jul 19 09:29:08.401537 2014] [:error]  [client 223.240.129.48:4843] File does not exist: /home/dudecon/public_html/minecraft/register.php

A few pokes at a few obvious pages, all from the same IP address, and all within a few seconds of each other. Note the silly “referer” in the first log. But recently I seem to have caught the attention of a more organized botnet or something. Check this out:

[Fri Aug 01 20:35:09.174435 2014] [:error]  [client 198.170.241.46:4659] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:25:48.760218 2014] [:error]  [client 217.115.112.107:2987] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:16:27.377227 2014] [:error]  [client 184.168.200.12:17883] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:06:51.704326 2014] [:error]  [client 192.99.15.227:48185] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Thu Jul 31 11:36:01.435974 2014] [:error]  [client 217.16.10.44:48156] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Thu Jul 31 11:26:59.114869 2014] [:error]  [client 46.105.35.91:41961] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Thu Jul 31 11:08:42.686376 2014] [:error]  [client 192.185.83.77:12895] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/

I mean, I can only assume it’s a botnet. Each query comes from a different IP address; they happen in fairly close proximity, but spaced by minutes instead of seconds, and they all target the same non-existent login page. I suppose it’s possible that Google has stooped to trawling for security holes, but I would think they wouldn’t make it this obvious.
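The two patterns in the logs above can be told apart mechanically. The script below is an added example, not the author’s own tooling (the post does not show it): it parses Apache 2.4 “File does not exist” error lines, flags requests for well-known admin/login file names, marks referers that claim the request was linked from this site or from Google (neither can legitimately point at a page that never existed here), separates a single-IP burst from a slow distributed scan of one target, and renders an Apache 2.4 “Require not ip” block for the candidate addresses. The sample log is constructed from the excerpts in the post plus one ordinary favicon 404 from a documentation-range address that must not be banned; DOCROOT and OWN_HOST are taken from the log lines, while the extra probe names, the bogus-referer hosts and the burst/distributed thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename
from urllib.parse import urlparse

# Constructed sample modelled on the post's excerpts: a single-IP burst against
# /minecraft/, the slow distributed wp-login.php scan, and one ordinary 404
# (favicon) from a documentation-range address that must NOT be banned.
SAMPLE_LOG = """\
[Sat Jul 19 09:29:09.634756 2014] [:error]  [client 223.240.129.48:4874] File does not exist: /home/dudecon/public_html/minecraft/login.php, referer: http://www.peripheralarbor.com/minecraft/
[Sat Jul 19 09:29:09.007436 2014] [:error]  [client 223.240.129.48:4858] File does not exist: /home/dudecon/public_html/minecraft/post.php
[Sat Jul 19 09:29:08.401537 2014] [:error]  [client 223.240.129.48:4843] File does not exist: /home/dudecon/public_html/minecraft/register.php
[Fri Aug 01 20:35:09.174435 2014] [:error]  [client 198.170.241.46:4659] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:25:48.760218 2014] [:error]  [client 217.115.112.107:2987] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:16:27.377227 2014] [:error]  [client 184.168.200.12:17883] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Fri Aug 01 20:06:51.704326 2014] [:error]  [client 192.99.15.227:48185] File does not exist: /home/dudecon/public_html/wp-login.php, referer: http://www.google.com/
[Sat Jul 19 10:00:00.000000 2014] [:error]  [client 203.0.113.5:5555] File does not exist: /home/dudecon/public_html/favicon.ico
"""

DOCROOT = "/home/dudecon/public_html"   # taken from the log lines
OWN_HOST = "www.peripheralarbor.com"    # the site's own hostname, from the post
# Targets scanners try. The first four appear in the post; the rest are assumed
# additions typical of CMS admin probes.
PROBE_NAMES = {"wp-login.php", "login.php", "register.php", "post.php",
               "xmlrpc.php", "admin.php", "administrator", "admin"}
# A referer naming this site (which has no such links) or Google cannot be genuine.
BOGUS_REFERER_HOSTS = {OWN_HOST, "www.google.com", "google.com"}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\]\s+"
    r"\[client (?P<ip>[^\]:]+):(?P<port>\d+)\] "   # IPv4 only, as in the post's logs
    r"File does not exist: (?P<path>\S+?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)


def parse_line(line):
    """Parse one Apache 2.4 'File does not exist' line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith(DOCROOT):
        path = path[len(DOCROOT):] or "/"   # turn the filesystem path back into a URL path
    ref = m.group("referer")
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
        "ip": m.group("ip"),
        "path": path,
        "referer_host": urlparse(ref).hostname if ref else None,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_probe(event):
    """True when the missing file is a well-known admin/login target."""
    return basename(event["path"].rstrip("/")) in PROBE_NAMES


def referer_is_bogus(event):
    """A probe claiming it was linked from this site or from Google is lying."""
    return is_probe(event) and event["referer_host"] in BOGUS_REFERER_HOSTS


def classify(events, burst_window=timedelta(seconds=10), min_burst=2, min_ips=3):
    """Split probe traffic into per-IP bursts and distributed scans of one target."""
    probes = sorted((e for e in events if is_probe(e)), key=lambda e: e["ts"])
    by_ip, by_path = defaultdict(list), defaultdict(set)
    for e in probes:
        by_ip[e["ip"]].append(e)
        by_path[e["path"]].add(e["ip"])
    # burst: one address, several probes within a short window (seconds)
    bursts = {ip: hits for ip, hits in by_ip.items()
              if len(hits) >= min_burst and hits[-1]["ts"] - hits[0]["ts"] <= burst_window}
    # distributed: one target, many addresses, each making a single request
    distributed = {p: sorted(ips) for p, ips in by_path.items() if len(ips) >= min_ips}
    spoofed = sorted({e["ip"] for e in probes if referer_is_bogus(e)})
    return {"burst": bursts, "distributed": distributed, "spoofed_referer": spoofed}


def ban_candidates(events):
    """Every address that asked for a probe target; ordinary 404s are left alone."""
    return sorted({e["ip"] for e in events if is_probe(e)})


def render_apache24_block(ips):
    """Apache 2.4 (mod_authz_core) snippet denying the given addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(classify(evs))
    print(render_apache24_block(ban_candidates(evs)))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents. The burst heuristic catches the /minecraft/ scanner from a single IP; the distributed heuristic catches the wp-login.php campaign even though no single address repeats, which is the case that per-IP banning alone handles poorly. The favicon 404 never becomes a ban candidate.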

In any case, banning every IP that shows up like this could become wearisome. Don’t make me do it, botnet. You know I will. I’d also be happy to share my list of banned IP addresses if anyone is interested. There are a tad over 200, though a few of them are whole IP blocks due to consistent misbehavior.

Oh, and by the way, if you find yourself IP banned from “www.peripheralarbor.com”, clean your computer, as you might be unwittingly hosting malicious software.

I’ll be happy to remove you from the ban list if you ask nicely.
