Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm)
64bitguy
Joined: Mar 06, 2004
Posts: 1164
Posted: Sat Dec 25, 2004 12:09 pm

In an effort to identify who is infected by this worm or virus, I'm enclosing a copy of a few of the IPs that have attacked my site so far.

I'm very curious to discover the root cause of these attacks (failed to update? No anti-virus?) and identifying the sources may aid in this venture while helping others to filter out some of the hosts affected.

Here are SOME of the multiple abuse attempt IPs that I have collected so far:


And many many more!

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.

Last edited by 64bitguy on Sat Dec 25, 2004 2:45 pm; edited 2 times in total 
Mesum
Joined: Aug 23, 2002
Posts: 213
Location: Chicago
Posted: Sat Dec 25, 2004 1:02 pm

I was bombed early this morning by visualcoders.net which was using some stupid kinda strings.

Their host was informed and they removed the account right away; then domain whois showed that the owner is from Belgium, so I just called the FBI and let them know about this. They said they already know about it and they think it is just another worm that is supposed to run this string against every phpBB, PHP-Nuke, Postnuke or any other related code. They are trying to find it and stop it.

These were the strings they were using:

_________________
Only FREE Dating Site for Desis 
zaki
Joined: Oct 12, 2004
Posts: 9
Posted: Sat Dec 25, 2004 2:04 pm

I have been getting about 500 emails daily for two days, all with reasons like Reason: Abuse-Script or Abuse-Harvest. The only common thing between all the attacks is the agent, which is
--------------------
User Agent: lwp-trivial/1.32

examples

Date & Time: 2004-12-25 12:51:57
Blocked IP: 217.199.176.8
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.32
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 217.199.176.8
Remote Port: 4388
Request Method: GET
--------------------
Who-Is for IP
217.199.176.8

Date & Time: 2004-12-25 12:24:45
Blocked IP: 81.169.168.253
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: lwp-trivial/1.38
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 81.169.168.253
Remote Port: 45814
Request Method: GET

or this new one


Date & Time: 2004-12-25 14:22:16
Blocked IP: 69.93.214.106
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 69.93.214.106
Remote Port: 41817
Request Method: GET

What is this gratishost.com?

Another email with this, which is a normal script to one of the forums; why blocked?

Date & Time: 2004-12-25 14:18:02
Blocked IP: 69.44.57.36
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.41
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 69.44.57.36
Remote Port: 46860
Request Method: GET

I wish someone could help me with this; it started two days ago, and now I get tons of emails from Sentinel. Any ideas?


Last edited by zaki on Sat Dec 25, 2004 2:31 pm; edited 3 times in total 
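As an added example (not from any poster in this thread), the Python below parses NukeSentinel block notices in the layout zaki quoted and tallies them by Reason and by user-agent family, so the automated lwp-trivial / LWP::Simple hits can be separated from other blocks and their source IPs collected for the abuse reports discussed in this thread. The sample notices are constructed from the fields shown in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the NukeSentinel e-mail layout quoted above (field names,
# IPs and agents as shown in the thread, one notice per blank-line-separated block).
SAMPLE = """\
Date & Time: 2004-12-25 12:51:57
Blocked IP: 217.199.176.8
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.32

Date & Time: 2004-12-25 14:22:16
Blocked IP: 69.93.214.106
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
"""

# "Key: value" rows; the dashed separator rows have no colon and are skipped.
FIELD = re.compile(r"^([A-Za-z &-]+):\s*(.*)$")

def parse_notices(text):
    """Split a mail body into notices; returns one dict of fields per notice."""
    notices, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line closes the current notice
            if current:
                notices.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        notices.append(current)
    return notices

def agent_family(notice):
    """Agent name without version: 'lwp-trivial/1.32' -> 'lwp-trivial'."""
    return notice.get("User Agent", "?").split("/")[0]

def summarize(notices):
    """Counts per block reason and per agent family, plus the IPs seen per family."""
    by_reason = Counter(n.get("Reason", "?") for n in notices)
    by_agent = Counter(agent_family(n) for n in notices)
    ips = defaultdict(set)
    for n in notices:
        ips[agent_family(n)].add(n.get("Blocked IP", "?"))
    return by_reason, by_agent, ips
```

Feed it the body of a saved Sentinel mail (or several concatenated) and the per-family IP sets give the list to hand to each attacking host's abuse contact.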
64bitguy
Posted: Sat Dec 25, 2004 2:26 pm

Update:

According to multiple hosts contacted, the following information has been identified:

It looks like [ Only registered users can see links on this board! Get registered or login! ] and [ Only registered users can see links on this board! Get registered or login! ] are hosting the worm source code and aiding in propagation.

There is now an official FBI investigation in progress.

Webmasters attacked by this worm are urged to:

1) Contact each host of each attacking domain to advise them to do a virus scan to identify and remove the worm from affected domains.

2) Advise those hosts to notify domain administrators to update their software so as not to be exposed or further vulnerable to the worm.

2A) Also advise hosts of the domain(s) affected that should webmasters fail to update their software immediately (so as not to be susceptible to the worm), that the domain(s) affected should be deactivated until such a time where they do not pose a threat of re-infection and further propagation to others.

This is a situation where people have failed to update their software as advised and thus they are propagating the problem.

There are also a large number of clients attempting to test successful implementation and infection of the worm. Those client IP addresses are also being collected and reported to the FBI for investigation.

While many of these clients are on dial-up, the seriousness of this attack and the involvement of the FBI has led to a great deal of cooperation with ISPs in tracking those involved.

I'll keep you apprised of more information as it becomes available.
 
SuperCat
Joined: Nov 27, 2004
Posts: 37
Location: MN
Posted: Sun Dec 26, 2004 11:16 am

Ok, I figured out that it's showing up in here anyway, but it's wayyyyyyy off to the right side...

I wrote a nice little protection for this so your bandwidth won't get eaten up...

place this in /includes/custom_files/custom_mainfile.php

Code:
// Case-insensitive match on the raw query string; stop before rendering the page.
// preg_match() replaces eregi(), which was removed in PHP 7.
if (preg_match('/wget/i', $_SERVER['QUERY_STRING'])) {
   die();
}

_________________
How deep can we dig the rabbit hole? 
zaki
Posted: Sun Dec 26, 2004 12:22 pm

SuperCat, who are you replying to, please? Me?

thanks,
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sun Dec 26, 2004 12:26 pm

SuperCat wrote:
Ok, I figured out that it's showing up in here anyway, but it's wayyyyyyy off to the right side...

I wrote a nice little protection for this so your bandwidth won't get eaten up...

place this in /includes/custom_files/custom_mainfile.php

Code:
// Case-insensitive match on the raw query string; stop before rendering the page.
// preg_match() replaces eregi(), which was removed in PHP 7.
if (preg_match('/wget/i', $_SERVER['QUERY_STRING'])) {
   die();
}
If it reaches this script, the bandwidth has already been used. Not too sure what this accomplishes (no offense).
 
SuperCat
Posted: Sun Dec 26, 2004 12:38 pm

The rest of the page won't load. It saves that much.
 
sixonetonoffun
Joined: Jan 02, 2003
Posts: 2496
Posted: Sun Dec 26, 2004 1:17 pm

The authorities will probably have as much success with the Brazilian ISPs as we do.

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
SuperCat
Posted: Sun Dec 26, 2004 6:09 pm

Here is my final code:

Code:
// preg_match() replaces eregi(), which was removed in PHP 7.
if (preg_match('/wget/i', $_SERVER['QUERY_STRING'])) {
   require_once("config.php");
   require_once("db/db.php");
   global $db, $prefix;
   // REMOTE_ADDR is set by the web server from the TCP connection, not from a client header.
   $ip = $_SERVER["REMOTE_ADDR"];
   $sql = "SELECT * FROM ".$prefix."_banned_ip WHERE ip_address ='$ip'";
   $result = $db->sql_query($sql);
   $IPexists = $db->sql_fetchrow($result);
   // sql_fetchrow() returns false when no row matched; only then add the ban.
   if (!$IPexists) {
      $date = date("Y-m-d");
      $db->sql_query("INSERT INTO ".$prefix."_banned_ip (ip_address,reason,date) VALUES ('$ip', 'wget in URL', '$date')");
      // Drop any live session for the banned address.
      $db->sql_query("DELETE FROM ".$prefix."_session WHERE host_addr='$ip'");
   }
   die();
}
 