Message Board

Tracking Harvesters/Spammers

 Directory attackers?
Author: B.Rhein-Berg   (10 Oct 10 6:45am)
When checking the IPs accessing my Drupal CMS, I found a couple of attempts to get JS or EXE files:

select hostname, message from watchdog where uid=0 and type='page not found' and message regexp '[.](js|exe|php)$';
+-----------------+-------------------------------------------------------------------------------+
| hostname | message |
+-----------------+-------------------------------------------------------------------------------+
| 84.192.90.179 | files/languages/de_528fca730722f4627f952f2376024ad4.js |
| 66.249.66.5 | fzrb/20100925/fzrb_20100925.exe |
| 217.132.160.193 | node/index.php |
| 92.243.84.187 | plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php |
| 95.130.112.7 | files/languages/de_528fca730722f4627f952f2376024ad4.js |
| 89.138.183.94 | node/index.php |
| 66.249.66.5 | files/languages/de_7b75e5125d9225d7bafec6ad4fc8e1f2.js |
| 66.249.66.5 | 836.exe |
| 66.249.71.165 | files/languages/de_7b75e5125d9225d7bafec6ad4fc8e1f2.js |
| 94.136.58.110 | sql/scripts/setup.php |
| 94.136.58.110 | websql/scripts/setup.php |
| 92.243.84.187 | plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php |
| 94.136.58.110 | mysqlmanager/scripts/setup.php |
| 94.136.58.110 | phpMyAdmin/scripts/setup.php |
| 94.136.58.110 | phpMyAdmin1/scripts/setup.php |
| 94.136.58.110 | phpMyAdmin-2/scripts/setup.php |
| 94.136.58.110 | dbadmin/scripts/setup.php |
| 94.136.58.110 | myadmin/scripts/setup.php |
| 94.136.58.110 | mysql/scripts/setup.php |
| 94.136.58.110 | mysqladmin/scripts/setup.php |
| 94.136.58.110 | hello/YellowFish.php |
| 94.136.58.110 | db/scripts/setup.php |
| 66.249.65.116 | ie_setup.exe |
| 94.136.58.110 | phpmyadmin2/scripts/setup.php |
| 94.136.58.110 | pma/scripts/setup.php |
| 94.136.58.110 | PMA/scripts/setup.php |
| 94.136.58.110 | scripts/scripts/setup.php |
| 94.136.58.110 | phpadmin/scripts/setup.php |
| 94.136.58.110 | phpmyadmin/scripts/setup.php |
| 94.136.58.110 | webdb/scripts/setup.php |
| 94.136.58.110 | old.phpmyadmin/scripts/setup.php |
| 94.136.58.110 | phpmyadmin1/scripts/setup.php |
| 94.136.58.110 | phpmyadmin.old/scripts/setup.php |
| 94.136.58.110 | phpmyadmin-2/scripts/setup.php |

Do all these IPs belong to attackers? Surprisingly, a Google IP like 66.249.66.5 is in the list.
 
 Re: Directory attackers?
Author: A.Degives Mas   (20 Apr 11 5:58pm)
Yes and no; it depends on how sharply you define "attackers". To briefly explain: it looks like malicious asset requests have been fed into search engines - something quite common: I call it search engine poisoning - which allows ill-intending people to quickly retrieve listings of sites that have that particular resource / asset / characteristic.

Which then often is fed into a botnet for one attempt at an exploit or another.

If you're 100% positive you've never seen requests like these, and that indeed those requested assets are non-existent, you're arguably looking at an initial sweep, i.e. your site is broadsided with those requests, and essentially only those that give a non-404 reply are used, or better: set aside for later "use".

Those can then be fed into e.g. Google, Yahoo, or other SEs for the simple "batch search" for the particular vulnerability they're looking for.

Bottom line: if you're positive that they're fishing for garbage - i.e. your site doesn't respond other than with a 404 - you can ignore 'em. If they had a positive hit, it's likely you'll see a return of a botnet, washing over your site with requests related to these probes.

Since you're running Drupal, I recommend wrapping the Drupal script with a security wrapper; one I very much like is the GPL-released ZB Block; see www.spambotsecurity.com

Good luck!
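The triage rule in the reply (probes that only ever get a 404 are noise; a probe that got any other reply is the one to look at) can be applied directly to a web server log rather than to the watchdog table. The script below is an added example, not code from either poster or from Drupal; the log lines are constructed, the probe families are taken from the paths listed in the question (phpMyAdmin scripts/setup.php variants, tinybrowser.php, .exe fetches), and the Apache-style log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post); paths mirror the probes above.
SAMPLE_LOG = """\
94.136.58.110 - - [10/Oct/2010:06:01:12 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512
94.136.58.110 - - [10/Oct/2010:06:01:13 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 512
94.136.58.110 - - [10/Oct/2010:06:01:14 +0200] "GET /mysql/scripts/setup.php HTTP/1.1" 404 512
92.243.84.187 - - [10/Oct/2010:06:02:40 +0200] "GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php HTTP/1.1" 404 512
66.249.66.5 - - [10/Oct/2010:06:03:01 +0200] "GET /files/languages/de_528fca730722f4627f952f2376024ad4.js HTTP/1.1" 404 512
10.0.0.5 - - [10/Oct/2010:06:04:00 +0200] "GET /node/1 HTTP/1.1" 200 8192
203.0.113.9 - - [10/Oct/2010:06:05:00 +0200] "GET /old.phpmyadmin/scripts/setup.php HTTP/1.1" 200 1024
"""

# Apache combined/common log line (assumed format): host, request line, status.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Probe families seen in the post; a stale Drupal language .js is deliberately not one of them.
PROBE_PATTERNS = [
    ("pma-setup", re.compile(r'/scripts/setup\.php$', re.I)),
    ("tinybrowser", re.compile(r'/tinybrowser\.php$', re.I)),
    ("exe-fetch", re.compile(r'\.exe$', re.I)),
]

def classify(path):
    """Return the probe family for a request path, or None for ordinary traffic."""
    for name, pat in PROBE_PATTERNS:
        if pat.search(path):
            return name
    return None

def analyse(log_text):
    """Group probe requests by source host.

    Returns {host: {"paths": set, "families": set, "hits": [(path, status), ...]}}.
    A non-empty "hits" list means a probe was answered with something other than 404,
    which is the case the reply says deserves a closer look.
    """
    report = defaultdict(lambda: {"paths": set(), "families": set(), "hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m["path"])
        if family is None:
            continue
        entry = report[m["host"]]
        entry["paths"].add(m["path"])
        entry["families"].add(family)
        if m["status"] != "404":
            entry["hits"].append((m["path"], int(m["status"])))
    return dict(report)

if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if info["hits"] else "noise (all 404)"
        print(f"{host:16} probes={len(info['paths'])} families={sorted(info['families'])} {flag}")
```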

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.