Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 P.H.P use of resources & spambot swarm
Author: S.Enbom   (29 May 07 10:16am)
I just noticed a swarm of bots stuck on my P.H.P. I've got a script that makes links such as

http://site/honeypot.php?fubar
http://site/honeypot.php?random/blabla
http://site/honeypot.php?applejuice/foo

I noticed the load on my very limited (only 256mb memory...) virtual server was up to 4, 5...and it sank after i banned these ips from my site.

Does the P.H.P php script take up noticeable resources when one reloads it rapidly? Would a "sleep" in the script help some? I tried modifying the script only to notice it checks it's own hash.



Here's another interesting spam thing. Yesterday (still continuing right now) I noticed what seemed like a one person/team spam-run on my site. The script was aware of the site being drupal, tried to add comment spam whereafter it used the site's search feature to see if the comment went through. I've seen that the next phase would be to spam another site with reference to my site, and not directly to the spammers own site.

What was amazing was that over 150 different IP's was used to this same spamrun yesterday, and the total is up at 230 now. I googled quite a lot of these IP's and they all came up with similar results; lots of spammed guestbooks, forums, often in asian (thai?). The user agents where also the same "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

But I don't think these get stuck in the project honeypot. Their POST attempts get stuck in my mod_security rules:

[29/May/2007:17:03:52 +0300] [100777.com/sid#1f2a6b0][rid#25427e8][/comment/reply/97][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.[29/May/2007:17:05:24 +0300] [100777.com/sid#1f2a6b0][rid#24f26b8][/comment/reply/1456][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.[29/May/2007:17:06:15 +0300] [100777.com/sid#1f2a6b0][rid#211ee58][/comment/reply/1671][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.[29/May/2007:17:08:01 +0300] [100777.com/sid#1f2a6b0][rid#23585a8][/comment/reply/1466][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.[29/May/2007:17:10:05 +0300] [100777.com/sid#1f2a6b0][rid#22d91c8][/comment/reply/1479][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.[29/May/2007:17:10:25 +0300] [100777.com/sid#1f2a6b0][rid#23c8af8][/comment/reply/1482][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.[29/May/2007:17:11:36 +0300] [100777.com/sid#1f2a6b0][rid#20f1dc8][/comment/reply/1105][1] Access denied with code 403 (phase 2). Pattern match "(www\\.)?transexual" at ARGS:comment.[29/May/2007:17:12:02 +0300] [100777.com/sid#1f2a6b0][rid#20f1dc8][/comment/reply/1488][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.[29/May/2007:17:13:37 +0300] [100777.com/sid#1f2a6b0][rid#20efdb8][/comment/reply/1113][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.[29/May/2007:17:13:50 +0300] [100777.com/sid#1f2a6b0][rid#238a738][/comment/reply/1498][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.


Where I to turn of these mod_security rules then akismet would catch them which would be better since it would contribute to the akismet database.


Here's the complete list of this spambot swarm:


12.206.1.158
12.218.111.15
121.132.80.14
121.141.71.231
121.15.128.18
121.177.202.23
121.247.128.122
121.247.162.252
122.2.119.135
122.2.135.223
122.213.56.16
122.47.159.72
123.248.61.184
124.107.225.255
124.125.113.135
124.125.248.39
125.212.135.188
125.212.226.169
125.214.33.11
154.20.199.244
154.5.234.98
189.19.25.148
189.4.160.230
200.109.132.69
200.115.201.109
200.143.129.178
200.203.28.181
200.55.75.2
200.67.239.216
201.132.107.176
201.17.253.46
201.38.195.70
201.39.16.150
201.48.36.180
203.146.102.4
203.81.205.48
207.38.182.218
207.81.28.2
208.107.150.117
210.211.148.129
210.211.164.223
211.200.227.140
211.202.51.115
211.217.208.7
211.51.244.21
213.100.42.50
213.107.76.51
213.112.5.214
213.89.81.172
217.122.172.112
217.65.158.120
218.146.22.42
218.233.35.126
219.91.137.251
220.1.88.114
220.239.17.43
220.239.173.163
220.70.247.148
220.83.54.30
220.89.92.21
221.124.166.201
222.234.167.203
222.76.214.36
24.10.44.255
24.116.99.35
24.150.253.92
24.173.114.228
24.180.140.145
24.19.237.0
24.210.255.240
24.214.128.61
24.217.116.202
24.22.122.17
24.239.249.89
24.241.62.252
24.247.189.181
24.3.2.67
24.3.20.109
24.59.154.124
24.9.143.173
59.0.183.212
59.162.92.183
59.181.103.100
59.25.9.95
59.92.110.195
65.70.120.243
65.97.142.198
66.176.207.42
66.186.85.53
66.227.158.212
66.245.197.222
66.30.33.124
67.149.249.42
67.163.222.116
67.173.52.243
67.177.139.77
67.185.127.3
67.187.46.249
67.67.68.234
68.108.85.224
68.145.129.38
68.191.57.89
68.196.163.232
68.199.28.214
68.202.250.98
68.250.211.219
68.36.68.84
68.37.88.118
68.41.19.191
68.42.138.106
68.54.227.187
68.56.177.92
68.74.105.209
68.8.47.146
68.80.198.46
68.84.125.31
68.9.255.238
68.9.47.201
68.95.198.192
69.119.190.116
69.14.131.240
69.145.57.168
69.158.187.105
69.212.228.72
69.246.26.246
69.248.20.96
69.92.179.101
70.160.160.183
70.176.182.30
70.177.247.69
70.246.159.118
70.64.188.95
71.156.41.202
71.194.102.167
71.194.200.15
71.196.138.47
71.200.171.159
71.203.153.25
71.206.36.154
71.234.249.7
71.87.50.248
71.88.33.231
71.9.93.23
72.12.189.100
72.137.246.167
72.140.3.28
72.164.132.226
72.192.140.103
72.193.17.211
72.199.248.18
72.201.164.192
72.204.73.136
72.48.159.24
74.115.70.44
74.119.49.26
74.121.64.39
74.122.236.78
74.135.248.9
74.138.49.163
74.140.155.189
74.193.185.210
74.194.162.184
74.194.182.73
74.221.38.53
74.57.15.127
74.61.254.218
74.69.177.55
74.74.74.104
75.108.6.204
75.109.102.17
75.132.14.111
75.136.159.106
75.183.99.235
75.37.79.193
75.72.67.155
75.74.224.186
75.74.49.139
75.84.5.52
76.100.12.247
76.106.107.180
76.107.108.195
76.108.82.19
76.174.126.108
76.174.179.22
76.186.232.12
76.187.192.62
76.20.3.77
76.215.182.103
76.26.12.53
76.49.137.191
80.108.220.249
80.216.186.167
80.72.93.143
80.99.98.166
81.106.132.6
81.110.123.14
81.172.36.20
81.200.120.62
81.236.139.178
82.228.146.182
82.234.221.53
82.24.140.21
82.247.25.226
82.247.78.69
82.253.172.220
82.29.90.8
82.36.245.69
82.40.42.232
82.47.165.246
82.47.9.35
83.14.223.198
83.86.32.36
83.86.75.24
84.121.60.115
84.192.249.149
84.25.33.183
84.41.241.173
84.75.43.183
85.168.116.188
85.187.221.25
85.84.1.44
86.101.105.12
86.101.15.116
86.7.42.223
88.161.35.194
89.34.221.209
89.35.18.216
90.227.1.111
91.134.5.57
 
 Re: P.H.P use of resources & spambot swarm
Author: S.Enbom   (29 May 07 10:26am)
Some of the spam they give leads to an .edu site.

A couple of days ago each message they spammed contained up to 4 different poorly maintained forums on various american and canadian colleges and other similar forums. The admins I mailed where a bit surprised and took care of the forums quite quickly. The one below seems to be cleande up already too.



Blonde teen with huge tits rides principal cock like a pro <a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/adult.html>Adult Escorts </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/amateur.html>Uk Free Swingers Websites </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/anal.html>Anal Hardcore Fist </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/asian.html>Celebrities Nudity Japanese Teenagers </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/ass.html>Black Teen Booty </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/babe.html>Blonde Bikini Fitness Model </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/barelylegal.html>Young Blondes </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/bdsm.html>Birthday Spankings </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/bigdick.html>Big Dick Shemales </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/bikini.html>Teen Girls Bikini </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/blowjob.html>Oral Yeast Infection </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/boobs.html>The Big Breast Archive </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/cartoon.html>3d Porn Cartoons </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/celebrity.html>Celeb Sex Scene </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/cheerleader.html>Manchester Community College </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/closeup.html>Clit Stories </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/coed.html>Hot Asian Girls </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/creampie.html>Creampie Eating Men </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/dildo.html>Dildo Slut </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/drunk.html>Passed Out Drunk Girls </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/ebony.html>Exploited Black Teen Movies </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/erotica.html>Free Adult Story Site </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/famous.html>Trish Stratus Sexy </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/fat.html>Fat Chicks Porn </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/female.html>Horny Old Women </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/femdom.html>Femdom Secretary </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/fetish.html>Effects Of Smoking Weed </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/fisting.html>Girls Fingering Their Selves </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/free.html>Free Hardcore Sex Videos </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/gay.html>Gay Father Son </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/group.html>Gangbang Facials </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/hairy.html>Gay Hairy Sex </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/handjob.html>Hand Job Cumshot </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/hardcore.html>Mouth Fucking </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/hentai.html>Final Fantasy 8 Hentai </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/hot.html>Lindsay Lohan Sexy </a><a href=http://www.kuesc.engr.ku.edu/nodes/expo/subpages_expo/_---Registration---/_log/incest.html>Teens Incest </a>
 
 Re: P.H.P use of resources & spambot swarm
Author: S.Enbom   (31 May 07 8:35am)
Actually, incredibly, the User- Agent isn't just

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It's

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

There's "User-Agent" in there too, so he's really blown it by not being able to fake a real browser user-agent string. This spam-run still continues from all and all over 600 IPs. All getting a slow 403 page on my site.
 
 Re: P.H.P use of resources & spambot swarm
Author: M.Zraik   (29 Jun 08 12:18am)
Hello,

It looks as though you are using pattern matching on the words themselves. It may serve you better to match on special characters such as <> .. | /, etc., in order to catch and trigger a filter. Most if not all spamming includes a link, or an insertion attempt, reverse directory transversal attempt; All of which need the special characters. If you don't allow posting of links, then your job is simple, don't allow those characters through, gracefully stop the script and exit, thus reducing resources spent on the un-wanted.

I do a lot of perl scripting, not PHP, but I am sure there is a way to place a routine or function to handle this. Use the error 410 in your .htaccess rather than 403 for your re-write rules when blocking ip's. This helps when you are scanning your statistics to separate legitimate errors from spammers.

Happy Hunting
M.Zraik



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email