Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

possible spambot/harvester : 207.189.121.58

 
Spyware Warrior Forum Index -> Spam
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Sat Aug 01, 2009 1:08 pm    Post subject: possible spambot/harvester : 207.189.121.58

Some spammers are smarter than others and use tools that do not stand out like a clown in full gear in a church ;). This visitor here was literally screaming for attention (cry for love?):

Quote:
207.189.121.58 - - [01/Aug/2009:17:37:21 +0200] www.example.com "GET /weblog/enrmp139-boiar-para-piratear/ HTTP/1.0" 403 238 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:37:41 +0200] www.example.com "GET /weblog/enrmp139-boiar-para-piratear HTTP/1.0" 403 237 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:38:02 +0200] www.example.com "GET /weblog/ HTTP/1.0" 403 209 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:38:21 +0200] www.example.com "GET /weblog HTTP/1.0" 403 208 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:38:41 +0200] www.example.com "GET / HTTP/1.0" 403 202 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"


This is a bad fake for many reasons:
1. IE 4.0 (like anyone would use a 12-year-old browser ;))
2. Unspecified NT version
3. nonsensical addition (the dots and /1.0 thing)
4. No image, css or js requests

It's been a couple of years since I last saw spambots of that type, so it seems someone dusted off an old "appz" CD. The requested url has been non-existent for ages, but it did appear on several blogspam lists sold in the usual Ruskrainian forums.

Whois reveals an unknown ViaWest customer:

Quote:
%rwhois V-1.5:003fff:00 rwhois.viawest.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:VIAWEST-NETBLOCK-207.189.96.0/19
network:Auth-Area:207.189.96.0/19
network:Network-Name:VW-207.189.121.0-79466
network:IP-Network:207.189.121.0/25
network:Organization;I:VW-CUST-79466
network:Tech-Contact;I:ROUTI-ARIN
network:Admin-Contact;I:ZV2-ARIN
network:Created:20020815
network:Updated:20090726
network:Updated-By:routing (curly sign) viawest.net


Project Honeypot have seen it too:

Quote:
Spider First Seen approximately 5 months, 1 week ago
Spider Last Seen within 1 week
Spider Sightings 55 visit(s)
User-Agents seen with 1 user-agent(s)
IPs In The Neighborhood
207.189.121.42
207.189.121.44
207.189.121.57

207.189.121.58's User Agent Strings
Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )

http://www.projecthoneypot.org/ip_207.189.121.58

Google reveals that this address, along with others in this range, is quite busy visiting websites all across the globe, but without dropping any spam bombs itself. Rather, this seems to be some harvester, but surely nothing legitimate. Needless to say, this brainless wonder did not ask for robots.txt prior to its requests, which is another reason for me to firewall 207.189.121.0/25.

O.


Last edited by olliver on Sun Aug 02, 2009 3:04 am; edited 1 time in total
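The four user-agent tells and the missing asset and robots.txt requests listed in the post above can be turned into a small log-triage script. The following Python is an added example written for this page, not code from the thread or from Spyware Warrior. It parses a constructed sample of combined-format log lines (three modelled on the bot entries quoted above, plus a made-up ordinary browser visit from the documentation range 192.0.2.10), scores each client IP on those heuristics, and also reports the mean gap between a client's requests, since the crawling interval is raised later in the thread. The MSIE version cut-off and the "three or more findings" threshold are assumptions of the example, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three lines modelled on the bot entries quoted in the post
# (same IP and user agent) and four lines for an ordinary browser visit from the
# documentation range 192.0.2.0/24. None of this is copied from a real log file.
SAMPLE_LOG = """\
207.189.121.58 - - [01/Aug/2009:17:37:21 +0200] www.example.com "GET /weblog/enrmp139-boiar-para-piratear/ HTTP/1.0" 403 238 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:37:41 +0200] www.example.com "GET /weblog/ HTTP/1.0" 403 209 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.189.121.58 - - [01/Aug/2009:17:38:41 +0200] www.example.com "GET / HTTP/1.0" 403 202 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
192.0.2.10 - - [01/Aug/2009:17:40:00 +0200] www.example.com "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090624 Firefox/3.5"
192.0.2.10 - - [01/Aug/2009:17:40:02 +0200] www.example.com "GET /weblog/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090624 Firefox/3.5"
192.0.2.10 - - [01/Aug/2009:17:40:03 +0200] www.example.com "GET /style.css HTTP/1.1" 200 2210 "http://www.example.com/weblog/" "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090624 Firefox/3.5"
192.0.2.10 - - [01/Aug/2009:17:40:03 +0200] www.example.com "GET /logo.png HTTP/1.1" 200 4410 "http://www.example.com/weblog/" "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090624 Firefox/3.5"
"""

# Combined log format with a vhost field between the timestamp and the request,
# matching the layout of the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<vhost>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")


def parse_log(lines):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def user_agent_oddities(ua):
    """Return the user-agent tells from the post that apply to one UA string."""
    findings = []
    m = re.search(r"MSIE (\d+)\.\d", ua)
    if m and int(m.group(1)) <= 5:            # assumption: MSIE 5 or older is not a real browser any more
        findings.append("claims obsolete MSIE %s" % m.group(1))
    if re.search(r"Windows NT\s*[;)]", ua):   # 'Windows NT' immediately followed by ; or ) -> no version
        findings.append("Windows NT without version number")
    if re.search(r"\.{3,}\S*\s*\)", ua):      # filler run of dots before the closing paren, e.g. '....../1.0 )'
        findings.append("nonsensical filler token in UA")
    return findings


def is_asset(path):
    """True for the css/js/image requests a real browser makes after fetching a page."""
    return path.lower().split("?", 1)[0].endswith(ASSET_EXT)


def profile_clients(lines, min_findings=3):
    """Group requests by client IP and score each one on the thread's heuristics."""
    by_ip = defaultdict(list)
    for rec in parse_log(lines):
        by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        reasons = []
        for ua in sorted({r["ua"] for r in recs}):
            reasons.extend(user_agent_oddities(ua))
        if len(recs) > 1 and not any(is_asset(r["path"]) for r in recs):
            reasons.append("no css/js/image requests across %d hits" % len(recs))
        if not any(r["path"] == "/robots.txt" for r in recs):
            reasons.append("never fetched /robots.txt")
        # Mean seconds between consecutive requests: a slow, even cadence is another data point.
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "requests": len(recs),
            "reasons": reasons,
            "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
            "suspicious": len(reasons) >= min_findings,   # assumed threshold
        }
    return report


if __name__ == "__main__":
    for ip, info in profile_clients(SAMPLE_LOG.splitlines()).items():
        verdict = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(ip, verdict, info["mean_gap_seconds"], info["reasons"])
```

Run against the sample, the bot IP collects all five findings (three from the user agent, no asset requests, no robots.txt) with a 40-second mean gap, while the browser visit collects none. The per-IP grouping matters: a single 403 with an odd user agent is weak evidence, but a client that never fetches a stylesheet or robots.txt across several page hits is the pattern the post describes.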
sotet
Junior Member


Joined: 10 Sep 2004
Last Visit: 31 Jan 2010
Posts: 47

PostPosted: Sat Aug 01, 2009 5:22 pm    Post subject:

Interesting observations and very detailed, too. Also, when you put that IP in Google (207.189.121.58), you get a lot of results. I see that also as a sign of being majorly compromised.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Sun Aug 02, 2009 12:50 am    Post subject:

sotet wrote:
I see that also as a sign of being majorly compromised.


Well, given the available data, I'm not sure about that: A typical compromised box has a "hit and run" functionality, which makes sense since a botmaster never knows how long a zombie remains good. So there should be some reports about spam blasts or probes for exploitable scripts in order to make a compromise likely. Also, note the crawling interval, which is rather long. This may as well be some kind of "desktop application" constantly running in the background.

But at the end of the day, this is a moot point anyway: I know this /25 is a source of traffic I do not find acceptable and the range is small enough to make false positives pretty unlikely (it belongs to one customer).

O.
All times are GMT - 8 Hours