Content-Type: text/shitpost


Subject: An unusual web site attack
Path: you​!your-host​!ultron​!uunet​!asr33​!hardees​!brain-in-a-vat​!am​!plovergw​!ploverhub​!shitpost​!mjd
Date: 2018-08-09T11:52:17
Newsgroup: misc.test.attack
Message-ID: <e8e02a888b255fe0@shitpost.plover.com>
Content-Type: text/shitpost

Web blog website was extensively probed yesterday. This is a common occurrence, but this probe had some peculiar features.

  • All the probes came from the same address, 42.51.216.29.

  • The 3,300 probes were mostly against URLs like /admin/index/php and /admin/index.aspx. Usually, attackers have a list of paths at which there have been past security holes. This attacker seems to be hoping to discover something new. (Every one of them was 404.)

  • There were a number of requests for random-sounding pages ending in .jpg, such as /tsnFile/UserFiles/Image/diaosi.asp/bdddf17533.jpg. If this was intended to disguise the activity, it wasn't doing a very good job. A bug?

  • The referring-url was http://www.nmily.com//Ac2.asp;.jpg. Generated at random perhaps? Some of the probed URLs were things like /Ac2.asp;.jpg and /sjurj54220.asp;.jpg.

  • The claimed user agent was

    Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html
    

    Followed by the bytes 0xA3 0xA9.

  • When I did a reverse DNS lookup on the client address, I got the nonsense hostname idc.ly.ha. There is no such domain .ha. HA is not even a valid ISO 3166 country code.

    When I did a traceroute, I saw what was going on with idc.ly.ha:

    11  219.158.101.222 (219.158.101.222)  271.170 ms pc146.zz.ha.cn (61.168.250.146)  229.898 ms 219.158.101.222 (219.158.101.222)  271.159 ms
    12  hn.kd.ny.adsl (182.118.124.66)  233.331 ms pc130.zz.ha.cn (61.168.37.130)  287.333 ms  276.773 ms
    13  pc146.zz.ha.cn (61.168.250.146)  273.772 ms htuidc.bgp.ip (103.22.188.98)  237.818 ms  238.415 ms
    14  * * hn.kd.ny.adsl (182.118.124.66)  278.467 ms
    15  htuidc.bgp.ip (103.22.188.98)  276.015 ms *  276.096 ms
    16  * idc.ly.ha (42.51.216.29)  465.040 ms  419.584 ms
    

    Someone is running a bunch of hosts (botnet maybe?) and advertising PTR records with random hostnames. (There is actually a .ha.cn, but I doubt it is really involved.) Or do the returning ICMP package have fake source addresses?

It's all pretty weird.