Subject: An unusual web site attack
Date: 2018-08-09T11:52:17
Web blog website was extensively probed yesterday. This is a common occurrence, but this probe had some peculiar features.

  • All the probes came from the same address,

  • The 3,300 probes were mostly against URLs like /admin/index/php and /admin/index.aspx. Usually, attackers have a list of paths at which there have been past security holes. This attacker seems to be hoping to discover something new. (Every one of them was 404.)

  • There were a number of requests for random-sounding pages ending in .jpg, such as /tsnFile/UserFiles/Image/diaosi.asp/bdddf17533.jpg. If this was intended to disguise the activity, it wasn't doing a very good job. A bug?

  • The referring-url was;.jpg. Generated at random perhaps? Some of the probed URLs were things like /Ac2.asp;.jpg and /sjurj54220.asp;.jpg.

  • The claimed user agent was

    Mozilla/5.0 (compatible; Baiduspider/2.0; +

    Followed by the bytes 0xA3 0xA9.

  • When I did a reverse DNS lookup on the client address, I got the nonsense hostname There is no such domain .ha. HA is not even a valid ISO 3166 country code.

    When I did a traceroute, I saw what was going on with

    11 (  271.170 ms (  229.898 ms (  271.159 ms
    12  hn.kd.ny.adsl (  233.331 ms (  287.333 ms  276.773 ms
    13 (  273.772 ms htuidc.bgp.ip (  237.818 ms  238.415 ms
    14  * * hn.kd.ny.adsl (  278.467 ms
    15  htuidc.bgp.ip (  276.015 ms *  276.096 ms
    16  * (  465.040 ms  419.584 ms

    Someone is running a bunch of hosts (botnet maybe?) and advertising PTR records with random hostnames. (There is actually a, but I doubt it is really involved.) Or do the returning ICMP packets have fake source addresses?

It's all pretty weird.
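The observations above (one client, thousands of 404s, script names used as directories or given a ";.jpg" suffix, a Baiduspider user agent with two stray high bytes, and a PTR record that does not fit the claim) can be turned into a small triage pass over the access log. The following is an added example, not code from the original post; it uses constructed log lines in combined log format with RFC 5737 documentation addresses, and the Baidu reverse-DNS suffix list (baidu.com / baidu.jp) is this example's assumption, not something the post states. The log is handled as bytes and decoded with latin-1 so that the 0xA3 0xA9 bytes survive; under GBK those two bytes are the fullwidth right parenthesis U+FF09, which is a plausible reading of how the "(compatible; ..." string was meant to be closed.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's real log). The scanner's UA ends in the raw
# bytes 0xA3 0xA9 that the post mentions; everything else is made up for the demo.
BAIDU_UA = b"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html\xa3\xa9"
BROWSER_UA = b"Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"
SCANNER, VISITOR = b"203.0.113.10", b"198.51.100.7"   # RFC 5737 placeholder addresses

def _line(ip, path, status, referer, ua):
    return (ip + b' - - [08/Aug/2018:10:01:02 +0000] "GET ' + path + b' HTTP/1.1" '
            + status + b' 0 "' + referer + b'" "' + ua + b'"')

SAMPLE_LOG = b"\n".join([
    _line(SCANNER, b"/admin/index/php", b"404", b"http://203.0.113.10/a.asp;.jpg", BAIDU_UA),
    _line(SCANNER, b"/admin/index.aspx", b"404", b"http://203.0.113.10/a.asp;.jpg", BAIDU_UA),
    _line(SCANNER, b"/tsnFile/UserFiles/Image/diaosi.asp/bdddf17533.jpg", b"404", b"-", BAIDU_UA),
    _line(SCANNER, b"/Ac2.asp;.jpg", b"404", b"-", BAIDU_UA),
    _line(SCANNER, b"/sjurj54220.asp;.jpg", b"404", b"-", BAIDU_UA),
    _line(VISITOR, b"/blog/2018/08/post.html", b"200", b"-", BROWSER_UA),
    _line(VISITOR, b"/favicon.ico", b"404", b"-", BROWSER_UA),
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(raw: bytes) -> list:
    """Decode with latin-1 (byte -> code point, lossless) and parse combined format."""
    records = []
    for line in raw.decode("latin-1").splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

# Path shapes quoted in the post: a script name used as a directory in front of an
# image filename, and a ";.<ext>" suffix glued onto a script name.
SCRIPT_AS_DIR_RE = re.compile(r"\.aspx?/[^/]+\.(?:jpe?g|gif|png)$", re.I)
SEMICOLON_EXT_RE = re.compile(r";\.\w+$")

def path_flags(path: str) -> list:
    flags = []
    if SCRIPT_AS_DIR_RE.search(path):
        flags.append("script-as-directory")
    if SEMICOLON_EXT_RE.search(path):
        flags.append("semicolon-extension")
    return flags

def _non_ascii(ua: str) -> bytes:
    return bytes(b for b in ua.encode("latin-1") if b > 0x7F)

def ua_flags(ua: str) -> list:
    flags = []
    junk = _non_ascii(ua)
    if junk:
        flags.append("non-ascii-bytes:" + junk.hex())
    if "baiduspider" in ua.lower():
        flags.append("claims-baiduspider")
    return flags

def decode_tail(ua: str, codec: str = "gbk") -> str:
    """Read the UA's non-ASCII bytes in a legacy codec; 0xA3 0xA9 is GBK for U+FF09."""
    try:
        return _non_ascii(ua).decode(codec)
    except UnicodeDecodeError:
        return ""

def triage(records: list, min_requests: int = 5, min_404_ratio: float = 0.8) -> dict:
    """Per-client summary; 'scanner' = busy, almost only 404s, and at least one flag."""
    by_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "flags": set()})
    for r in records:
        s = by_ip[r["ip"]]
        s["requests"] += 1
        s["not_found"] += int(r["status"] == "404")
        s["flags"].update(path_flags(r["path"]) + ua_flags(r["ua"]))
        if SEMICOLON_EXT_RE.search(r["referer"]):
            s["flags"].add("semicolon-extension-referer")
    for s in by_ip.values():
        ratio = s["not_found"] / s["requests"]
        s["ratio_404"] = round(ratio, 2)
        s["scanner"] = s["requests"] >= min_requests and ratio >= min_404_ratio and bool(s["flags"])
    return dict(by_ip)

# Assumed suffixes for the genuine crawler's reverse names (this example's assumption).
GENUINE_CRAWLER_SUFFIXES = {"baiduspider": (".baidu.com", ".baidu.jp")}

def verify_crawler_claim(ua: str, ptr_hostname) -> str:
    """Offline check of a crawler claim against an already-looked-up PTR name
    (None if the lookup returned nothing). A suffix match is only half the job:
    the PTR name must also resolve forward to the client address."""
    claim = next((k for k in GENUINE_CRAWLER_SUFFIXES if k in ua.lower()), None)
    if claim is None:
        return "no-crawler-claim"
    if not ptr_hostname:
        return "claim-without-ptr"
    if ptr_hostname.rstrip(".").lower().endswith(GENUINE_CRAWLER_SUFFIXES[claim]):
        return "ptr-suffix-matches (forward-confirm before trusting)"
    return "ptr-mismatch"

if __name__ == "__main__":
    for ip, s in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, s["requests"], s["ratio_404"], sorted(s["flags"]), "SCANNER" if s["scanner"] else "")
    spider = BAIDU_UA.decode("latin-1")
    print("UA tail as GBK:", repr(decode_tail(spider)))
    print("PTR check:", verify_crawler_claim(spider, "random-name.ha"))   # constructed nonsense PTR
```

Running it marks 203.0.113.10 as a scanner on the strength of the 404 ratio plus the path and user-agent flags, while the ordinary visitor with one stray favicon 404 is left alone. The PTR check deliberately takes the reverse name as an argument: in a real pipeline you would feed it the result of the reverse lookup, and treat even a matching suffix as unconfirmed until the forward lookup agrees.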