Web blog website was extensively probed yesterday. This is a common
occurrence, but this probe had some peculiar features.
All the probes came from the same address, 126.96.36.199.
The 3,300 probes were mostly against URLs like
/admin/index.aspx. Usually, attackers have a list of paths at
which there have been past security holes. This attacker seems to be
hoping to discover something new. (Every one of them was 404.)
There were a number of requests for random-sounding pages ending in
.jpg, such as
this was intended to disguise the activity, it wasn't doing a very
good job. A bug?
The referring-url was
Generated at random perhaps? Some of the probed URLs were things
The claimed user agent was
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html
Followed by the bytes 0xA3 0xA9.
When I did a reverse DNS lookup on the client address, I got the
idc.ly.ha. There is no such domain
is not even a valid ISO 3166 country code.
When I did a traceroute, I saw what was going on with
11 188.8.131.52 (184.108.40.206) 271.170 ms pc146.zz.ha.cn (220.127.116.11) 229.898 ms 18.104.22.168 (22.214.171.124) 271.159 ms
12 hn.kd.ny.adsl (126.96.36.199) 233.331 ms pc130.zz.ha.cn (188.8.131.52) 287.333 ms 276.773 ms
13 pc146.zz.ha.cn (184.108.40.206) 273.772 ms htuidc.bgp.ip (220.127.116.11) 237.818 ms 238.415 ms
14 * * hn.kd.ny.adsl (18.104.22.168) 278.467 ms
15 htuidc.bgp.ip (22.214.171.124) 276.015 ms * 276.096 ms
16 * idc.ly.ha (126.96.36.199) 465.040 ms 419.584 ms
Someone is running a bunch of hosts (botnet maybe?) and advertising
PTR records with random hostnames. (There is actually a
but I doubt it is really involved.) Or do the returning ICMP
package have fake source addresses?
It's all pretty weird.