Subject: An unusual web site attack
Path: you!your-host!ultron!uunet!asr33!hardees!brain-in-a-vat!am!plovergw!ploverhub!shitpost!mjd
Date: 2018-08-09T07:52:17
Newsgroup: misc.test.attack
Message-ID: <e8e02a888b255fe0@shitpost.plover.com>
Content-Type: text/shitpost

This blog's web site was extensively probed yesterday. This is a common occurrence, but this probe had some peculiar features.

  • All the probes came from the same address, 42.51.216.29.

  • The 3,300 probes were mostly against URLs like /admin/index/php and /admin/index.aspx. Usually, attackers have a list of paths at which there have been past security holes. This attacker seems to be hoping to discover something new. (Every one of them was 404.)

  • There were a number of requests for random-sounding pages ending in .jpg, such as /tsnFile/UserFiles/Image/diaosi.asp/bdddf17533.jpg. If this was intended to disguise the activity, it wasn't doing a very good job. A bug?

  • The referring URL was http://www.nmily.com//Ac2.asp;.jpg. Generated at random perhaps? Some of the probed URLs were things like /Ac2.asp;.jpg and /sjurj54220.asp;.jpg.

  • The claimed user agent was

    Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html

    followed by the bytes 0xA3 0xA9.

  • When I did a reverse DNS lookup on the client address, I got the nonsense hostname idc.ly.ha. There is no such domain .ha. HA is not even a valid ISO 3166 country code.

    When I did a traceroute, I saw what was going on with idc.ly.ha:

    11  219.158.101.222 (219.158.101.222)  271.170 ms pc146.zz.ha.cn (61.168.250.146)  229.898 ms 219.158.101.222 (219.158.101.222)  271.159 ms
    12  hn.kd.ny.adsl (182.118.124.66)  233.331 ms pc130.zz.ha.cn (61.168.37.130)  287.333 ms  276.773 ms
    13  pc146.zz.ha.cn (61.168.250.146)  273.772 ms htuidc.bgp.ip (103.22.188.98)  237.818 ms  238.415 ms
    14  * * hn.kd.ny.adsl (182.118.124.66)  278.467 ms
    15  htuidc.bgp.ip (103.22.188.98)  276.015 ms *  276.096 ms
    16  * idc.ly.ha (42.51.216.29)  465.040 ms  419.584 ms
    

    Someone is running a bunch of hosts (botnet maybe?) and advertising PTR records with random hostnames. (There is actually a .ha.cn, but I doubt it is really involved.) Or do the returning ICMP packets have fake source addresses?

It's all pretty weird.
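Two things a practitioner would want to check on a probe like this, worked through as an added example (this is editor-supplied code, not the author's, and the log lines and DNS answers in it are constructed to match the post rather than taken from the real server). First, the two trailing bytes: 0xA3 0xA9 is the GB2312 encoding of the full-width right parenthesis "）", so the user-agent string is Baidu's published crawler UA copied in a Chinese-locale editor that swapped the closing ")" for its full-width cousin. Second, the Baiduspider claim itself: a real Baidu crawler reverse-resolves to a hostname under baidu.com or baidu.jp that resolves forward to the same address (forward-confirmed reverse DNS); the names traceroute prints, idc.ly.ha included, are simply whatever PTR records the owner of the reverse zone chose to publish, and the script treats a name with no valid forward record as a failed claim. The `;.jpg` paths are also flagged: on IIS 6, `x.asp;.jpg` was executed as ASP while extension checks saw `.jpg`, so a scanner sending them is profiling for IIS. The script parses Combined Log Format, groups by client, and reports a 404 ratio, the semicolon-extension paths, the decoded UA tail, and the crawler verdict; `fake_ptr` and `fake_forward` stand in for `socket.gethostbyaddr` and `socket.gethostbyname_ex` so it runs offline.

```python
"""Triage of a single-source web probe (added example, not the post author's code).

The log sample and the DNS answer tables below are constructed to match the
post's description; swap fake_ptr/fake_forward for socket.gethostbyaddr and
socket.gethostbyname_ex to run the same logic against live DNS.
"""
import re
from collections import Counter

# Constructed sample in Combined Log Format, kept as bytes because the
# user-agent ends in two bytes (0xA3 0xA9) that are not valid UTF-8.
SAMPLE_LOG = (
    b'42.51.216.29 - - [08/Aug/2018:10:01:02 -0400] "GET /admin/index.aspx HTTP/1.1" 404 162 '
    b'"http://www.nmily.com//Ac2.asp;.jpg" "Mozilla/5.0 (compatible; Baiduspider/2.0; '
    b'+http://www.baidu.com/search/spider.html\xa3\xa9"\n'
    b'42.51.216.29 - - [08/Aug/2018:10:01:03 -0400] "GET /Ac2.asp;.jpg HTTP/1.1" 404 162 '
    b'"http://www.nmily.com//Ac2.asp;.jpg" "Mozilla/5.0 (compatible; Baiduspider/2.0; '
    b'+http://www.baidu.com/search/spider.html\xa3\xa9"\n'
    b'42.51.216.29 - - [08/Aug/2018:10:01:04 -0400] "GET /tsnFile/UserFiles/Image/diaosi.asp/bdddf17533.jpg HTTP/1.1" 404 162 '
    b'"http://www.nmily.com//Ac2.asp;.jpg" "Mozilla/5.0 (compatible; Baiduspider/2.0; '
    b'+http://www.baidu.com/search/spider.html\xa3\xa9"\n'
    b'203.0.113.7 - - [08/Aug/2018:10:02:00 -0400] "GET /index.html HTTP/1.1" 200 5120 '
    b'"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"\n'
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed DNS answers matching the post's observations (not real lookups):
# the PTR for the client is the nonsense name, and that name has no A record.
FAKE_PTR = {'42.51.216.29': 'idc.ly.ha'}
FAKE_A = {}

# Baidu documents that Baiduspider hosts reverse-resolve under these domains.
CRAWLER_PTR_SUFFIXES = {'Baiduspider': ('.baidu.com', '.baidu.jp')}

SEMICOLON_EXT = re.compile(r';\.[A-Za-z0-9]+$')


def parse_log(raw):
    """Parse Combined Log Format bytes; latin-1 keeps every byte recoverable."""
    records = []
    for line in raw.decode('latin-1').splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['status'] = int(rec['status'])
            records.append(rec)
    return records


def ua_trailing_bytes(ua):
    """Return the run of non-ASCII bytes ending the UA and its GB2312 decoding.
    0xA3 0xA9 decodes to U+FF09, the full-width ')' of a Chinese-locale copy."""
    raw = ua.encode('latin-1')
    i = len(raw)
    while i > 0 and raw[i - 1] >= 0x80:
        i -= 1
    tail = raw[i:]
    try:
        return tail, tail.decode('gb2312')
    except UnicodeDecodeError:
        return tail, None


def semicolon_extension_paths(records):
    """Paths like /x.asp;.jpg: IIS 6 executed them as .asp while extension
    checks saw .jpg, so they mark a scanner profiling for old IIS."""
    return sorted({r['path'] for r in records if SEMICOLON_EXT.search(r['path'])})


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, [])


def verify_crawler(ip, ua, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS for a claimed crawler.  Returns
    (True/False, ptr_name) for a claim, or (None, None) if the UA claims none."""
    for token, suffixes in CRAWLER_PTR_SUFFIXES.items():
        if token not in ua:
            continue
        host = ptr_lookup(ip)
        if host is None or not host.lower().endswith(suffixes):
            return False, host
        return ip in forward_lookup(host), host
    return None, None


def triage(records, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """Per-client summary of the signs the post lists: request volume, an
    all-404 run, semicolon-extension paths, the UA tail, and the crawler verdict."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r['ip'], []).append(r)
    report = {}
    for ip, recs in by_ip.items():
        statuses = Counter(r['status'] for r in recs)
        ua = recs[0]['ua']
        verified, ptr = verify_crawler(ip, ua, ptr_lookup, forward_lookup)
        report[ip] = {
            'requests': len(recs),
            'not_found_ratio': statuses[404] / len(recs),
            'semicolon_paths': semicolon_extension_paths(recs),
            'ua_tail': ua_trailing_bytes(ua),
            'crawler_claim_verified': verified,
            'ptr': ptr,
        }
    return report


if __name__ == '__main__':
    for client, info in triage(parse_log(SAMPLE_LOG)).items():
        print(client, info)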