May 26, 2004

Live capture comment spammer logs

Yesterday afternoon I went to take a quick look at my logs, only to notice that a comment spammer was hitting me in real time. When I realized what was occurring, I immediately went to ban the offending IPs as they appeared. Here are the logs, and I want to point out a few things to y'all.

First, take a look at the HTTP error codes.
HTTP 403 - IPs I've banned. It appears that some of the IPs that hit me on Tuesday were ones that were used in previous comment spamming attacks. This means that the comment spammers probably only have a set number of cracked machines that they can use. This also means that IP banning after being attacked will help alleviate the problem.
HTTP 405 - method not allowed. I've throttled MT to only accept comments after a certain amount of time. And the idiot who created this script apparently was unaware of this limitation, thus his comments are being rejected.


Host: 64.124.222.172 [Attack script on webserver - IP WHOIS resolves to above.net]
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 16:18:53
Http Version: HTTP/1.1"
Size in Bytes: 1010


Host: 24.97.4.148
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:19
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 200.202.216.162
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:18
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 66.186.173.42
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 16:01:16
Http Version: HTTP/1.0"
Size in Bytes: 998
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 69.10.70.130
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:16
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 64.124.222.172 [Attack script]
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 16:01:15
Http Version: HTTP/1.1"
Size in Bytes: 1010


Host: 219.117.212.87
Url: /blog/archives/001202.html
Http Code : 200
Date: May 25 16:01:15
Http Version: HTTP/1.0"
Size in Bytes: 8602
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 213.171.57.162 [Surprise, this IP is from .ru]
Url: /blog/styles-site.css
Http Code : 200
Date: May 25 16:00:45
Http Version: HTTP/1.1"
Size in Bytes: 6026
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) [Looks like a legit browser.]


Host: 200.180.247.230
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:19
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 198.26.130.36
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:17
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 61.120.94.198
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:16
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 80.82.139.21
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:14
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 203.22.206.51
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:02
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 212.25.77.189
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 15:57:00
Http Version: HTTP/1.0"
Size in Bytes: 998
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 203.122.54.129
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:56:58
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 80.49.24.15
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:56:55
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 63.171.110.188
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:56:48
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)


Host: 200.163.234.2
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:56:36
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

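As an added example (not part of the original post), here is a small Python script that reads entries in the layout shown above, tags each status the way the post explains it (403 = already banned, 405 = rejected by the MT comment throttle), and flags the run itself by looking for many distinct IPs that share one User-Agent against one URL inside a few minutes. The sample entries are a transcribed subset of the log above; the year, the five-minute window, the four-host threshold and the Apache .htaccess output are assumptions, not anything the post states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the entries in the log above, transcribed in
# the same "Field: value" block layout. Not a live feed.
SAMPLE_LOG = """\
Host: 64.124.222.172 [Attack script]
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 16:01:15
Http Version: HTTP/1.1"
Size in Bytes: 1010

Host: 24.97.4.148
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:19
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Host: 200.202.216.162
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:18
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Host: 66.186.173.42
Url: /blog/archives/001202.html
Http Code : 403
Date: May 25 16:01:16
Http Version: HTTP/1.0"
Size in Bytes: 998
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Host: 69.10.70.130
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 16:01:16
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Host: 219.117.212.87
Url: /blog/archives/001202.html
Http Code : 200
Date: May 25 16:01:15
Http Version: HTTP/1.0"
Size in Bytes: 8602
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Host: 213.171.57.162
Url: /blog/styles-site.css
Http Code : 200
Date: May 25 16:00:45
Http Version: HTTP/1.1"
Size in Bytes: 6026
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Host: 200.180.247.230
Url: /blog/archives/001202.html
Http Code : 405
Date: May 25 15:57:19
Http Version: HTTP/1.0"
Size in Bytes: 318
Referer: http://www.cleverhack.com/blog/archives/001202.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
"""

LOG_YEAR = 2004  # assumed: the log lines carry no year, the post date does

# What the post says each status means for this site.
STATUS_MEANING = {403: "banned", 405: "throttled", 200: "served"}


def parse_entries(text):
    """Split blank-line-separated blocks into dicts keyed by the lower-cased
    field name; strip the author's bracketed notes from Host and the stray
    quote that trails the HTTP version."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only; Date keeps its own
            value = value.strip().rstrip('"')
            key = key.strip().lower()
            if key == "host":
                value = re.sub(r"\s*\[.*\]$", "", value)
            entry[key] = value
        entry["time"] = datetime.strptime(f"{LOG_YEAR} {entry['date']}", "%Y %b %d %H:%M:%S")
        entry["code"] = int(entry["http code"])
        entries.append(entry)
    return entries


def classify(entry):
    return STATUS_MEANING.get(entry["code"], "other")


def find_spam_runs(entries, window=timedelta(minutes=5), min_hosts=4):
    """Group hits by (url, agent); flag a group when at least min_hosts distinct
    IPs hit it inside one window. One User-Agent string shared by unrelated IPs
    within a couple of minutes is the fingerprint of a distributed script."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["url"], e.get("agent", ""))].append(e)
    runs = []
    for (url, agent), hits in groups.items():
        hits.sort(key=lambda e: e["time"])
        for i, first in enumerate(hits):
            hosts = {e["host"] for e in hits[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                banned = {e["host"] for e in hits if e["code"] == 403}
                runs.append({"url": url, "agent": agent, "hosts": sorted(hosts),
                             "already_banned": sorted(banned & hosts),
                             "to_ban": sorted(hosts - banned)})
                break
    return runs


def deny_block(hosts):
    """Apache 1.3/2.x .htaccess access control (assumed: the post does not say
    how its IP bans are implemented)."""
    return "\n".join(["Order allow,deny", "Allow from all"] + [f"Deny from {h}" for h in hosts])


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for e in entries:
        print(f"{e['time']:%H:%M:%S} {e['host']:<16} {e['code']} {classify(e)}")
    for run in find_spam_runs(entries):
        print(f"\nrun against {run['url']} by {len(run['hosts'])} hosts, agent: {run['agent']}")
        print(f"already banned: {run['already_banned']}")
        print(deny_block(run["to_ban"]))
```

Note that the script deliberately groups on the User-Agent as well as the URL: every 403 and 405 host in the log above presents the identical "MSIE 5.5; Windows 98; Win 9x 4.90" string and the target page itself as Referer, so that string is as usable a fingerprint for this run as the IP list, and it survives the spammer rotating to a machine you have not banned yet. The 64.124.222.172 entries, which carry no Agent at all, fall into their own group and are not flagged by this rule; the .ru visitor on the stylesheet is a separate single-host group and stays untouched.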
Posted by joy at May 26, 2004 01:14 PM