Idiots

Noli arrogantium iniurias pati
(Don't let the bastards grind you down)

Zombie Server 2004

Well, I've just looked at the log for the honeypot and found that somebody has been downloading literally thousands of email addresses - no doubt they think that they will be able to make a whole load of money out of their efforts. Maybe they can. Maybe people are stupid enough to buy thousands (or millions) of email addresses and pay good money. Good luck to them because one thing is for certain - the ones that they downloaded from my honeypot won't work.

Whether they are using bot networks of compromised Windows machines (is it still legal to point a Windows machine at the Internet?) or just one, some idiot will be trying to spam us all with his unwanted rubbish.

There are some interesting things about this particular download session:

  • it all came from one IP address (205.209.134.60);
  • it was done in a few blocks of time, notably:
    • 08/May/2005:04:46:20 +0100 to 08/May/2005:07:47:08 +0100 (177,000 addresses);
    • 08/May/2005:10:49:55 +0100 to 08/May/2005:11:04:31 +0100 (11,000 addresses); and then,
    • one page on its own at 09/May/2005:06:41:42 +0100 (1,000 addresses).
  • this one IP address downloaded all of these pages. Now, those of you with proper firewalls will know that you can have several browsers appearing to come from one IP address but if that was the case, the distribution of times between downloads would be different - this was fairly even, suggesting that it was a single machine running a script;
  • inspection of a grepped extract of the server log showed that the html files with the email addresses in them were downloaded out of the order that they were in on the honeypot's home page and that there was not a single code 304 - again, if it was a human on a browser and clicking on links at random, you would expect there to be some repeated requests for a download. Even if there were many browsers and no gateway caching (thus no explicit 304s), somebody would have downloaded the same page as someone else (downloading was almost 95 per cent of the site) but there were no duplicate downloads - each page was only downloaded once.
  • the agent identity was different for virtually every download. If this was real, there would be an unholy range of browsers for any admin to maintain. Now, I suspect that the person behind this thought to him/herself that if they used only one agent identity, it would cause a spike that would draw attention to the incident whereas, different browsers would not.
It is interesting the amount of trouble they will go to in order to hide their tracks.
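The observations above (one source address, evenly spaced requests, no 304s, no repeated pages, a different user agent on nearly every hit) make a usable detection profile for a scripted harvester. The following is an added example, not code from the original post: it parses Apache combined-format log lines, builds those four features per client address, and flags addresses that match the harvester pattern. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds in is_scripted_harvester are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format, the shape the honeypot log above is in.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Per-IP features that separate a script from a person clicking links."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        # Coefficient of variation of inter-request gaps: near 0 means the
        # metronomic timing of a script, a human is far more irregular.
        cov = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0
        profiles[ip] = {
            "requests": n,
            # distinct user agents per request; ~1.0 means a new UA every hit
            "agent_ratio": len({r["agent"] for r in recs}) / n,
            # share of conditional-GET hits; a real browser revisiting produces some
            "not_modified_ratio": sum(r["status"] == 304 for r in recs) / n,
            # share of requests that fetched a page this client already fetched
            "duplicate_ratio": 1 - len({r["path"] for r in recs}) / n,
            "gap_cov": cov,
        }
    return profiles


def is_scripted_harvester(p, min_requests=5):
    # Thresholds are assumptions for this example; tune them on your own logs.
    return (p["requests"] >= min_requests
            and p["agent_ratio"] >= 0.8
            and p["not_modified_ratio"] == 0
            and p["duplicate_ratio"] == 0
            and p["gap_cov"] < 0.25)


def flagged_ips(lines):
    return sorted(ip for ip, p in profile_clients(lines).items() if is_scripted_harvester(p))


def _log(ip, ts, path, status, agent):
    # helper to build constructed sample lines in combined format
    return f'{ip} - - [{ts} +0100] "GET {path} HTTP/1.1" {status} 5123 "-" "{agent}"'


# Constructed sample log: one scripted client rotating user agents, pulling
# pages out of order every 2 seconds, and one person browsing normally.
_SCRAPER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)",
    "Mozilla/4.0 (compatible; MSIE 6.0; AOL 7.0; Windows NT 5.1; Creative)",
    "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 4.3.5.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030527",
    "Mozilla (X11; I; Linux 2.0.32 i586)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)",
    "Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.20-xfs; X11)",
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.11  [en]",
]
_SCRAPER_PAGES = ["07", "03", "11", "01", "09", "05", "02", "08"]
SAMPLE_LOG = [
    _log("192.0.2.10", f"08/May/2005:04:46:{20 + 2 * i:02d}", f"/e/{pg}.html", 200, ua)
    for i, (pg, ua) in enumerate(zip(_SCRAPER_PAGES, _SCRAPER_AGENTS))
] + [
    _log("198.51.100.7", "08/May/2005:10:12:01", "/index.html", 200, "Mozilla/5.0 (X11; Linux) Firefox"),
    _log("198.51.100.7", "08/May/2005:10:12:04", "/e/01.html", 200, "Mozilla/5.0 (X11; Linux) Firefox"),
    _log("198.51.100.7", "08/May/2005:10:12:44", "/e/02.html", 200, "Mozilla/5.0 (X11; Linux) Firefox"),
    _log("198.51.100.7", "08/May/2005:10:12:46", "/e/01.html", 304, "Mozilla/5.0 (X11; Linux) Firefox"),
    _log("198.51.100.7", "08/May/2005:10:14:46", "/e/03.html", 200, "Mozilla/5.0 (X11; Linux) Firefox"),
    _log("198.51.100.7", "08/May/2005:10:14:55", "/index.html", 304, "Mozilla/5.0 (X11; Linux) Firefox"),
]

if __name__ == "__main__":
    for ip, p in profile_clients(SAMPLE_LOG).items():
        print(ip, p, "HARVESTER" if is_scripted_harvester(p) else "")
```

Run it against a real access log with `profile_clients(open("access.log"))`; the rotating-agent check alone is not conclusive (a NAT gateway in front of many users also shows many agents from one address), which is why the timing regularity and the absence of any 304 or repeated page are required as well.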

These are some examples of the user agents used...

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; (R1 1.3); .NET CLR 1.0.3705)"
"Mozilla/4.0 (compatible; MSIE 6.0; AOL 7.0; Windows NT 5.1; Creative)"
"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 4.3.5.0)"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; Avant Browser [avantbrowser.com])"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.3.1.0; FunWebProducts)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Creative; Crazy Browser 1.0.5; .NET CLR 1.0.3705)"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030527 Mozilla Firebird/0.6"
"Mozilla (X11; I; Linux 2.0.32 i586)"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; fr; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; FREE; Wanadoo 5.3; Wanadoo 5.5)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; PKBL008; Creative)"
"Mozilla/4.0 (compatible; MSIE 6.0; AOL 4.0; Windows 98)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt; yie6-fr; Wanadoo 5.6)"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; fr-FR; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; Wanadoo 5.1; Wanadoo 5.2; Wanadoo 5.3; Wanadoo 5.5)"
"Mozilla/4.0 (compatible; MSIE 4.01; Windows 98; PKBL008)"
"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.03  [en]"
"Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.20-xfs; X11)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; FunWebProducts; .NET CLR 1.1.4322)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Wanadoo Câble 5.6)"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030210"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.11  [en]"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt; iOpus-I-M)"
"Mozilla/5.0 (Windows; U; Win98; fr; rv:1.5) Gecko/20031007 Firebird/0.7"