Here is a bit more: Thinking that it must be bots waiting for instructions,
I looked through my comment logs to see if I could find any changes on that
page. I didn't find any on that page but...
Some days ago, on a related but different page... the matching page, if you
will (? Again, I don't want to say the page, but if the page taking hits was
"come in" the page that was commented on would be "go out"), someone calling
themselves "littleb@email.com" made a number of very strange comments:
On 07/14 @ 14:14 from 212.243.13.48 = ip-plus.net
690515136 276083374
http://www.464965820.com
On 07/14 @ 14:15 from 216.126.141.44 = starnetusa.net
690515136 [url=http://www.330987548.com]330987548[/url]
http://www.464965820.com
On 09/07 @ 18:39 from 218.16.122.88 = gddc.com.cn
960998535 858578491
http://www.619433593.com
On 09/07 @ 18:41 from 168.210.90.181 = is.co.za
960998535 [url=http://www.269244384.com]269244384[/url]
http://www.619433593.com
Now, IP addresses can be represented as decimal numbers. E.g.
276083374 = 16.116.178.174
because 174 + (178 * 256) + (116 * 65536) + (16 * 16777216) = 276083374
Reverse DNS on 16.116.178.174 shows it is owned by HP.COM
330987548 = 19.186.120.28 = ford.com
858578491 = 51.44.222.59 = Department of Social Security of the UK
269244384 = 16.12.87.224 = HP.com
If the leading numbers are also decimal IPs...
690515136 = 41.40.108.192 = afrinic.net
960998535 = 57.71.172.135 = equant.com
And the following URLs:
464965820 = 27.182.208.188 = ??? Invalid ???
619433593 = 36.235.206.121 = ??? Invalid ???
If those were more sequential in nature, I would have guessed that they were
date/time stamps. Perhaps of when to start the attack.
Now, there were no such strange hits on this other page around 09/07 but
there were some on 07/14. Those came from only a few different IPs:
212.243.13.48, 216.126.141.44 mostly, with one each from
219.131.196.122, 82.119.225.22, and 202.103.67.47, and all of those had the
user agent string:
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
So, the questions:
- Was that a test? The bot net zombie program being developed?
- Were the target IP addresses at HP, Ford and the UK DSS hit with a DoS or
some other sort of attack?
The thing is, piclist.com isn't like most wiki, blog systems. If you make a
comment, it really does instantly go onto the HTML page, yes, but NO it is
not shown to everyone who views that page. Yes, it IS shown to the person
who posted the comment, but ONLY to their IP address. For example, if
1.2.3.4 posts "hello" on a page, that text is saved in the .htm file. And if
1.2.3.4 then views the page, the text is displayed to him. But if 4.3.2.1
views that same page, the text is removed prior to being displayed. Of
course, I was sent an email when the comment was posted, and if I approve
it, then everyone can see it; but not until then.
So it would be easy for some wannabe bot net master to think that
piclist.com would be just the place to quickly post instructions to his bots
without any danger that the comment would be removed. But it wouldn't work,
because the bots could never see it.
I'm going to also post this on the security news group at grc.com and cc the
respective abuse addresses and whois record holders.
Wow... I think I have access to a bot net... I just have no idea what they
do...
> -----Original Message-----
> From: piclist-bounces@mit.edu
> [mailto:piclist-bounces@mit.edu] On Behalf Of James Newton, Host
> Sent: 2006 Nov 07, Tue 11:46
> To: 'Microcontroller discussion list - Public.'
> Subject: [OT] A botnet is watching a page at piclist.com
> Importance: High
>
> This is just weird:
>
> A few days ago I noticed that a page containing information
> that is not interesting and is commonly available elsewhere
> was becoming very popular on the site. It is now the most
> popular single page with 4352 hits in the last
> 6 days. I'm not going to post the page URL here because I
> don't want to upset what is going on with you all visiting
> the page. Suffice it to say that the page is just about
> stupid and almost empty.
>
> Today I started looking at my server logs to see who was
> linking to that page (expecting to find a referred from URL
> in at least some of the hits) and I was somewhat shocked to
> find that all the hits not only do not specify the referrer,
> they are also from exactly the same user agent:
>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
>
> No variation at all. So I thought that some idiot had
> probably got his site ripping engine stuck on one page. But
> no, the accesses are coming from different IP addresses. No
> single IP address has ever requested the page more than once.
> In fact, none of them have requested ANY page on my server
> anytime in the last 7 days OTHER than this one.
>
> So then I thought it must be a DoS attack, but no, the volume
> is still quite low. In fact: There has not been more than 1
> access from each IP address.
> And each IP address only hits that one page... One time...
>
> So think about this: Thousands of different IP addresses from
> all over the world (mostly outside the USA) are making one
> request of my server for a nothing page and then going away.
>
> These must be zombies. They are running some software that is
> causing them to make this request on first install or once
> every so many days but greater than the 7 days I've checked.
>
> Questions:
>
> - Is the author of the zombie planning to use my page to post
> updated instructions to his program? Piclist.com is a wiki...
> I've locked the page so it can not be modified just in case,
> but I am still allowing it to be viewed.
>
> - Is there some outfit that investigates things like this who
> would be interested to know what I'm seeing?
>
> - If this is a zombie program is its reference to my server
> going to implicate me? In other words, could someone who is
> tracking the zombie and looking for the author think that it
> is me since the program is looking here?
>
> - What would you do if you were me?
>
> ---
> James Newton: PICList webmaster/Admin
> mailto:jamesnewton@piclist.com 1-619-652-0593 phone
> http://www.piclist.com/member/JMN-EFP-786
> PIC/PICList FAQ: http://www.piclist.com
>
>
> --
> http://www.piclist.com PIC/SX FAQ & list archive View/change
> your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist
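Added example (my own code, not James Newton's or piclist.com's): the decimal-to-dotted-quad decoding from the reply above, applied to the spam comment text as transcribed in the post so that a site admin can screen comment logs for addresses hidden as plain integers. The sample lines are constructed from the values quoted on the page.

```python
import ipaddress
import re

# Constructed sample input: the comment bodies as transcribed in the post
# (bare integers, a bare URL, and BBCode [url=...] markup).
SAMPLE_COMMENTS = [
    "690515136 276083374",
    "http://www.464965820.com",
    "690515136 [url=http://www.330987548.com]330987548[/url]",
    "960998535 858578491",
    "http://www.619433593.com",
    "960998535 [url=http://www.269244384.com]269244384[/url]",
]


def int_to_dotted(n: int) -> str:
    """Split a 32-bit integer into four octets, mirroring the arithmetic in
    the post: 276083374 = 174 + 178*256 + 116*65536 + 16*16777216."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} does not fit in 32 bits")
    octets = []
    for _ in range(4):
        n, low = divmod(n, 256)   # peel off the least significant octet
        octets.append(str(low))
    return ".".join(reversed(octets))  # e.g. "16.116.178.174"


def dotted_to_int(addr: str) -> int:
    """Inverse conversion, used to cross-check a decoded address."""
    return int(ipaddress.IPv4Address(addr))


def decode_candidates(lines):
    """Pull every run of digits out of the comment text and return a
    {integer: dotted-quad} map for each one that fits in 32 bits.
    Repeated integers (the 'leading number' posted twice) collapse to one
    entry, so the result lists each distinct hidden address once."""
    found = {}
    for line in lines:
        for tok in re.findall(r"\d+", line):
            n = int(tok)
            if n <= 0xFFFFFFFF:
                found[n] = int_to_dotted(n)
    return found


if __name__ == "__main__":
    for n, addr in sorted(decode_candidates(SAMPLE_COMMENTS).items()):
        print(f"{n:>10} = {addr}")
```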