Stupid Script Kiddies (or really dumb spambot.)

For those who sometimes enjoy seeing the truly stupid things script kiddies do, here’s an interesting request from my server log:

190.75.219.125 - - [20/Jun/2013:13:30:55 -0700] "GET / HTTP/1.1" 200 366 "http://rankexploits.com/musings/2009/the-trouble-with-revkins-critics/+++++++++++Result:+forum+not+found+/+could+not+find+IP+Result:+forum+not+found+/+could+not+find+IP+Result:+forum+not+found+/+could+not+find+IP+Result:+this+IP+is+banned+-+changing+proxy+1+one;+no+post+sending+forms+are+found;+Result:+forum+not+found+/+could+not+find+IP+Result:+forum+not+found+/+could+not+find+IP" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"

ZBblock blocks this by default. But I had to chuckle at a script so buggy that it adds what must be its own error messages to the URI. Let’s see: “forum not found”? “This IP is banned”? “Changing proxy”? “No post sending forms are found”? This has got to be the buggiest spambot ever!

39 thoughts on “Stupid Script Kiddies (or really dumb spambot.)”

  1. Looks more like someone commented a line of code, and then forgot the comment separator.

    Some of these people must be very new to programming, and it shows.

    Just ups the numbers unfortunately.

  2. Who are these guys? Kids?
    It does seem like it would be fun and interesting to develop, test, and run bots. Maybe this is the modern-day activity equivalent to building radios and relay based computers back in the ’50s.

    I do appreciate that you’ve written at length on this subject in the past, but could you again suggest what the range of their objectives could include, beyond just doing it to see if they can? IOW, can there be a practical purpose to this – and I realize that Google and some of the others have a very practical purpose, one that has been an incredible benefit to me in recent years making it possible to quickly find information that was impossible to discover even 10 or 15 years ago.

  3. Script kiddies use bots to (try to) make money. The most common way is to spam comments that work as advertisements. It is easier than you might expect to hire someone to do that.

    They also try to break into machines to gain resources, both by stealing from the machines and by taking control of them. They also sometimes use bots to DoS machines to disrupt service (also something you can hire people to do).

    There are lots of other reasons bots are used, but those three are the main ones for script kiddies.

  4. j ferguson,
    The motivations are many and range from:
    1) Leaving a link in a spam comment to attract someone to click the link, visit another site and buy something to
    2) Hack in to a site, get all the user passwords and other information to do something like identity theft or direct theft.

    This “+no+post+sending+forms+are+found;” looks like it was looking for a ‘post’ form. That could be a comment form, but it could be some other form (search entry etc.) Many of the bots look for a post form. If they find one, they test out entering certain specific types of garbage to try to figure out if the system is vulnerable to certain threats.

  5. Hi Lucia,
    Our boat is advertised for sale on two suitable sites which report hits. Our broker seemed impressed by the numbers ours attracted, so I asked how many were bots and how many people since the site had no apparent way of sorting one from the other. He had no idea what I was talking about, so I explained the concept and suggested that the bot count might be ascertained from the daily count on an old listing – assuming that the real people who might have been interested would all have seen it by now and moved on.

    I’m waiting for his results. I can’t get at the “hit” count myself. I don’t know if he’s paying for hits but if so, I would think that he would expect the listers to distinguish live from robotic in their charges.

    I have a post on the design and code for a small navigation computer at an Arduino interest site where the hits are listed. It has attracted no comments in six months yet gets about 20-25 hits a day. I expect they are all bots.

  6. j ferguson,

    It has attracted no comments in six months yet gets about 20-25 hits a day. I expect they are all bots.

    Quite likely. Any decent advertising site is going to be crawlable and bots are going to find it. If you are advertising for sale, that might be to your advantage since some of those crawlers create other ads. That is: some “shopping bots” exist and create sites that let people find things for sale. Those sites generally pay for themselves by carrying advertising. The thing is: for my site, those visits are worthless because I’m not selling anything. So I’ve identified various ‘shopping bots’ and ban them. But Arduino likely does not ban them– and should not ban them.

  7. Steve Ta, those people don’t even amount to script kiddies. All one does with a Remote Administrative Trojan is get a person to download a file that gives you access to their computer. You aren’t running a program or script. You’re basically just tricking them into giving keys to your house.

  8. I run WUWT on wordpress.com and thus never have to worry about such hilarious diversions, but I can see the entertainment value for you.

    The WP techs tell me though, that WUWT being in the top 5 wordpress blogs worldwide, plus combined with the haters who want to take it down, makes it a high profile target for regular attacks. Therefore, I’m appreciative that I don’t have to deal with these sorts of things.

  9. @j ferguson yes, I’m sure some people view it as dangerous. Fortunately, whether you agree with it or not, it is backed up daily.

  10. j ferguson:

    I have a post on the design and code for a small navigation computer at an Arduino interest site where the hits are listed. It has attracted no comments in six months yet gets about 20-25 hits a day. I expect they are all bots.

    Where’s the link?

  11. J ferguson,
    Selling your boat?!?
    To become a landlubber, or to buy another boat? I got the impression you were attached to MV Arcadian.

  12. Carrick, Thanks.

    We live in an astonishing age. When I was trying to build computers with retired Bell System DPDT relays when I was a kid in the ’50s, I couldn’t find anyone who knew anything about it nor anything in the library. The logic was obvious, to me at least. I had a 28 volt power supply built and lent to me by the guy across the street. I assembled some pretty complicated rigs; one pulse-dialed the phone if you wrote the numbers on a segmented copper pad.

    The Arduino device I reported runs code which includes routines devised by guys in OZ, Germany, NZ, and US. I’ve provided my schematics and codes to sailors in Germany, France, US, and Indonesia. Without the web (and google) we would never have found each other.

    Seeing this happen gives me very great confidence that we are in the dawn of a new age which will foster much more rapid development of all sorts of things in which more than one person is interested.

    If I can be forgiven a possibly political opinion, just as Macaulay observed in 1846, the dreaded debt will be lost in the ensuing boom.

    For myself, after we arrive on land for good, it will be designing, writing the code for, and building the smallest autonomous airplanes (not helicopters) I can. I doubt that I will invent anything, but there are enough variables and challenges to keep me occupied well into my dwindles.

  13. This one in Wednesday’s killed logs is fully too:
    Reconstructed URL: http:// xxxx /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../../../..//proc/self/environ%0000

    Whatever it is trying to submit, it claims to have an email address ‘sample@email.tst’, and it seems to be suggesting the message should tell me it came from ‘SITEURL’ and so on.
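Detection logic for the two kinds of log entries quoted on this page (the spambot that leaks its own status text into the Referer, from the post, and the traversal/null-byte probe reconstructed in this comment), as an added example that is not part of the original post or any commenter’s code. The log lines, IPs and marker strings below are constructed for illustration:

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format, the layout of the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Status text the buggy spambot pasted into its Referer (from the post), and the
# traversal/null-byte markers of the file-inclusion probe in comment 13.
SPAMBOT_MARKERS = ("result: forum not found", "changing proxy", "no post sending forms are found")
LFI_MARKERS = ("../", "/proc/self/environ", "\x00")

def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode '+' and %xx escapes so the markers match the human-readable text.
    rec["referer_decoded"] = unquote_plus(rec["referer"])
    rec["request_decoded"] = unquote_plus(rec["request"])
    return rec

def classify(rec):
    """Return the list of detection tags that apply to one parsed record."""
    tags = []
    if any(s in rec["referer_decoded"].lower() for s in SPAMBOT_MARKERS):
        tags.append("spambot-referer-leak")
    if any(s in rec["request_decoded"] for s in LFI_MARKERS):
        tags.append("lfi-probe")
    return tags

def scan(lines):
    """Return (ip, tags) for every line that triggers at least one detection."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        tags = classify(rec) if rec else []
        if tags:
            hits.append((rec["ip"], tags))
    return hits

# Constructed sample lines using documentation IPs; the first mimics the post's entry.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jun/2013:13:30:55 -0700] "GET / HTTP/1.1" 200 366 "http://example.com/page/'
    '+++Result:+forum+not+found+/+could+not+find+IP+Result:+this+IP+is+banned+-+changing+proxy+1+one;'
    '+no+post+sending+forms+are+found;" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Chrome/10.0.648.204"',
    '198.51.100.9 - - [20/Jun/2013:13:31:02 -0700] "GET /modules/mod_spo/email_sender.php'
    '?spo_site_lang=../../../../..//proc/self/environ%0000 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]
```

The IPs that `scan()` returns are the kind of evidence comment 24 below describes harvesting from the raw logs before deciding what to block.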

  14. Pointman,

    But why on Earth do they want your machine?

    Lots of possibilities. To turn it into a zombie drone they can use for their own purposes. To shove ads into my real content. So on!

    But no, it’s probably not personal. Could be– but probably not.

  15. I feel like I’ve discussed that Pointman post here before so I won’t dwell. Suffice to say, I think it is a stupid post, shows the writer knows far less than he thinks he does and is completely wrong.

    And when I say “I think,” I mean, “Anyone with a fraction of the knowledge the writer pretends to have would know.”

  16. lucia, I’m having a display problem with this page. There’s a large column of empty space tacked onto the left side of the page for me. It doesn’t happen on any other page.

    Ah. The line in the blockquote of your last comment is stretching the page.

  17. Brandon:
    It might have been due to my comment lucia (Comment #116819) which contained very long strings. I put in some soft wordbreaks. That might help.

  18. Wonderful incisive detailed en pointe stuff by Brandon performing in his usual tutu …

    ” … so I won’t dwell”.
    “I think it is a stupid post”
    “the writer knows far less”
    “…a fraction of the knowledge the writer pretends to have would know”

    and of course the wonderful finish to Lucia –

    “…I’m having a display problem with this page”

    Wonderful, wonderful stuff Brandon. I really like you. You’re my hero Brandon Bueller …

    Pointman

  19. Pointman, I’d have given detail as to how your post was wrong, but we both know what happens when I do. You say stupid things, insult people and run away. Why waste the time?

    If someone wants to know why I said what I said, I’ll tell them. Otherwise, I’m content to respond to your worthless self-promotion with mockery. Even that is more than it deserves.

  20. Brandon

    “I feel like I’ve discussed that Pointman post here before so I won’t dwell. Suffice to say, I think it is a stupid post, shows the writer knows far less than he thinks he does and is completely wrong.”

    What do you mean by “completely wrong?”

    Do you mean that every claim he makes is wrong?

    I’m trying to understand your position so we dont misrepresent what you said.

    What do you mean exactly by completely wrong?

  21. I’ve always found it very difficult to be “completely wrong.” I usually screw up the “completely” too.

    Maybe Pointman is on to something.

  22. Oh dear Ferris, I’m embarrassed to have you on my side. Not a palpable hit in sight and me choosing not to split ranks by engaging in some handbagging with your ad homs is “running away.” As yet, no indication of which post you’re talking about, not a detailed point in sight and obviously you’ve taken offense at me having the cheek to comment on another blog you consider your turf. I’m an expert in some areas – get over it Sunshine.

    Sorry Bud, but you’re simply not that big. I’ll comment where I like and as I like. If that offends you, then that’s TS I’m afraid.

    I won’t be intimidated or closed off by you.

    Pointman

  23. j ferguson (Comment #116932)
    June 23rd, 2013 at 3:21 pm
    I’ve always found it very difficult to be “completely wrong.” I usually screw up the “completely” too.
    Maybe Pointman is on to something.

    ########################
    Calling someone completely wrong is akin to saying they “make no sense”.

    I started to go through Pointman’s essay and while there were many things he wrote that I could find issue with or have a nice argument about, I’d hardly say he was completely wrong.
    There were some things he said that it is impossible to be wrong about. Saying he is completely wrong frees the accuser from actually making a case. So, the next move would be to say “he’s completely wrong about the important stuff” so the argument would shift, goal posts moved. It’s much easier to find one mistake and then shout the whole thing is wrong.
    meh. easy game to play.

  24. These messages are gathered from web traffic reports (404 errors) seen around the web. It is probably a bad idea to allow the world to follow your web traffic, but it happens. The links found in such web analyzer reports are used to deconstruct web sites with the goal of exploitation – at least by the experts. The druids out there are less elegant making one think they don’t even know what they’re looking for.

    From Anthony’s comments I’d guess he never looks at the raw web logs or he’d know he is as “vulnerable” as any site is – that represents what the client is attempting to gather, not something the server side creates. Aside from a possible buffer overrun, it is mostly just noise in the logs and harmless, although I harvest the IPs of such flagrant evidence and block the network CIDR block. In your example, a whois report shows the following:

    IP: 190.75.219.125
    inetnum: 190.72/14
    address: Segunda Avenida de los Palos Grandes, 000, Entre Av. Fr
    address: 1060 – Caracas – MI
    country: VE
    address: Segunda Avenida de los Palos Grandes, Entre Av. Fr, 000,
    address: 1060 – Caracas – MI
    country: VE

    So 190.72.0.0/14 goes into the IPTables file along with the meta information, Venezuela, disallowing them to connect to any of the listening ports on my servers. It’s harsh, but I’m doing my part to keep them out of jail :).

  25. Steven Mosher:

    What do you mean by “completely wrong?”

    I mean he is wrong to such an extent I am justified in using mild hyperbole while mocking him. Specifically, every element of his argument is wrong. This is true primarily in a structural way, but it is also true of many specific claims made. It is even true of his conclusion – it’s not just unsupported, but wrong.

    I don’t deny there may be true things in his post of the nature, “Squares have four sides.” I simply think I am justified in disregarding insignificant remarks that in no way support his argument when making a passing insult. It’s akin to a person saying, “My name is Bob” then proceeding to tell a lengthy story that is a complete fabrication. Afterwards:

    “That’s all completely made up.”
    “No it’s not. My name really is Bob.”

    Anyone not willing to allow my use of mild hyperbole should read my phrase “completely wrong” as “completely wrong in its argument.” That’s milder than the criticism I intend, but it is a true statement.

    Pointman:

    Oh dear Ferris, I’m embarrassed to have you on my side. Not a palpable hit in sight and me choosing not to split ranks by engaging with in some hand bagging with your ad homs is “running away.”

    We aren’t on a side, and there were no ad hominems in the example I gave. In fact, there haven’t even been ad hominems in any of my comments.

    obviously you’ve taken offense at me having the cheek to comment on another blog you consider your turf

    I have no idea what delusion would make this seem obvious as there is no truth to it.

    I’m an expert in some areas – get over it Sunshine.

    You suggested the MAC address extracted from an e-mail header might be a uniquely identifiable characteristic. You may be an expert in some areas, but computer security definitely isn’t one of them.

  26. Pointman, there is no ego involved, and there is nothing to “make up.” I insult what you write because what you write is stupid. I insult what you write because it shows you don’t have a fraction of the knowledge you pretend to have. I insult what you write because you’ve misled many people with it.

    People like you are a blight. You take advantage of other people’s ignorance and glorify yourself in the process. You should be shunned and derided for that behavior. The only way to “make up” is to address your behavior – take steps to fix what you’ve done. Most importantly, stop deceiving people about your level of knowledge.

    Do that, and we can get along. Don’t do that, and I will criticize you for misleading people anytime I see you promote things you’ve written that are utter drivel. That’s the same as I’d do with anyone.

    The only difference is I’m tempted to go through your posts, highlight all the stupid things you’ve written and correct them. That’s because you’re the best example of a false authority I’ve ever come across in the field. If I thought there was a market for such an effort, I’d do it.

  27. Ferris, from now on I’ll consider myself insulted. What the hell, I’ll even consider myself blighted, stupid etc etc. Obviously people like my humble self must be hard on such a wonderful person like your good self. You’re beginning to look curiously attractive in a tutu, by the way, but you’re still my hero.

    So, apart from “insult”, “stupid”, “mislead”, “blight”, “advantage of ignorance”, “utter drivel”, “stupid things”, “false authority”, was there anything else you wanted to say to me?

    Pointman

    ps. So then, do I take it there’s no chance of us kissing and making up … ?
