Up to no good ?

FeuerFrei

Diamond Member
Mar 30, 2005
Just banned this guy from the website I operate.

Looking at the referrer it's safe to assume he's up to no good, right?

74.208.184.75 - - [30/Jul/2013:09:55:02 -0400] "GET / HTTP/1.1" 200 4431 "file:///C:/Users/Administrator/Desktop/lists/domains_3/domainsorg_3_4.csv" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

I should probably add that the visitor then went on to request a dozen html pages without requesting the embedded .js/.css/.jpgs. Put it all together and it smells fishy.
 
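The two signals in the post above (a file:// referrer and a run of HTML page requests with none of the embedded assets) are easy to score mechanically over a combined-format access log. The following is an added example, not code from the original post or the poster's site: a small parser plus a per-client classifier. The log line from the post is used as-is; the second client (192.0.2.10) and its requests are constructed sample data, and the asset extension list and the page threshold are assumptions to tune for a real site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format:
# ip - - [timestamp] "METHOD path PROTO" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a real browser fetches after rendering a page (assumed list).
ASSET_EXT = ('.js', '.css', '.jpg', '.jpeg', '.png', '.gif', '.ico')

# Constructed sample log: the first line is the one quoted in the thread,
# the 192.0.2.10 lines are a made-up ordinary browser visit for contrast.
SAMPLE_LOG = [
    '74.208.184.75 - - [30/Jul/2013:09:55:02 -0400] "GET / HTTP/1.1" 200 4431 '
    '"file:///C:/Users/Administrator/Desktop/lists/domains_3/domainsorg_3_4.csv" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"',
    '74.208.184.75 - - [30/Jul/2013:09:55:03 -0400] "GET /about.html HTTP/1.1" 200 2100 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '74.208.184.75 - - [30/Jul/2013:09:55:03 -0400] "GET /contact.html HTTP/1.1" 200 1800 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '192.0.2.10 - - [30/Jul/2013:10:01:00 -0400] "GET / HTTP/1.1" 200 4431 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"',
    '192.0.2.10 - - [30/Jul/2013:10:01:01 -0400] "GET /style.css HTTP/1.1" 200 900 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"',
    '192.0.2.10 - - [30/Jul/2013:10:01:01 -0400] "GET /logo.jpg HTTP/1.1" 200 5000 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_local_file_referrer(referrer):
    """file:// referrers mean the link came from the client's own disk (or a
    hand-built header); browsers normally suppress them, so they are rare."""
    return referrer.lower().startswith('file:')


def is_asset(path):
    # Strip any query string before looking at the extension.
    return path.split('?', 1)[0].lower().endswith(ASSET_EXT)


def analyse(lines, min_pages=3):
    """Group requests per client IP and report the suspicious ones with reasons."""
    per_ip = defaultdict(lambda: {'pages': 0, 'assets': 0, 'file_referrers': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined format
        stats = per_ip[rec['ip']]
        if is_asset(rec['path']):
            stats['assets'] += 1
        else:
            stats['pages'] += 1
        if is_local_file_referrer(rec['referrer']):
            stats['file_referrers'].add(rec['referrer'])

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s['file_referrers']:
            reasons.append('file:// referrer')
        # Several pages and not a single stylesheet/script/image: a script, not a browser.
        if s['pages'] >= min_pages and s['assets'] == 0:
            reasons.append('html-only fetch pattern')
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == '__main__':
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, '->', ', '.join(reasons))
```

Run over the sample, the quoted client is flagged on both counts while the constructed browser visit is not. The HTML-only rule alone is weak evidence (text-mode browsers, NoScript users and cached assets produce the same shape), which is why it is combined with the referrer signal rather than used on its own.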

Savatar

Senior member
Apr 21, 2009
From the looks of it he may have just clicked a link in his local csv file in a folder on his desktop. It is unusual, but I can't say it's necessarily malicious.... perhaps he just likes to keep links to his favorite sites in a csv file? From the file name, it sounds like that isn't the only one... he could have just compiled a list of domain names and is checking for availability by clicking them all or something like that. Who knows... it might be overkill blocking someone based on just that unless there are a lot of other weird requests or strange activity from him.

I sometimes browse with noscript and image downloads disabled - so I can't say not requesting those is too unusual either. (Maybe he was just crawling the page?)
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Hard to say for sure, it's either a user with some odd browsing habits, which is very possible, or it could equally be a bot, in which case if it's malicious then it's merely automated and probably nothing to worry about anyway (loads of automated bots crawl the web every day).
 

FeuerFrei

Diamond Member
Mar 30, 2005
From the looks of it he may have just clicked a link in his local csv file in a folder on his desktop. It is unusual, but I can't say it's necessarily malicious.... perhaps he just likes to keep links to his favorite sites in a csv file? From the file name, it sounds like that isn't the only one... he could have just compiled a list of domain names and is checking for availability by clicking them all or something like that. Who knows... it might be overkill blocking someone based on just that unless there are a lot of other weird requests or strange activity from him.

I sometimes browse with noscript and image downloads disabled - so I can't say not requesting those is too unusual either. (Maybe he was just crawling the page?)
Thank you both for the analysis. :hmm: I was having trouble coming up with innocuous reasons to maintain a massive list of .org domains in a desktop folder with numbered subfolders.

I'm thinking it was a visit from someone's personal software script/bot, not a human, given that it twice issued this request - "GET /chop; HTTP/1.1". chop is a javascript variable name used in the index.html page first requested - used in this context "self.main.location.href = chop;" It's not a clickable anchor-tag href.

I'm a bit touchy on security because five weeks ago our site was attacked and pages deleted en masse. I deleted everything on the server and found the hacker was uploading their own (presumably infected) versions of our webpages. Somehow they'd been overwriting our files without changing the modified date - so we hadn't noticed.

I think our site made someone's list of juicy targets.
Believe me, I'm working on fixing that with far more than IP banning.
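The earlier compromise described above went unnoticed because the replaced files kept their modification dates. A timestamp check cannot catch that; a baseline of content hashes can. The following is an added example, not the poster's code: it snapshots a directory tree by SHA-256 and by mtime, then in a constructed scenario inside a temporary directory overwrites one page and restores its timestamps, so the comparison shows what each method sees. File names and contents are made up.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file's contents in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (relative path) to its content hash and mtime in ns."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob('*')):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {'sha256': sha256_of(p), 'mtime_ns': p.stat().st_mtime_ns}
    return snap


def diff_snapshots(before, after):
    """Report files changed by content, files changed by mtime, and additions/removals."""
    common = before.keys() & after.keys()
    return {
        'hash': sorted(f for f in common if before[f]['sha256'] != after[f]['sha256']),
        'mtime': sorted(f for f in common if before[f]['mtime_ns'] != after[f]['mtime_ns']),
        'added': sorted(after.keys() - before.keys()),
        'removed': sorted(before.keys() - after.keys()),
    }


def demo():
    """Constructed scenario: one page is overwritten and its timestamps put back."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / 'index.html').write_text('<html>original</html>')
        (root / 'about.html').write_text('<html>about</html>')
        before = snapshot(root)

        target = root / 'index.html'
        st = target.stat()
        target.write_text('<html>replaced content</html>')
        # Put atime/mtime back exactly, as the thread says happened on the real site.
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == '__main__':
    result = demo()
    print('changed by content hash:', result['hash'])   # ['index.html']
    print('changed by mtime:       ', result['mtime'])  # []
```

In practice the baseline is taken right after a clean deploy, stored somewhere the web server's own account cannot write, and compared on a schedule; any file whose hash differs from the baseline without a matching deploy is the alert, regardless of what the timestamps say.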
 

SecurityTheatre

Senior member
Aug 14, 2011
I think our site made someone's list of juicy targets.
Believe me, I'm working on fixing that with far more than IP banning.

Keep in mind that it's unlikely to be the content that got you on such a list.

Generally attackers just troll around for vulnerable versions of software. They'll write a tool to find version x.x of Drupal or PHPBB or whatever and then attack it.

If you update/change your software, you are unlikely to end up on the same list.

Though it's entirely possible it was someone following up on the previous attack to check on the status of the page... Or perhaps it's a security researcher tracking down previously identified infections.

It's hard to say. It can't hurt to block, really...
 

jaqie

Platinum Member
Apr 6, 2008
Absolute worst case scenario would prolly be a script kiddie.

No hacker worth jack would send non scrubbed referrers.
 

FeuerFrei

Diamond Member
Mar 30, 2005
Basically all the visitor (listed above) did was request the root document, request all html files referenced by that one document, then slunk away. No evident probing for vulnerabilities, yet I banned the IP, FWIW, because the referrer smells funny. Forewarned is foreblocked.

Keep in mind that it's unlikely to be the content that got you on such a list.

Generally attackers just troll around for vulnerable versions of software. They'll write a tool to find version x.x of Drupal or PHPBB or whatever and then attack it.

If you update/change your software, you are unlikely to end up on the same list.

Though it's entirely possible it was someone following up on the previous attack to check on the status of the page... Or perhaps it's a security researcher tracking down previously identified infections.

It's hard to say. It can't hurt to block, really...

Since our site was attacked in June, I've kept our visitor-contact forms offline, as a precaution. There's no sign the third-party mail scripts we employed are still being actively developed, so there are no updates to be had. :\ Plus I'm loath to pay for a form-hosting provider. So if anyone knows offhand a secure PHP script that can stuff some form fields into a pretty HTML email and send it to multiple addresses while referring the submitter to a thank-you page - I'm all ears.