After the recent security issues with TYPO3 I keep an especially close watch on my servers' mod_security logs. jumpurl attacks come from many IP addresses and they already bore me. However, today I saw something new and interesting:
==c5ec995b==============================
Request: 213.21.217.206 190.196.9.138 - - [15/Feb/2009:15:26:10 +0200] "GET /bug/login_page.php HTTP/1.1" 403 220 "-" "Toata dragostea mea pentru diavola" A2x6cn8AAAIAAEygTEwAAAAs "-"
Handler: redirect-handler
----------------------------------------
GET /bug/login_page.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: 213.21.217.206
Connection: Close
mod_security-message: Access denied with code 403. <rule is hidden> [severity "EMERGENCY"]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1
--c5ec995b--
The user agent and the Host header look interesting. The Host header is the IP address of the server rather than a hostname. On many servers such a request reaches the default virtual host, which makes it easy to detect various software on the server or even to perform a DoS attack against it. On this server all requests to the default host lead to an empty file.
Another interesting part is the user agent. I had never seen it before. Searching the Internet revealed that it belongs to some kind of vulnerability scanner. Good to know. Now it is in my mod_security rules too.
If you are curious what "toata dragostea mea pentru diavola" means: it is Romanian and translates approximately as "All my love is for the devil".
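The two observations above (a known scanner user agent, and requests addressed to the server's bare IP instead of a hostname) can be checked automatically over an Apache combined-format access log. The script below is an added example written for this page; it is not the blog author's code and not the mod_security rule the author mentions. It assumes Apache combined log format, and the list of probe paths and the burst thresholds are assumptions drawn from the paths quoted in this post and its comments. The sample log lines are constructed from the entries quoted on the page.

```python
"""Flag scanner traffic of the kind described in the post (added example, not the author's code).

Three checks:
  1. the "Toata dragostea mea pentru diavola" user agent,
  2. bursts of 403/404 responses for installer/admin probe paths from one client,
  3. Host headers that are a bare IP literal (requests that land on the default vhost).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SCANNER_UA = "Toata dragostea mea pentru diavola"

# Apache combined log: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths seen in the post and comments; the list is an assumption, extend it for your site.
PROBE_RE = re.compile(
    r"/install\.txt$|/program/js/list\.js$|/bin/msgimport$|/includes/general\.js$"
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def is_scanner_ua(rec):
    """Case-insensitive match on the scanner's user agent."""
    return SCANNER_UA.lower() in rec["ua"].lower()


def probe_bursts(records, min_hits=5, window_seconds=60):
    """Return {client_ip: hits} for clients with >= min_hits failed probe requests
    inside any window_seconds-long window (sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] in (403, 404) and PROBE_RE.search(r["path"]):
            by_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged


def host_is_bare_ip(host_header):
    """True when the Host header is an IPv4/IPv6 literal (optional port), not a hostname."""
    host = host_header.strip()
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:80
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                    # name-or-IPv4 with a port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(log_text):
    """Run the user-agent and burst checks over a block of log text."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "scanner_ua_ips": sorted({r["ip"] for r in records if is_scanner_ua(r)}),
        "probe_bursts": probe_bursts(records),
    }


# Constructed sample: five probe lines modelled on the ones quoted in the comments,
# plus one ordinary request (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
75.75.254.96 - - [02/Apr/2010:00:49:07 -0300] "GET /install.txt HTTP/1.1" 404 226 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:08 -0300] "GET /cart/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:08 -0300] "GET /zencart/install.txt HTTP/1.1" 404 232 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:09 -0300] "GET /zen/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:09 -0300] "GET /shop/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [02/Apr/2010:00:50:00 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser UA)"
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print("Host 213.21.217.206 is bare IP:", host_is_bare_ip("213.21.217.206"))
```

The burst check matters more than the user-agent string in the long run: a scanner's user agent is trivially changed, whereas a run of 404s for installer files from one client within a few seconds is the behaviour itself. The Host-header check is separate because the combined log format does not record the Host header; feed it the value from the mod_security audit log or from a log format that includes `%{Host}i`.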
Comments
I respond with a 403 on occasion, but am not sure if that is the best reaction.
All my love for devil girl =))
wtf man, u stay in my country 50 years and did not know what it means ?! =))
this is a lame blog !
190.196.23.170 - - [20/Aug/2009:19:38:21 -0500] "GET HTTP/1.1 HTTP/1.1" 400 243 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:21 -0500] "GET /install.txt HTTP/1.1" 404 239 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:22 -0500] "GET / HTTP/1.1" 200 1552 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:22 -0500] "GET /cart/ HTTP/1.1" 404 234 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:23 -0500] "GET /zencart/ HTTP/1.1" 404 236 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:23 -0500] "GET /zen-cart/ HTTP/1.1" 404 237 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:24 -0500] "GET /zen/ HTTP/1.1" 404 234 "-" "Toata dragostea mea pentru diavola"
190.196.23.170 - - [20/Aug/2009:19:38:24 -0500] "GET /shop/ HTTP/1.1" 404 233 "-" "Toata dragostea mea pentru diavola"
GET /includes/general.js
GET /zen/includes/general.js
GET /shop/includes/general.js
and so on.
I just block the entire range once I do a lookup on the IP.
Diavola is not devil .. is a girl .. who formatted the scanner has put this phrase on the scanner " Toata dragostea mea pentru diavola! " , it's just the romantic boy..that is
/install.txt
/cart/install.txt
/zencart/install.txt
/zen-cart/install.txt
/zen/install.txt
/shop/install.txt
/butik/install.txt
/zcart/install.txt
/shop2/install.txt
/catalog/install.txt
/boutique/install.txt
/cart/install.txt
/store/install.txt
I got 8 in a row, scanning for these
HTTP/1.1 HTTP/1.1" 400 474
"GET /install.txt HTTP/1.1" 200 1146
"GET / HTTP/1.1" 302 421
"GET /cart/ HTTP/1.1" 200 1139
"GET /zencart/ HTTP/1.1" 200 1143
"GET /zen-cart/ HTTP/1.1" 200 1151
"GET /zen/ HTTP/1.1" 200 1138
"GET /shop/ HTTP/1.1" 200 1138
75.75.254.96 - - [02/Apr/2010:00:49:07 -0300] "GET /install.txt HTTP/1.1" 404 226 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:08 -0300] "GET /cart/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:08 -0300] "GET /zencart/install.txt HTTP/1.1" 404 232 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:08 -0300] "GET /zen-cart/install.txt HTTP/1.1" 404 233 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:09 -0300] "GET /zen/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:09 -0300] "GET /shop/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:09 -0300] "GET /butik/install.txt HTTP/1.1" 404 232 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:10 -0300] "GET /zcart/install.txt HTTP/1.1" 404 231 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:10 -0300] "GET /shop2/install.txt HTTP/1.1" 404 231 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:11 -0300] "GET /catalog/install.txt HTTP/1.1" 404 232 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:11 -0300] "GET /boutique/install.txt HTTP/1.1" 404 232 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:11 -0300] "GET /cart/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
75.75.254.96 - - [02/Apr/2010:00:49:12 -0300] "GET /store/install.txt HTTP/1.1" 404 230 "-" "Toata dragostea mea pentru diavola"
#Date: 2010-06-21 22:33:10
GET /webmail/program/js/list.js - 80
GET /roundcube/program/js/list.js - 80
GET /rc/program/js/list.js - 80
GET /roundcubemail/program/js/list.js - 80
GET /mail/program/js/list.js - 80
GET /bin/program/js/list.js - 80
GET /roundcubemail-0.1/program/js/list.js - 80
GET /email/program/js/list.js - 80
GET /js/list.js - 80
GET /program/js/list.js - 80
/zencart/install.txt
/zen-cart/install.txt
/zen/install.txt
/shop/install.txt
/butik/install.txt
/zcart/install.txt
/shop2/install.txt
/catalog/install.txt
/boutique/install.txt
/cart/install.txt
/store/install.txt
HTTP/1.1
/install.txt
211.25.196.52 - - [06/Aug/2010:18:29:01 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 404 194 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:06 +0200] "GET /mss2//bin/msgimport HTTP/1.1" 404 189 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:07 +0200] "GET /mail//bin/msgimport HTTP/1.1" 404 189 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:09 +0200] "GET /mail2//bin/msgimport HTTP/1.1" 404 190 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:15 +0200] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 198 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:16 +0200] "GET /rms//bin/msgimport HTTP/1.1" 404 188 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:17 +0200] "GET /webmail2//bin/msgimport HTTP/1.1" 404 193 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:19 +0200] "GET /webmail//bin/msgimport HTTP/1.1" 404 192 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:23 +0200] "GET /wm//bin/msgimport HTTP/1.1" 404 187 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:32 +0200] "GET /roundcubemail-0.2//bin/msgimport HTTP/1.1" 404 202 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:34 +0200] "GET /roundcube-0.1//bin/msgimport HTTP/1.1" 404 198 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:35 +0200] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 198 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:36 +0200] "GET /round//bin/msgimport HTTP/1.1" 404 190 "" "Toata dragostea mea pentru diavola"
211.25.196.52 - - [06/Aug/2010:18:29:38 +0200] "GET /cube//bin/msgimport HTTP/1.1" 404 189 "" "Toata dragostea mea pentru diavola"