Russian connection to user agent "WordPress/2.1.1" in website access logs
I read the access logs for my website every day, and sometimes something jumps out and grabs my attention as not being right. This month, that something is a series of attempts to grab various pages on my blog, in an unusual manner, with a very unusual user agent: WordPress/2.1.1
At first I thought that somebody was just trying to pick up my MovableType RSS feed, but that is not what they are after. So, I did a little research on "WordPress/2.1.1" and learned that it represents a hacker-compromised version of the popular WordPress PHP blogging software, which WordPress.org replaced months ago with version 2.1.2. I suppose that there may be some WordPress users who haven't heard that this version was hacked with a backdoor and haven't bothered to check for updates, but the log entries I am seeing are not from a WordPress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see whence they came.
What I have learned so far about the visitors who have configured their client with the user agent "WordPress/2.1.1" is that (A) they come at me with no "Referer" field entry, (B) they always try to GET a blog article itself, followed immediately by a HEAD request, and (C) they change IP addresses after getting my 403 (Forbidden) response and try again. This switching of IP addresses has no effect, since I am also blocking them by their User-Agent string.
Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):
67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
These are definitely not typical access log entries, and nothing a normal search engine or human visitor would do. WordPress is blogging software that gets installed on web servers; it is not a browser. A user agent string identifies a browser, a search engine, or a robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.
We are following the strange access log entries of a visit from somebody, or some bot, using the distinct user agent string WordPress/2.1.1. It hit my server over most of the month of March (so far), always using a GET followed by a HEAD request for the same blog files. Let's trace those IP addresses to their home bases.
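To show how the GET-then-HEAD pattern described above can be picked out of a combined-format Apache log automatically, here is an added Python example. It is not part of the original article or of any WordPress or Apache code; the sample log lines are constructed for the example (two pairs modelled on the entries quoted above, plus two ordinary browser hits from the 192.0.2.0/24 documentation range) and the 600-second pairing window is an assumption chosen to cover the widest gap seen in the quoted entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA = "WordPress/2.1.1"

# Constructed sample log (not a real server log): two suspect GET/HEAD pairs
# plus a normal browser visit with a Referer, for contrast.
SAMPLE_LOG = """\
67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
192.0.2.10 - - [23/Mar/2008:17:00:00 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 200 14822 "http://www.google.com/search?q=vista+sp1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20080201 Firefox/2.0.0.12"
192.0.2.10 - - [23/Mar/2008:17:00:01 -0600] "GET /blogs/styles.css HTTP/1.1" 200 3210 "http://www.example.com/blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20080201 Firefox/2.0.0.12"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probe_pairs(lines, ua=SUSPECT_UA, window_seconds=600):
    """Return GET-then-HEAD pairs from the same IP that carry the suspect User-Agent.

    A pair is a GET followed, in that client's own request sequence, by a HEAD
    within `window_seconds`. Each finding records whether both requests hit the
    same path and whether the Referer was empty ("-"), the traits the article
    associates with this visitor.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == ua:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for first, second in zip(recs, recs[1:]):
            if first["method"] != "GET" or second["method"] != "HEAD":
                continue
            gap = (second["time"] - first["time"]).total_seconds()
            if gap > window_seconds:
                continue
            findings.append({
                "ip": ip,
                "get_path": first["path"],
                "head_path": second["path"],
                "same_path": first["path"] == second["path"],
                "referer_empty": first["referer"] == "-" and second["referer"] == "-",
                "seconds_apart": int(gap),
            })
    return findings


def ips_by_pair_count(findings):
    """Map each source IP to the number of GET/HEAD probe pairs it produced."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_probe_pairs(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:16} GET->HEAD {f['seconds_apart']:4}s apart  "
              f"same path: {f['same_path']}  empty referer: {f['referer_empty']}")
```

Run against a real log with `find_probe_pairs(open("access_log").read().splitlines())`; the ordinary Firefox lines are never paired because they carry a different User-Agent, and a GET/HEAD pair to two different articles (as in the first quoted pair) is still reported, with `same_path` set to False so the analyst can judge it.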
67.228.198.50 belongs to SoftLayer, a web host full of compromised servers and websites, which is on my Exploited Servers Blocklist.
69.50.177.18 belongs to Concord Intercage / Atrivo.com, with a CIDR of 69.50.160.0/19.
NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
What do we know about Atrivo and Intercage? LOTS!
A quick lookup of the IP in question, 69.50.177.18, at Spamhaus.org, reveals this interesting tidbit, under Ref: SBL53320:
69.50.160.0/19 is listed on the Spamhaus Block List (SBL)
Hosting: inhoster.com spammer/cybercrime hosting front
See:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36702
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
What is the connection between Intercage, Atrivo and Inhoster? Inhoster is registered via estdomains, which is hosted on Intercage/Atrivo, all of which are owned by the same person.
83.222.14.129 belongs to MASTERHOST-COLOCATION, which is located at Lyalin lane 3, bld 3, 105062, Moscow, Russia. The CIDR for Masterhost is 83.222.0.0/19.
89.108.85.75 is assigned to Agava Company, based in B. Novodmitrovskaya str., 36/4, 127015 Moscow, Russia. Their CIDR is 89.108.64.0/19.
91.192.116.2 is hosted in the United Kingdom, on servers owned by TodayHost Ltd. IP addresses within their CIDR, 91.192.116.0/22, have been harassing my website for a couple of months now. All of their efforts are blocked thus far.
216.255.185.178 is owned by none other than Intercage! This particular net block has a CIDR of 216.255.176.0/20.
These unusual visits from multiple IPs trace back to Russian concerns. Inhoster is involved here, as probably is the RBN. Whatever they are up to, it is no good. My guess is that this is either an attempt to read the source code of my blog, looking for a way to send automated comment spam, or to test my security fences. The single British host is no surprise to me either. I have already learned that the RBN is now farming out servers from certain UK concerns, but using them for its own malicious purposes.
My recommendations for other webmasters.
Apply my Exploited Servers Blocklist and my Russian Blocklist to your Apache server's .htaccess file as soon as possible. If you have root access to your Linux-based server, use my iptables blocklists instead, in your Linux APF firewall.
A sample of the blocklist for .htaccess, for just these aforementioned IP CIDRs, is:
<Files *>
order deny,allow
deny from 67.228.0.0/16 69.50.160.0/19 83.222.0.0/19 89.108.64.0/19 91.192.116.0/22 216.255.176.0/20
</Files>
Additionally, block access to anybody with the exact user agent "WordPress/2.1.1" in your .htaccess, with the following rule (mod_rewrite must be switched on for the condition to be evaluated):
# Enable mod_rewrite; the anchored pattern below matches this one exact User-Agent string
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WordPress/2\.1\.1$
RewriteRule .* - [F]
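As an added example, not part of the article or of Apache itself, the following Python models what the two .htaccess rules above decide for a given source IP and User-Agent: the CIDR list is the one from the sample "deny from" line, and the User-Agent check uses the same anchored pattern as the RewriteCond. The test addresses in 198.51.100.0/24 are from the documentation range and are constructed for the example.

```python
import ipaddress
import re

# The networks from the sample "deny from" line above.
DENY_CIDRS = [ipaddress.ip_network(c) for c in (
    "67.228.0.0/16", "69.50.160.0/19", "83.222.0.0/19",
    "89.108.64.0/19", "91.192.116.0/22", "216.255.176.0/20",
)]

# Same anchored pattern as the RewriteCond: it matches the exact string only.
UA_DENY_RE = re.compile(r"^WordPress/2\.1\.1$")


def denied_by_cidr(ip):
    """True if `ip` falls inside any network on the 'deny from' list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENY_CIDRS)


def denied_by_ua(user_agent):
    """True if the User-Agent matches the anchored RewriteCond pattern."""
    return UA_DENY_RE.search(user_agent) is not None


def decide(ip, user_agent):
    """Return (HTTP status, reason) that the combined rules would produce.

    Either rule alone is enough to refuse the request with 403; the reason
    tells the analyst which one fired.
    """
    if denied_by_cidr(ip):
        return 403, "cidr"
    if denied_by_ua(user_agent):
        return 403, "user-agent"
    return 200, "allowed"


if __name__ == "__main__":
    # Constructed cases: an IP from the article's list, and a documentation-range
    # IP outside every listed network, with exact and near-miss User-Agent strings.
    for ip, ua in (
        ("69.50.177.18", "WordPress/2.1.1"),
        ("198.51.100.7", "WordPress/2.1.1"),
        ("198.51.100.7", "WordPress/2.1.1 "),   # trailing space: anchored pattern misses
        ("198.51.100.7", "WordPress/2.3.3"),
        ("67.228.1.1", "Mozilla/5.0 (X11; Linux)"),  # whole /16 is blocked, browser or not
    ):
        status, reason = decide(ip, ua)
        print(f"{ip:16} {ua!r:32} -> {status} ({reason})")
```

Two things worth seeing in the output: the User-Agent rule catches the probe even from an address outside every listed network, but because the pattern is anchored at both ends, a User-Agent that differs by a single character (even a trailing space) is not matched and falls through to the CIDR check alone; and a /16 entry such as 67.228.0.0/16 refuses every client in that range, including ordinary browsers, which is the trade-off of blocking by hosting provider rather than by individual address. Apache 2.4 replaced Order/Deny/Allow with the Require directives, but the network list itself carries over unchanged.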
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.