With the Christmas break and holidays upon us I usually get a few days to tend to the digital upkeep of my little fiefdom. The plan this year was to add HTTPS/SSL capability to my blog with a wildcard SSL certificate from RapidSSL. While I was installing the certificate I noticed a large number of odd POST requests in the logs:
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
I was naturally curious and started digging through my logs; I found 427,358 requests from that IP network over the past two weeks. Using whois I was able to identify the network and hosting provider the requests were originating from.
[root@moon logs]# whois 89.248.172.6
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.248.172.0 - 89.248.172.57'

% Abuse contact for '89.248.172.0 - 89.248.172.57' is 'abuse@ecatel.net'

inetnum:        89.248.172.0 - 89.248.172.57
netname:        SC-QUASI40
descr:          QUASI
country:        SC
admin-c:        QNL1-RIPE
tech-c:         QNL1-RIPE
status:         ASSIGNED PA
mnt-by:         QUASINETWORKS-MNT
mnt-lower:      QUASINETWORKS-MNT
mnt-routes:     QUASINETWORKS-MNT
created:        2008-06-21T17:49:26Z
last-modified:  2015-11-09T13:20:10Z
source:         RIPE # Filtered

role:           Quasi Networks LTD
address:        Suite 1, Second Floor
address:        Sound & Vision House, Francis Rachel Street
address:        Victoria, Mahe, SEYCHELLES
remarks:        *****************************************************************************
remarks:        IMPORTANT INFORMATION
remarks:        *****************************************************************************
remarks:        We are a high bandwidth network provider offering bandwidth solutions.
remarks:        Government agencies can sent their requests to gov.request@quasinetworks.com
remarks:        Please only use abuse@quasinetworks.com for abuse reports.
remarks:        For all other requests, please see the details on our website.
remarks:        *****************************************************************************
abuse-mailbox:  abuse@quasinetworks.com
nic-hdl:        QNL1-RIPE
mnt-by:         QUASINETWORKS-MNT
created:        2015-11-07T22:43:04Z
last-modified:  2015-11-07T23:04:49Z
source:         RIPE # Filtered

% Information related to '89.248.172.0/23as29073'

route:          89.248.172.0/23
descr:          Quasi Networks LTD (IBC)
origin:         as29073
mnt-by:         QUASINETWORKS-MNT
created:        2007-11-19T14:34:49Z
last-modified:  2015-11-09T13:24:19Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.83.1 (DB-1)
I had never heard of Seychelles before, but Google pointed out that it’s a collection of islands off the east coast of Africa. I would personally think that bandwidth would be expensive there but I’m guessing the miscreants don’t mind paying for it.
It was pretty clear from the logs that this IP address was trying to infiltrate the XML-RPC service in WordPress while hoping to avoid detection by using the Googlebot user agent string. If anything, using the Googlebot agent string on a POST to xmlrpc.php actually draws attention to the request, since the real Googlebot crawls with GET requests from Google's own address space.
While not a foolproof solution, I’ve added another IP network into my server firewall tables.
I did a quick scan of the logs and found that 38 distinct IP addresses had tried to log in to my WordPress blog a total of 359 times since midnight. A number of the IP addresses were from proxy and VPN providers, the majority of which were based in the continental United States. There were 104 attempts from 104.193.120.218, which belongs to a service provider in Farmington Hills, MI and resolves to solutionslick.net, a front for adult porn sites.
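The post does its log triage by hand: counting requests per source network, noticing that a POST to xmlrpc.php claiming to be Googlebot cannot be genuine, and tallying login attempts per IP. The script below is an added example (not code from the post) that automates those three steps on Nginx combined-format lines. It folds the ::ffff: IPv4-mapped prefix that Nginx writes back to a plain IPv4 address, counts POSTs to xmlrpc.php and wp-login.php per IP and per /24, and applies Google's documented crawler check (reverse DNS must land in googlebot.com or google.com, and the forward lookup of that name must return the original IP). The three 89.248.172.6 lines mirror the post; the 104.193.120.218 login lines, the 192.0.2.x addresses (RFC 5737 documentation range) and the resolver tables are constructed so the example runs offline.

```python
import re
import socket
from collections import Counter
from ipaddress import ip_address, ip_network

# Nginx combined-format line; the ::ffff: prefix is the IPv4-mapped IPv6 form
# Nginx logs for IPv4 clients that arrive on an IPv6 listening socket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# WordPress endpoints that accept credentials: the XML-RPC service and the login form.
WATCHED = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample log. The 89.248.172.6 lines mirror the post; the
# 104.193.120.218 login POSTs and the 192.0.2.1 crawler line are invented.
SAMPLE_LOG = """\
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:104.193.120.218 - - [27/Dec/2015:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
::ffff:104.193.120.218 - - [27/Dec/2015:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
192.0.2.1 - - [27/Dec/2015:02:20:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
""".splitlines()


def normalize_ip(raw):
    """Fold ::ffff:a.b.c.d back to a.b.c.d so one client has one identity."""
    addr = ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_line(line):
    """Return a dict of fields, or None for a line that is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = normalize_ip(rec["ip"])
    rec["status"] = int(rec["status"])  # 499 is Nginx's "client closed request"
    return rec


def count_abuse(lines):
    """Count POSTs to the watched endpoints per client IP and per /24 network."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] in WATCHED:
            per_ip[rec["ip"]] += 1
            # Aggregating by /24 makes a source rotating through a block stand out.
            per_net[str(ip_network(rec["ip"] + "/24", strict=False))] += 1
    return per_ip, per_net


def verify_googlebot(ip, rdns=socket.gethostbyaddr, fdns=socket.gethostbyname):
    """Google's published crawler check: reverse DNS must land in googlebot.com
    or google.com, and the forward lookup must return the same IP. The resolvers
    are injectable so the check can run offline against fixed tables."""
    try:
        host = rdns(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return False
    if not host.endswith((".googlebot.com", ".google.com")):
        return False
    try:
        return fdns(host) == ip
    except OSError:
        return False


def spoofed_googlebot_ips(lines, rdns=socket.gethostbyaddr, fdns=socket.gethostbyname):
    """Sorted IPs that present a Googlebot user agent but fail verification."""
    verdicts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and "Googlebot" in rec["ua"] and rec["ip"] not in verdicts:
            verdicts[rec["ip"]] = verify_googlebot(rec["ip"], rdns, fdns)
    return sorted(ip for ip, ok in verdicts.items() if not ok)


# Constructed resolver tables so the example needs no network; only the
# invented 192.0.2.1 is made to verify as a genuine crawler.
FAKE_RDNS = {"192.0.2.1": "crawl-192-0-2-1.googlebot.com",
             "89.248.172.6": "client.example.net"}
FAKE_FDNS = {"crawl-192-0-2-1.googlebot.com": "192.0.2.1"}


def fake_rdns(ip):
    if ip not in FAKE_RDNS:
        raise socket.herror(1, "Unknown host")
    return (FAKE_RDNS[ip], [], [ip])


def fake_fdns(host):
    if host not in FAKE_FDNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_FDNS[host]


if __name__ == "__main__":
    per_ip, per_net = count_abuse(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:6d}  {ip}")
    for net, n in per_net.most_common():
        print(f"{n:6d}  {net}")
    print("spoofed Googlebot:", spoofed_googlebot_ips(SAMPLE_LOG, fake_rdns, fake_fdns))
```

To run it against a real access log, replace SAMPLE_LOG with the file's lines and drop the fake resolvers so verify_googlebot falls back to the system resolver; the per-network counter is what turns a few hundred thousand scattered lines into the single "that IP network" figure the post quotes.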
I’d love to spend more time poring over my log files but I just don’t have the time or energy.
Cheers!
Brian Christopher Raaen says
Ah yes, my dear friends in Seychelles. Brings back fond memories of blocking them. I have a website where I host mp3 sermon downloads (www.rhemasound.org), and they crawled my site and downloaded each file multiple times. Fortunately, I did not exceed my bandwidth limit; I did not pay for transfer like I do now using the cloud. They really clobbered my logs. Back in the early 2000’s 2GB of transfer was quite a bit.
Michael McNamara says
Interesting… again I’d think there would be cheaper places to use for hosting. I’m guessing here that Seychelles is just outside the reach of the long arm of the law and that has more to do with the location than the cost.
Riot Nrrrd™ says
Just found this blog entry and had to chuckle. You didn’t think that 89.248.172.6 IP actually originated in Seychelles did you Michael? :-D
I just did a WHOIS lookup on a prober of my mail server at work and it got redirected to LACNIC – but the address ended up being that same fake Seychelles address. I doubt Seychelles is part of Latin America ;-)
I’m guessing these overseas fraudsters haven’t heard of using DomainsByProxy to hide their WHOIS tracks, or maybe that’s a U.S.-only company so they have to use some other fake name with the fake Seychelles address. If I ever hit the Lottery I’ll go to Seychelles just so I can stroll down “Francis Rachel Street” in Mahe and see how many of these fake companies don’t actually exist at the address there LOL