The Zombie Army is Upon Us

We have experienced a “massive attack” of SPAM on our blogging system from various hosts all pointing to two websites:
http://www.cosmicbuddha.com/blog/archives/ 001169.html (I have broken the URL intentionally)
And
http://anthony.ianniciello.net/blog/archives/ 000079.html (I have again broken the URL intentionally)

The comments contained very brief sentences and links to the above web sites.

From what it looks like, it was an attack against automatic blacklisting and unmoderated comments, probably not conducted by the authors of the above blogs.

Some of the IPs that spammed our blog had at least one port that was acting as a proxy.

In some cases these were legitimate but badly configured proxies, such as a Cisco proxy (Application and Content Networking System Software 5.3.3).

In other cases the proxies appeared to be backdoor-based proxies: the server/computer was not intended to act as a proxy.

In two instances the IP from which the attack came was the firewall/router, making me believe that the infected/zombie host was on the inside of the network, rather than on the outside.

In one of the funnier instances, the host that spammed us was a Windows NT machine with IIS 4.0 without any service packs. I was sure I would never see such a machine on the Internet, but I was shown to be wrong :).

In any case, if we do find out a bit more about this SPAM attack, we will let you know.


2 Comments:

  1. I am the owner of the first blog you link to above and can confirm that I was in no way related to the spam attacks on your network. I am very sorry that this has happened, but have no idea why my site’s link is being used in that spam comment. I employ MT-Blacklist to control spam and my blacklist is diligently maintained, so this might have been some type of attack or probe regarding blacklisting.

    Other site owners have commented on the page that was used in the spam, and if you have any further input it would be great if you could contact me.

    Once again, I am very ashamed to be linked to this in any way, but have no relationship with the idiots who are spamming you.

  2. New assault of comment spam

    If you are like me, you got blasted by friendly comments from Alexander Kolt, Nicolas Trumen, John Reed, Peter Back, and Kelly Ronald all praising your blog, your post and yourself. This new generation of comment spam is more clever than previous but f…
