The Linux Page

Comment spam attack from 109.230.213.100

Network connections

This morning I was attacked by a robot. I quickly noticed that my websites were slow and saw a pretty large amount of traffic on port 80: 208 connections!


This always means you're under attack. I wish there were a way for the firewall to auto-detect and then auto-block such robots. Maybe I'll find a good tool that does that for us at some point.

"Working" connections

So, I looked at the Apache logs. Two of my sites were attacked. I'll show the second one first, as the bot had more success on that one:

As you can see, the robot went to a few pages and found one with a /comment/reply/... link, first on linux.m2osw.com and then on win32.m2osw.com (note that both represent the exact same site).

At that point, it attempts to POST some random spam messages. All of those failed because of the CAPTCHA and because Drupal forms include an identifier that is required on each POST; each new POST resets the previous identifier, so the bot would need to re-read the form each time, which it does not do (surprising: if they know Drupal, they should know that's required...).

However, notice how fast this goes: the robot posts once every few seconds. I have an anti-spam system that would have blocked it had it been any faster anyway.

When it gets blocked

So... before trying to post on my Linux website (i.e. the one you're reading now!) it hit my http://animals.m2osw.com/ website. That other site got hit over 7,300 times. The reason? The comment pages were refusing the robot with a 403 or a 503. I'm not too sure why it got 403s, as you're supposed to be able to access those forms on that system too, although again there's a CAPTCHA.

However, this one has a quite interesting side to it. The log excerpt holds 300 of the 7,300 lines.

First of all, the robot checks the home page and attempts a POST. That seems to have worked (the POST itself failed, though, probably because of the CAPTCHA).

Second, it finds the AdSense search feature and uses it to search the site.

Then it checks the home page comment section again (I'm wondering whether the logs were saved in the order I received the requests...), twice on the same day and a third time the next day.

Today, all of a sudden, it looks like it switched to a different mode, reading many pages at once, including the home page (which was already read once in the first step).

A few interesting facts:

  • The first 8 requests happened at 09:39:13
  • Most of the others happened within 2 or 3 seconds
  • Fairly quickly it starts getting 503 errors (server not available)
  • The browser designation changes on nearly all accesses
  • Now it starts getting 403 errors (forbidden access)
  • The server continues to return code 200 once in a while so the robot continues...

What I find quite interesting is the browser designation. This makes me think I can write an anti-spam tool that checks that string: if it changes more than once in X seconds, then it's a spammer robot, so block that IP address.

I do change the string once in a while myself, to test features such as the iPhone capabilities. But a system that changes it more than once within a second cannot be human! It takes me a few seconds between accesses to switch from one to the other.

Oh! And the exact same URLs are being checked over and over again. That's sad. Why would you do that unless you wanted to be detected? Of course, another, more complex detection is to notice that the robot reads the data contained in the page but not the linked files such as JavaScript, images, and CSS files.
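As an added example (not code from the original post), here are the two detections sketched above run over Apache combined-format log lines: the User-Agent string changing more than once within a window, and an IP that reads pages but never the linked JavaScript, CSS or image files. The bot IP is the one from this post; the visitor address 203.0.113.7, the date, the paths and the UA strings are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request path and User-Agent are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
STATIC_EXT = ('.js', '.css', '.png', '.jpg', '.gif', '.ico')

def parse(line):
    # One combined-format line -> dict with a datetime timestamp, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def find_ua_switchers(lines, window=timedelta(seconds=1), max_changes=1):
    """IPs whose User-Agent changed more than max_changes times inside one window."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec['ip']].append((rec['ts'], rec['ua']))
    flagged = set()
    for ip, hits in per_ip.items():
        hits.sort()
        # Timestamps of requests whose UA differs from this IP's previous request.
        changes = [t1 for (_, ua0), (t1, ua1) in zip(hits, hits[1:]) if ua0 != ua1]
        start = 0
        for end in range(len(changes)):          # sliding window over the change times
            while changes[end] - changes[start] > window:
                start += 1
            if end - start + 1 > max_changes:
                flagged.add(ip)
                break
    return flagged

def find_asset_skippers(lines, min_pages=5):
    """IPs that fetched at least min_pages pages but never a script, stylesheet or image."""
    pages, assets = defaultdict(int), defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        path = rec['path'].split('?', 1)[0].lower()
        (assets if path.endswith(STATIC_EXT) else pages)[rec['ip']] += 1
    return {ip for ip, n in pages.items() if n >= min_pages and assets[ip] == 0}

# Constructed sample log: the bot IP from the post sends 8 requests in the same second with a
# different UA on each and no static files; 203.0.113.7 is a constructed normal visitor.
BOT_UAS = ['Mozilla/5.0 (Windows NT 6.1)', 'Opera/9.80', 'Mozilla/4.0 (compatible; MSIE 7.0)',
           'Mozilla/5.0 (Macintosh)', 'Mozilla/5.0 (X11; Linux)', 'Mozilla/5.0 (iPhone)',
           'Mozilla/5.0 (Windows NT 5.1)', 'Mozilla/5.0 (Android)']
HUMAN = '203.0.113.7 - - [01/Jan/2013:09:40:%s -0800] "GET %s HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)"'
SAMPLE_LOG = [
    f'109.230.213.100 - - [01/Jan/2013:09:39:13 -0800] "GET /comment/reply/{i % 3} HTTP/1.1" '
    f'200 5120 "-" "{ua}"' for i, ua in enumerate(BOT_UAS)
] + [HUMAN % p for p in [('01', '/'), ('01', '/style.css'), ('02', '/script.js'), ('30', '/node/7')]]
if __name__ == '__main__':
    print('UA switchers  :', sorted(find_ua_switchers(SAMPLE_LOG)))
    print('asset skippers:', sorted(find_asset_skippers(SAMPLE_LOG)))
```

Both heuristics flag only the bot address on the sample; the window and the page threshold are the knobs to tune against real traffic before feeding the result to a firewall rule.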

So... a few things I can work on to better block these attacks.