All of your pages are belonging to us
We received a report of a very aggressive web spider that apparently is not obeying robots.txt.
The report claims the spider is from http://www.80legs.com/webcrawler.html
Here are a few interesting tidbits from that site.
"008 runs on a grid computing platform that consists of several thousand computers, which is why you may see our web crawler access your site from many different IP addresses."
"If you block 008 using robots.txt, you will see crawl requests die down gradually, rather than immediately. This happens because of our distributed architecture. Our computers only periodically receive robots.txt information for domains they are crawling."
And my personal favorite ...
"Blocking our web crawler by IP address will not work. Due to the distributed nature of our infrastructure, we have thousands of constantly changing IP addresses. We strongly recommend you don't try to block our web crawler by IP address, as you'll most likely spend several hours of futile effort and be in a very bad mood at the end of it."
Several thousand computers? Sounds like a recipe for a DDoS attack if I ever saw one and I don't even want to think about what could happen if that site got 0wn3d.
Has anyone else seen this? Let us know.
Christopher Carboni - Handler On Duty
Someone is attempting to register your domain in [insert country name here]
Dear Mr. Carboni,
"We are a Network Service Company which is the domain name registration center in [some city and country]. On Nov. 16 2010, we received an application from [some company that doesn't exist] requested "Sans" as their internet keyword and [country and (TLD)] domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in [country name]?
[some person name]
[some company name]
[some company address] etc ...
Really? Oh no! I might lose my company.com/cn/af/sk/so/br domain in China/Afghanistan/S.Korea/Somalia/Brazil/ ...!
This is a scam that is several years old and I'm finding out is not as widely known as I originally thought.
Back in the day I used to receive this type of email at least a few times every month, usually from a different person/company/country.
If you call / email or in some way return communication, in my experience, the "registrar" tries to extort you for some amount of money telling you that if you don't pay (I remember one for $10000 USD and another was much more though I can't remember the exact amount - credit cards gratefully accepted) you will lose whatever domain they're telling you someone is trying to register.
There may be other angles that I haven't seen before but the bottom line is this is a scam that can be filed with the other scams, phishes, hoaxes and other stuff which (hopefully) is caught by your spam filter.
Update:
One of our other Handlers pointed me to an excellent article by Dr. Neal Krawetz on this very scam. Read about it in the Hacker Factor Blog.
Christopher Carboni - Handler On Duty
Stopping the ZeroAccess Rootkit
Jack at the Infosec Institute sent a note announcing research that had been done on the ZeroAccess Rootkit.
He states "One of our InfoSec Resources Authors defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit"
The full article can be found on their website.
How widespread are rootkits in your environment?
Are you having a problem with rootkits right now or have you had a problem with them in the past?
Write in and share your experiences including any practical tips on recovery in a corporate environment.
Christopher Carboni - Handler On Duty
Comments