Gootkit auto-rooter scanner

Malicious virus implanter from dynamic IPs

dstiles

9:15 pm on Sep 23, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

People might want to specifically block this bot.

It comes, in my experience, from compromised broadband machines so cannot usually be rejected as coming from a server farm.

UA: Gootkit auto-rooter scanner

Purpose, as far as I can tell, is to implant malicious "footers" onto web site scripts (e.g. php, asp, etc.).

It seems to hit the home page of a site several dozen times in succession, even against a 403, presumably trying to force its way in. No other information, but I suspect once it finds an entry point it will stop trying and get to work on that and other pages.

lucy24

6:04 am on Sep 24, 2011 (gmt 0)

Oh, gosh, I just came by to ask about that very name.

<fe>
It's so hard to tell. "Gootkit auto-rooter scanner" Do you suppose it could possibly be a robot? It sounds like something that would get involved with your sewage pipes.
</fe>

When I looked it up I found a recent posting on another discussion forum in which it asked for a whole string of nonexistent php files. Mysteriously it didn't try this with me. Not that it would have done any good now that I've got the php-block sorted out.

On second thought, it sounds like something that deserves to get involved with your sewage pipes :)

incrediBILL

2:26 pm on Sep 24, 2011 (gmt 0)

Why would some idiot use such an obvious name to call attention to their activities?

Personally, I'm glad they advertise what they're doing because a few years back I assumed everything hitting our sites would all use nothing but browser UAs at this point and leave us twisting in the wind trying to figure out what in the heck was going on.

Luckily, their egos make them want to show off.

Pfui

2:46 pm on Sep 24, 2011 (gmt 0)

First saw it on 09-20, hitting from a long-compromised (per Project Honey Pot) .static.metrored.net.mx account.

Looks like just another exploit, reminiscent of ZmEu [webmasterworld.com...] , but interesting in that it probed for more of the typical php, sql, webadmin and other files than most -- on one site, 199 in 36 seconds.

FWIW, I've never seen a single exploit dissuaded by 403s, 404s, etc. They typically run through IPs sequentially, probing, invading the undefended, and moving on.

lucy24

8:56 pm on Sep 24, 2011 (gmt 0)

Is it safe to assume that the word "scanner" never occurs in the name of a legitimate UA and can, if you so choose, be blocked at the gate? Spotlight didn't find any.

:: pondering the fact that 6 months of raw log files take up pretty exactly the same space as the entire first HD of my first computer ::

dstiles

10:15 pm on Sep 24, 2011 (gmt 0)

Ezine uses "scanner" as part of its UA - I have that one whitelisted (actually, two UAs but I think one is now obsolete). The UAs below are what I whitelist but it's only part of the full UA...

EzineArticlesLinkScanner/
EzineArticles.com Link Scanner

The full current one is...

Mozilla/5.0 (textmode; U; Linux i386; en-US; rv:3.0.110.0) Gecko/20101006 EzineArticlesLinkScanner/3.0.0g

You don't have a busy site then, Lucy? My first hard disk was 256K and the next was only 5M. :)

Annoyingly, they do not have a proper rDNS but I have to let them in for a family site! :)
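The "block anything with 'scanner' in the UA, except the Ezine link checker" rule that lucy24 and dstiles arrive at, plus the rapid-fire hit pattern dstiles and Pfui describe, as an added log-review script (example code, not from the thread or any of the posters; the log lines, IPs and thresholds are constructed for illustration):

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# UA fragments dstiles whitelists; any other UA containing "scanner" is flagged.
ALLOWED_SCANNERS = ("EzineArticlesLinkScanner/", "EzineArticles.com Link Scanner")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_suspicious_scanner(ua):
    # "scanner" anywhere in the UA, unless it is one of the whitelisted ones.
    if "scanner" not in ua.lower():
        return False
    return not any(frag in ua for frag in ALLOWED_SCANNERS)

def find_probes(lines, min_hits=3, window_s=60):
    # Return {ip: total_hits} for IPs whose suspicious-scanner requests
    # include at least min_hits within window_s seconds (the burst pattern).
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_scanner(rec["ua"]):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: three Gootkit hits against a 403, one Ezine visit, one browser.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2011:21:15:01 +0000] "GET / HTTP/1.1" 403 199 "-" "Gootkit auto-rooter scanner"',
    '203.0.113.7 - - [23/Sep/2011:21:15:03 +0000] "GET / HTTP/1.1" 403 199 "-" "Gootkit auto-rooter scanner"',
    '203.0.113.7 - - [23/Sep/2011:21:15:05 +0000] "GET / HTTP/1.1" 403 199 "-" "Gootkit auto-rooter scanner"',
    '198.51.100.9 - - [23/Sep/2011:21:16:10 +0000] "GET /a.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (textmode; U; Linux i386; en-US; rv:3.0.110.0) Gecko/20101006 EzineArticlesLinkScanner/3.0.0g"',
    '192.0.2.4 - - [23/Sep/2011:21:17:00 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0"',
]
```

Running `find_probes(SAMPLE_LOG)` over real logs gives a list of IPs to consider for a temporary block, which matters here because the hits come from compromised broadband addresses rather than a range you could deny outright.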