> /"Error 503 : Service Temporarily Unavailable"/
> I guess this one got hit too? ;)

Probably yes. But if you weren't visiting with Tor, there is a good chance you would not see the 503 message. Loads fine for me. ;)

Spambotsecurity.com is Zaphod's site. He wrote ZBBlock, which blocks any connection that violates certain 'rules'. (SQL injection patterns and so on.) It also has two switches that permit Tor blocking, with TOR IPs being 'rule' violations if that is turned on. (One switch only blocks posting from TOR. The other bans all connections.)

A first violation by an IP within 1 hour sees a 403 page with an explanation. 503's are shown after a number of violations by the same IP. The default is 3 violations, but certain rule violations result in 'instaban', which means they are served 503's after the first visit. I think that's what Zap uses. The 503 page is shown for 1 day; afterwards, it reverts to 403-- for 3 more violations by that IP or for a violation that merited an instaban. If visits from that IP recur, ZBBlock switches back to 503. (The 503 page saves the server CPU because it's just a quick local lookup for that IP.)

So if you saw the 503 address, the IP you connected with had visited and violated a rule at least 3 times in the past 24 hours.

I don't know if Zap has the "Tor" switch on or off. You would need to ask Zap himself. And if you wanted to know why a specific IP was blocked, you would have to ask Zap. But generally speaking, if you want to read sites that block hostile connections generally, and/or which block Tor specifically, you will need to visit and read without using Tor (and often without using certain proxies that tend to be used by scrapers and hackers.)

So I suspect if you want to see the discussion of the bots using Tor doing SQL injection you will need to use a non-Tor IP.

FWIW, I'll edit the entry.
But the series of ZBblock entries read more or less like this:

#: 3934 @: Thu, 18 Jul 2013 13:49:00 -0400 Running: 0.4.10a3 / 74c
Host: sipb-tor.mit.edu
IP: 18.187.1.68
Score: 5
Violation count: 1 INSTA-BANNED
Why blocked: No access allowed from hosts listed as hostile on Stop Forum Spam (http://www.stopforumspam.com/removal) (local block). RFI attack/SQL injection (QU-001). RFI attack/SQL injection (QU-002). RFI attack/SQL injection (QU-024). Blind poke detected. INSTA-BAN (IB-023). Heavy hit. INSTA-BAN. You have been instantly banned due to extremely hazardous behavior!
Query: fontstyle=999999.9%20%2F*%2130000union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F--
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0; MEGAUPLOAD 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; FDM)
Reconstructed URL: http:// mysite.com /index.php/solutions/acquisition-solutions/protest-proof-awards?fontstyle=999999.9%20%2F*%2130000union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F--

With hosts that include:

#: 3935 @: Thu, 18 Jul 2013 13:49:43 -0400 Running: 0.4.10a3 / 74c
Host: axigy2.torservers.net

#: 3936 @: Thu, 18 Jul 2013 13:53:35 -0400 Running: 0.4.10a3 / 74c
Host: tor-exit-router39-readme.formlessnetworking.net

Host: tor-exit-router41-readme.formlessnetworking.net
Host: herngaard.torservers.net

And so on. This continues. All were 'instabanned'. That means all the IPs that hit were served 503's on their second visit. So if the IP you used happens to have recently hit that particular forum with requests similar to those above, you would be served the 503 too.

The IP I use hasn't been banned there, so I am served the forum page.

Lucia

----
> Read the thread at
> http://www.spambotsecurity.com/forum/viewtopic.php?f=15&t=2095 The title
> is
> "Anyone else get hit by TOR-cloaked(?) botnet?"
>
> Bots with Tor addresses hitting sites and attempting SQL injection have
> been seen. I don't know how widespread it is.
> Lucia

/"Error 503 : Service Temporarily Unavailable"/
I guess this one got hit too? ;)

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
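
Added illustration, not part of the original message and not ZBBlock's own code: a Python model of the 403-to-503 escalation described in the reply above, showing why a clean request from a shared exit IP still gets the 503. The names (`BanTracker`, `handle`, `demo`), the reset of the count when a ban expires, and the choice that the request which triggers the ban still receives the 403 page are assumptions; the 1-hour window is not modelled and the IPs are constructed documentation addresses.

```python
# Simplified model of the escalation described in the message; not ZBBlock code.
from dataclasses import dataclass, field

BAN_SECONDS = 24 * 60 * 60   # "The 503 page is shown for 1 day"
THRESHOLD = 3                # "The default is 3 violations"


@dataclass
class BanTracker:
    counts: dict = field(default_factory=dict)        # ip -> violations so far
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry (seconds)

    def handle(self, ip, now, violation=False, instaban=False):
        """Return the HTTP status this model serves for one request."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                # Quick per-IP lookup: the request is never rule-checked,
                # so even a harmless request from this IP sees the 503.
                return 503
            # Ban expired: revert to the 403 stage (assumed: fresh count).
            del self.banned_until[ip]
            self.counts.pop(ip, None)
        if not (violation or instaban):
            return 200
        self.counts[ip] = self.counts.get(ip, 0) + 1
        if instaban or self.counts[ip] >= THRESHOLD:
            self.banned_until[ip] = now + BAN_SECONDS
        return 403  # the violating request itself gets the explanation page


def demo():
    """Constructed scenario: a bot and a reader share one exit IP."""
    exit_ip = "203.0.113.7"   # constructed address, stands in for a Tor exit
    t = BanTracker()
    return [
        t.handle(exit_ip, 0, violation=True, instaban=True),  # bot's injection attempt
        t.handle(exit_ip, 600),                               # reader, same exit, clean request
        t.handle(exit_ip, BAN_SECONDS + 1),                   # reader again after the ban lapses
    ]


if __name__ == "__main__":
    print(demo())
```
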