Who is in control at the Los Angeles Department of Water and Power?

It's been a long time since I called out anyone on their bad security practices, but some recent activity has sparked my signal analysis curiosity once again. It all started with a spam attempt from 134.201.250.156 which resolves to:

156.250.201.134.in-addr.arpa domain name pointer wp16vmtmg2.ladwp.com.

The owner of ladwp.com being, of course, the titular LADWP. Given that's a rather important organization in a rather large metropolitan area, I decided to dig deeper. Here is what the log file shows for the time around their access:

217.237.177.6 - - [14/Jul/2013:22:57:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
217.237.177.6 - - [14/Jul/2013:22:57:33 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:22:57:38 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:22:58:08 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:22:58:38 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:22:59:29 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:00:28 -0700] "GET /comment/reply/30 HTTP/1.0" 403 467 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:00:30 -0700] "GET / HTTP/1.0" 403 459 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:23:00:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:23:01:22 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
218.108.170.170 - - [14/Jul/2013:23:02:15 -0700] "GET http://www.impossiblystupid.com/comment/reply/30 HTTP/1.0" 403 524 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
218.108.170.170 - - [14/Jul/2013:23:02:16 -0700] "GET http://www.impossiblystupid.com/ HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
54.245.237.153 - - [14/Jul/2013:23:02:24 -0700] "GET /comment/reply/30 HTTP/1.1" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
54.245.237.153 - - [14/Jul/2013:23:02:28 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:02:33 -0700] "GET /comment/reply/30 HTTP/1.0" 403 467 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:02:35 -0700] "GET / HTTP/1.0" 403 459 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
119.184.214.18 - - [14/Jul/2013:23:02:42 -0700] "GET /comment/reply/30 HTTP/1.0" 403 524 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
107.20.91.72 - - [14/Jul/2013:23:03:28 -0700] "GET /http://www.impossiblystupid.com//comment/reply/30 HTTP/1.1" 403 594 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
107.20.91.72 - - [14/Jul/2013:23:04:18 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:23:05:31 -0700] "GET /http://www.impossiblystupid.com//comment/reply/30 HTTP/1.0" 403 594 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:23:05:57 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:07:17 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
212.42.116.148 - - [14/Jul/2013:23:07:50 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
212.42.116.148 - - [14/Jul/2013:23:08:00 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
37.139.3.32 - - [14/Jul/2013:23:08:00 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
37.139.3.32 - - [14/Jul/2013:23:08:51 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
201.211.233.224 - - [14/Jul/2013:23:09:44 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.0" 403 572 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
201.211.233.224 - - [14/Jul/2013:23:09:59 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-" 
117.20.61.244 - - [14/Jul/2013:23:12:59 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:13:02 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:13:04 -0700] "GET / HTTP/1.1" 200 42717 "http://www.impossiblystupid.com/" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET /comment/reply/113 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/113" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/113" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET /comment/reply/112 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/112" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/112" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET /comment/reply/111 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/111" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/111" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:01 -0700] "GET /comment/reply/110 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/110" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:01 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/110" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET /comment/reply/108 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/108" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/108" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET /comment/reply/107 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/107" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/107" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET /comment/reply/106 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/106" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/106" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:04 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:04 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:05 -0700] "GET /node/114 HTTP/1.0" 403 516 "http://www.impossiblystupid.com/node/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:05 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/node/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 

The first thing that jumps out is the main user agent given:

"Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"

A quick search turns up a reference to the MR SPUTNIK spam/hacker bot, which strongly suggests that these people have lost control of their computers (i.e., they were hacked). That's not good news for the Los Angeles Department of Water and Power!

Going down the list, we see entries from Germany, China, Africa, Kyrgyzstan, Netherlands, Venezuela, Indonesia, and Poland. In the United States, we see Amazon's EC2 servers. For the most part, they got back a 403 (Forbidden) response, which means that most of them are "repeat offenders" that had already been blocked for previous abuse. And I have now blocked LADWP as well.

They're probably all part of a botnet, but given the nature of malware, any one of them could be the root abuser. On that note, one particular entry in the middle was the odd man out:

91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-" 

That IP resolves to gsdn.me, which is an anonymizing server in France. Probably not activity from the control node, but extra suspicious nonetheless.
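To make the triage walked through above repeatable, here is an added Python example (not code from the original post) that parses lines in Apache "combined" log format, groups requests by client IP, flags the MR SPUTNIK user agent quoted above, and separates IPs whose block is holding (only 403s) from the one that got through (200s) and the one that sent no Referer or User-Agent at all. The sample lines are copied from the log excerpt above, plus one constructed benign hit from the 198.51.100.0/24 documentation range; the verdict names are my own.

```python
"""Triage of an Apache combined-format access log for comment-spam bots.

Added example, not code from the original post. It assumes the standard
Apache "combined" LogFormat (the shape of the excerpt above) and the
user-agent string the post associates with the MR SPUTNIK bot.
"""
import re
from collections import defaultdict

# Standard Apache combined LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# User agent the post links to the MR SPUTNIK spam bot (quoted from the post).
BOT_UA = "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"

# Four lines copied from the excerpt above, plus one constructed benign hit
# from the 198.51.100.0/24 documentation range (not from the real log).
SAMPLE_LOG = [
    '217.237.177.6 - - [14/Jul/2013:22:57:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "' + BOT_UA + '"',
    '134.201.250.156 - - [14/Jul/2013:23:07:17 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "' + BOT_UA + '"',
    '91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-"',
    '134.201.250.156 - - [14/Jul/2013:23:13:04 -0700] "GET / HTTP/1.1" 200 42717 "http://www.impossiblystupid.com/" "' + BOT_UA + '"',
    '89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "' + BOT_UA + '"',
    '198.51.100.7 - - [14/Jul/2013:23:15:00 -0700] "GET /node/30 HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines):
    """Group parsed records by client IP and note what each IP did."""
    by_ip = defaultdict(lambda: {"hits": 0, "statuses": set(),
                                 "bot_ua": False, "blank_headers": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than crash
            continue
        s = by_ip[rec["ip"]]
        s["hits"] += 1
        s["statuses"].add(rec["status"])
        s["bot_ua"] = s["bot_ua"] or rec["ua"] == BOT_UA
        s["blank_headers"] = s["blank_headers"] or (rec["referer"] == "-" and rec["ua"] == "-")
    return by_ip


def triage(lines):
    """Classify each IP the way the post reads the excerpt (verdict names are mine):
    - 'needs_block':     bot UA and at least one 200, i.e. it got through
    - 'already_blocked': bot UA but only 403s, i.e. an earlier block is holding
    - 'anomalous':       sent neither a Referer nor a User-Agent
    - 'benign':          everything else
    """
    verdicts = {}
    for ip, s in summarize(lines).items():
        if s["bot_ua"] and 200 in s["statuses"]:
            verdicts[ip] = "needs_block"
        elif s["bot_ua"]:
            verdicts[ip] = "already_blocked"
        elif s["blank_headers"]:
            verdicts[ip] = "anomalous"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{ip:<16} {verdict}")
```

Run against a real log with `triage(open("access.log").readlines())`; the IPs that come back as `needs_block` are the ones sharing the bot's user agent that your existing deny rules have not caught yet, which is exactly how the LADWP host stood out in the excerpt.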

So, NSA, instead of casting a net so wide you trample on the rights of the people who bankroll your indiscretions, why haven't you instead focused on known problems like these? Why am I, Impossibly Stupid, the one who sees that the LADWP has been compromised? Once the bad guys realize that a hacked machine on the inside of an important organization has more value than sending comment spam to a random blog, things are going to get real messy.