142.252.249.27 is Scanning for Crypto Wallets and Backups

hacking, IP addresses, , , ,

Found a log entry from 142.252.249.27 this morning:

142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD /backup.zip HTTP/1.1" 404 4128 "http://www.freefixer.com/backup.zip" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

The bot running at 142.252.249.27 is scanning freefixer.com for backups, databases, data, code, bitcoin wallets, bitcoin cash wallets, litecoin wallets, dogecoin wallets, etc. It looks for various file formats such as .zip, .rar, .dat, .7z, .sql, .mdb, .mdf, .tgz, .tar and .sql. Here’s the complete lite of requests that 142.252.249.27 did: 

 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /wallet.zip
 HEAD /wallet.rar
 HEAD /wallet.dat
 HEAD /wallet.7z
 HEAD /wallet.sql
 HEAD /wallet.mdb
 HEAD /wallet.mdf
 HEAD /wallet.tgz
 HEAD /wallet.tar.gz
 HEAD /wallet.backup.zip
 HEAD /wallet.backup.rar
 HEAD /wallet.backup.dat
 HEAD /wallet.backup.7z
 HEAD /wallet.backup.sql
 HEAD /wallet.backup.mdb
 HEAD /wallet.backup.mdf
 HEAD /wallet.backup.tgz
 HEAD /wallet.backup.tar.gz
 HEAD /litecoin.zip
 HEAD /litecoin.rar
 HEAD /litecoin.dat
 HEAD /litecoin.7z
 HEAD /litecoin.sql
 HEAD /litecoin.mdb
 HEAD /litecoin.mdf
 HEAD /litecoin.tgz
 HEAD /litecoin.tar.gz
 HEAD /Litecoin.zip
 HEAD /Litecoin.rar
 HEAD /Litecoin.dat
 HEAD /Litecoin.7z
 HEAD /Litecoin.sql
 HEAD /Litecoin.mdb
 HEAD /Litecoin.mdf
 HEAD /Litecoin.tgz
 HEAD /Litecoin.tar.gz
 HEAD /Bitcoin.zip
 HEAD /Bitcoin.rar
 HEAD /Bitcoin.dat
 HEAD /Bitcoin.7z
 HEAD /Bitcoin.sql
 HEAD /Bitcoin.mdb
 HEAD /Bitcoin.mdf
 HEAD /Bitcoin.tgz
 HEAD /Bitcoin.tar.gz
 HEAD /bitcoin.zip
 HEAD /bitcoin.rar
 HEAD /bitcoin.dat
 HEAD /bitcoin.7z
 HEAD /bitcoin.sql
 HEAD /bitcoin.mdb
 HEAD /bitcoin.mdf
 HEAD /bitcoin.tgz
 HEAD /bitcoin.tar.gz
 HEAD /HShare.zip
 HEAD /HShare.rar
 HEAD /HShare.dat
 HEAD /HShare.7z
 HEAD /HShare.sql
 HEAD /HShare.mdb
 HEAD /HShare.mdf
 HEAD /HShare.tgz
 HEAD /HShare.tar.gz
 HEAD /btc.zip
 HEAD /btc.rar
 HEAD /btc.dat
 HEAD /btc.7z
 HEAD /btc.sql
 HEAD /btc.mdb
 HEAD /btc.mdf
 HEAD /btc.tgz
 HEAD /btc.tar.gz
 HEAD /bch.zip
 HEAD /bch.rar
 HEAD /bch.dat
 HEAD /bch.7z
 HEAD /bch.sql
 HEAD /bch.mdb
 HEAD /bch.mdf
 HEAD /bch.tgz
 HEAD /bch.tar.gz
 HEAD /btm.zip
 HEAD /btm.rar
 HEAD /btm.dat
 HEAD /btm.mdb
 HEAD /btm.mdf
 HEAD /btm.tgz
 HEAD /btm.tar.gz
 HEAD /bcd.zip
 HEAD /bcd.rar
 HEAD /bcd.dat
 HEAD /bcd.7z
 HEAD /bcd.sql
 HEAD /bcd.mdb
 HEAD /bcd.mdf
 HEAD /bcd.tgz
 HEAD /bcd.tar.gz
 HEAD /bcx.zip
 HEAD /bcx.rar
 HEAD /bcx.dat
 HEAD /bcx.7z
 HEAD /bcx.sql
 HEAD /bcx.mdb
 HEAD /bcx.mdf
 HEAD /bcx.tgz
 HEAD /bcx.tar.gz
 HEAD /qianbao.zip
 HEAD /qianbao.rar
 HEAD /qianbao.dat
 HEAD /qianbao.7z
 HEAD /qianbao.sql
 HEAD /qianbao.mdb
 HEAD /qianbao.mdf
 HEAD /qianbao.tgz
 HEAD /qianbao.tar.gz
 HEAD /doge.zip
 HEAD /doge.rar
 HEAD /doge.dat
 HEAD /doge.7z
 HEAD /doge.sql
 HEAD /doge.mdb
 HEAD /doge.mdf
 HEAD /doge.tgz
 HEAD /doge.tar.gz
 HEAD /dogecoin.zip
 HEAD /dogecoin.rar
 HEAD /dogecoin.dat
 HEAD /dogecoin.7z
 HEAD /dogecoin.sql
 HEAD /dogecoin.mdb
 HEAD /dogecoin.mdf
 HEAD /dogecoin.tgz
 HEAD /dogecoin.tar.gz
 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /bf.zip
 HEAD /bf.rar
 HEAD /bf.dat
 HEAD /bf.7z
 HEAD /bf.sql
 HEAD /bf.mdb
 HEAD /bf.mdf
 HEAD /bf.tgz
 HEAD /bf.tar.gz
 HEAD /beifen.zip
 HEAD /beifen.rar
 HEAD /beifen.dat
 HEAD /beifen.7z
 HEAD /beifen.sql
 HEAD /beifen.mdb
 HEAD /beifen.mdf
 HEAD /beifen.tgz
 HEAD /beifen.tar.gz
 HEAD /shujuku.zip
 HEAD /shujuku.rar
 HEAD /shujuku.dat
 HEAD /shujuku.7z
 HEAD /shujuku.sql
 HEAD /shujuku.mdb
 HEAD /shujuku.mdf
 HEAD /shujuku.tgz
 HEAD /shujuku.tar.gz
 HEAD /shuju.zip
 HEAD /shuju.rar
 HEAD /shuju.dat
 HEAD /shuju.7z
 HEAD /shuju.sql
 HEAD /shuju.mdb
 HEAD /shuju.mdf
 HEAD /shuju.tgz
 HEAD /shuju.tar.gz
 HEAD /ziliao.zip
 HEAD /ziliao.rar
 HEAD /ziliao.dat
 HEAD /ziliao.7z
 HEAD /ziliao.sql
 HEAD /ziliao.mdb
 HEAD /ziliao.mdf
 HEAD /ziliao.tgz
 HEAD /ziliao.tar.gz
 HEAD /freefixer.zip
 HEAD /freefixer.com.zip
 HEAD /www.freefixer.com.zip
 HEAD /freefixer.rar
 HEAD /freefixer.com.rar
 HEAD /www.freefixer.com.rar
 HEAD /freefixer.dat
 HEAD /freefixer.com.dat
 HEAD /www.freefixer.com.dat
 HEAD /freefixer.7z
 HEAD /freefixer.com.7z
 HEAD /www.freefixer.com.7z
 HEAD /freefixer.sql
 HEAD /freefixer.com.sql
 HEAD /www.freefixer.com.sql
 HEAD /freefixer.mdb
 HEAD /freefixer.com.mdb
 HEAD /www.freefixer.com.mdb
 HEAD /freefixer.mdf
 HEAD /freefixer.com.mdf
 HEAD /www.freefixer.com.mdf
 HEAD /freefixer.tgz
 HEAD /freefixer.com.tgz
 HEAD /www.freefixer.com.tgz
 HEAD /freefixer.tar.gz
 HEAD /freefixer.com.tar.gz
 HEAD /www.freefixer.com.tar.gz

Vanta Telecommunications Limited and egihosting.com are names that shows up then I did a lookup in ARIN register, as shown in the screenshot below. I’m assuming one of their customers have been hacked.

If you’ve been following this blog for the last week you know that I’ve been trying to weed out fake Bingbots, Yandexbots and Googlebots and other types of bad behaviour. Since 142.252.249.27 is currently trying to gain access to non-public information I’m going to block it in Apache’s .htaccess file.