Hetmanship Referrer Spam Campaign: Case Study

Got hit by a small referrer spam campaign today, for some website called “hetmanship”. I’ll not mention the extension, as if you look them up you might download some malware. That would be bad.

As is typical, multiple IPs from around the world: Indonesia, China (8), Russia/UA (5), Mexico, Colombia, Peru, Germany, US. They are indeed difficult to track.
Referrer: http://hetmanship.(will not publish)
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

101.255.62.202: TACHYON ID
104.131.109.105: DIGITAL OCEAN
114.215.150.13: Aliyun Cn
119.29.147.219: Tencent Beijing
119.29.151.193: Tencent Beijing
119.29.151.224: Tencent Beijing
119.29.156.102: Tencent Beijing
120.52.73.97: CHINA UNICOM
120.52.73.98: CHINA UNICOM
171.122.163.186: China Unicom Shanxi
185.31.162.240: SPACENET Planetahost Ru
189.219.85.93: Television Internacional MX
190.107.24.23: ASOCIACION DE TELEVICION COMUNITARIA DE ANDES AUPAN, Colombia
198.50.206.0: OVH
201.16.129.12: COLIGUI Lima, Peru
213.202.252.166: Myloc De
80.87.81.14: Vodafone
82.165.76.98: SCHLUND 1&1 De
90.154.127.19: OJSC Rostelecom RU
91.203.62.169: UCMA Ua
91.217.42.64: Uralskie Kabelnye Seti Ru
94.141.231.6: SKYNET TeleRu Ru

Here are my log entries:

120.52.73.97	[15/Dec/2016:13:13:40	GET /wp/tag/food/#11 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:25	GET /wp/tag/food/#3 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:25	GET /wp/tag/food/#30 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:25	GET /wp/tag/food/#33 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:25	GET /wp/tag/food/#6 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:26	GET /wp/tag/food/#32 HTTP/1.1	403	635	http://hetmanship.xyz
120.52.73.98	[15/Dec/2016:13:12:28	GET /wp/tag/food/#31 HTTP/1.1	403	635	http://hetmanship.xyz
171.122.163.186	[15/Dec/2016:13:13:55	GET /wp/tag/food/#52 HTTP/1.1	404	19607	http://hetmanship.xyz
185.31.162.240	[15/Dec/2016:13:13:33	GET /wp/tag/food/#26 HTTP/1.1	404	19607	http://hetmanship.xyz
189.219.85.93	[15/Dec/2016:13:13:44	GET /wp/tag/food/ HTTP/1.1	200	51183	http://hetmanship.xyz
189.219.85.93	[15/Dec/2016:13:13:46	GET /wp/tag/food/ HTTP/1.1	200	51183	http://hetmanship.xyz
189.219.85.93	[15/Dec/2016:13:13:46	GET /wp/tag/food/ HTTP/1.1	200	51183	http://hetmanship.xyz
190.107.24.23	[15/Dec/2016:13:13:40	GET /wp/tag/food/#4 HTTP/1.1	301	-	http://hetmanship.xyz
190.107.24.23	[15/Dec/2016:13:13:46	GET /reasoned.php HTTP/1.1	200	9570	http://hetmanship.xyz
198.50.206.0	[15/Dec/2016:13:13:31	GET /wp/tag/food/#13 HTTP/1.1	301	-	http://hetmanship.xyz
198.50.206.0	[15/Dec/2016:13:13:57	GET /reasoned.php HTTP/1.1	200	9473	http://hetmanship.xyz
201.16.129.12	[15/Dec/2016:13:13:52	GET /wp/tag/food/#17 HTTP/1.1	404	19607	http://hetmanship.xyz
213.202.252.166	[15/Dec/2016:13:12:34	GET /wp/tag/food/#12 HTTP/1.1	403	638	http://hetmanship.xyz
213.202.252.166	[15/Dec/2016:13:12:34	GET /wp/tag/food/#9 HTTP/1.1	403	638	http://hetmanship.xyz
213.202.252.166	[15/Dec/2016:13:13:01	GET /wp/tag/food/#20 HTTP/1.1	403	638	http://hetmanship.xyz
213.202.252.166	[15/Dec/2016:13:13:01	GET /wp/tag/food/#42 HTTP/1.1	403	638	http://hetmanship.xyz
80.87.81.14	[15/Dec/2016:13:14:35	GET /wp/tag/food/#23 HTTP/1.1	301	-	http://hetmanship.xyz
82.165.76.98	[15/Dec/2016:13:13:56	GET /wp/tag/food/#28 HTTP/1.1	301	-	http://hetmanship.xyz
90.154.127.19	[15/Dec/2016:13:13:24	GET /wp/tag/food/#37 HTTP/1.1	301	-	http://hetmanship.xyz
90.154.127.19	[15/Dec/2016:13:13:29	GET /reasoned.php HTTP/1.1	200	9482	http://hetmanship.xyz
91.203.62.169	[15/Dec/2016:13:14:33	GET /wp/tag/food/#28 HTTP/1.1	301	-	http://hetmanship.xyz
91.203.62.169	[15/Dec/2016:13:14:39	GET /reasoned.php HTTP/1.1	200	9440	http://hetmanship.xyz
91.217.42.64	[15/Dec/2016:13:12:47	GET /wp/tag/food/#17 HTTP/1.1	301	-	http://hetmanship.xyz
91.217.42.64	[15/Dec/2016:13:12:47	GET /wp/tag/food/#66 HTTP/1.1	301	-	http://hetmanship.xyz
94.141.231.6	[15/Dec/2016:13:14:03	GET /wp/tag/food/#75 HTTP/1.1	301	-	http://hetmanship.xyz
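
One way to pick this pattern out of a log automatically, as an added example that is not part of the original post: group entries by referrer host and flag any host that shows up from several distinct IPs and also requests paths containing "#". Browsers strip the fragment before sending a request, so a "#" in the request line is a reliable sign of a script. The sample lines, the hosts spam.example and blog.example, and the min_ips threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the same tab-separated layout as the entries above:
# ip, [timestamp, request line, status, bytes, referrer
SAMPLE = "\n".join([
    "192.0.2.10\t[15/Dec/2016:13:12:25\tGET /wp/tag/food/#3 HTTP/1.1\t403\t635\thttp://spam.example",
    "192.0.2.10\t[15/Dec/2016:13:12:26\tGET /wp/tag/food/#32 HTTP/1.1\t403\t635\thttp://spam.example",
    "198.51.100.7\t[15/Dec/2016:13:13:40\tGET /wp/tag/food/#4 HTTP/1.1\t301\t-\thttp://spam.example",
    "198.51.100.7\t[15/Dec/2016:13:13:46\tGET /reasoned.php HTTP/1.1\t200\t9570\thttp://spam.example",
    "203.0.113.5\t[15/Dec/2016:13:13:44\tGET /wp/tag/food/ HTTP/1.1\t200\t51183\thttp://spam.example",
    "203.0.113.9\t[15/Dec/2016:13:14:00\tGET /wp/tag/food/ HTTP/1.1\t200\t51183\thttps://search.example/?q=food",
    "203.0.113.9\t[15/Dec/2016:13:14:02\tGET /about/ HTTP/1.1\t200\t4100\thttp://blog.example/wp/tag/food/",
])

def parse(line):
    """Split one tab-separated entry; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ip, _ts, request, status, _size, referrer = parts
    req = request.split(" ")
    if len(req) != 3:
        return None
    return {"ip": ip, "path": req[1], "status": status,
            "ref_host": (urlsplit(referrer).hostname or "").lower()}

def suspicious_referrers(log_text, own_host, min_ips=3):
    """Referrer hosts used by >= min_ips clients that also sent '#' paths."""
    ips, frag, hits = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        e = parse(line)
        # Skip unparsable lines, empty referrers and internal navigation.
        if not e or not e["ref_host"] or e["ref_host"] == own_host:
            continue
        ips[e["ref_host"]].add(e["ip"])
        hits[e["ref_host"]] += 1
        # A '#fragment' never reaches the server from a real browser.
        frag[e["ref_host"]] += "#" in e["path"]
    return {h: {"ips": len(ips[h]), "hits": hits[h], "fragment_hits": frag[h]}
            for h in ips if len(ips[h]) >= min_ips and frag[h] > 0}

if __name__ == "__main__":
    for host, stats in suspicious_referrers(SAMPLE, "blog.example").items():
        print(host, stats)
```

Flagged hosts can then go into a referrer deny rule, which catches the campaign regardless of which source IP it arrives from.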
