by   March 07 2016   
Are you finding more errors when 213.174.146.187 visits your site? How about Path/File access error Code 75? I find that I only see this type of error when a select type of bot visits me. Is it due to the Forced SSL and images? I'll know more when they come back. I've added more monitoring code for this selected error type.

Why do I get Path/File access error Code 75?

Well, it could be many things. Your permissions could be wrong.

But in my case it's a hacker that is up to no good. 

Many of us use debugging scripts to identify coding issues. 

I, like many, do the same, but I also know my code and can and DO monitor every connection and every POST and GET.

Here's my example of why you might not really be seeing this error from normal traffic. 

My Friendly Hacked Bot IP: 213.174.146.187

Update 3-8-2016: tested 46.229.173.131 and confirmed, using a hacked open server to manage a rogue BOT.

From my testing, the error occurs when the server has nearly all its ports open for external connections. I don't have time to list them all but I would simply ignore these errors when you can proxy scan the classic http ports.

Testing for Proxy on 46.229.173.131
Using www.google.com
Yes Proxy on 46.229.173.131:80 Server Status: 200
Test text: Welcome page body { background: #e7e7e7; font-family: Verdana, sans-serif; font-size: 11pt; } #page { background: #ffffff; margin: 50px; border: 

Yes, I did create my own flavor of reverse proxy scanning with ASP Classic code. It works very well and can be triggered by this error to do a live scan and report. Can you .Net guys do the same? (Just joking, I'm sure you can.)

Just one more way to do "passive" discovery. Who needs to scan the web when the web scans you?

Here's the code line for this error:  Set objImg = loadpicture(img)

Here's the pattern that always triggers the Path/File Access Error. 

This error has nothing to do with permissions but I'm still not sure why it's only triggered by rogue bots on open hacked servers. Kind of thinking it's a virus looking to spread but until I can collect more passive data I will not know. 

If you know what this is caused by, feel free to contact my Google+ account. Be sure to offer up proof because I don't take anyone's word, only proof.

User agents used in a quick write attempt, all from the same IP address, 213.174.146.187.
The time: 3/7/2016 3:42:12 PM

The list below is all hits that triggered the Path/File access error code 75.

  1. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
  2. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  3. UserAgent: Mozilla/5.0 (Linux; Android 4.2.2; en-us; SAMSUNG-SGH-1337 BUild/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Version/1.0 Chrome/18.0.1025.308 Mobile Safari/535.19
  4. UserAgent: Mozilla/5.0 (Linux; Android 4.2.2; en-us; SAMSUNG-SGH-1337 BUild/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Version/1.0 Chrome/18.0.1025.308 Mobile Safari/535.19
  5. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  6. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  7. UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari
  8. UserAgent: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
  9. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  10. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
  11. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
  12. UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari
  13. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
  14. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  15. UserAgent: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
  16. UserAgent: Mozilla/5.0 (Linux; Android 4.2.2; en-us; SAMSUNG-SGH-1337 BUild/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Version/1.0 Chrome/18.0.1025.308 Mobile Safari/535.19
  17. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  18. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  19. UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari
  20. UserAgent: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
  21. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

All hits came within one minute from the same IP address, sending different user agents.
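
The pattern described above (one IP address, several user agents, all inside a minute, each hit raising error 75) can be checked against a request log. This is an added example, not the author's ASP Classic monitoring code; the pipe-delimited log format, the per-hit timestamps and the second client 192.0.2.10 are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|client IP|VBScript Err.Number|User-Agent".
# The format, the per-hit times and 192.0.2.10 are assumptions; the first IP
# and the User-Agent strings are the ones quoted in the post.
SAMPLE_LOG = """\
3/7/2016 3:42:12 PM|213.174.146.187|75|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
3/7/2016 3:42:15 PM|213.174.146.187|75|Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
3/7/2016 3:42:21 PM|213.174.146.187|75|Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
3/7/2016 3:42:30 PM|213.174.146.187|75|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
3/7/2016 3:40:02 PM|192.0.2.10|0|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
3/7/2016 3:47:40 PM|192.0.2.10|0|Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
"""

def parse(log_text):
    """Yield (timestamp, ip, err_number, user_agent) per non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, err, ua = line.split("|", 3)
        yield datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), ip, int(err), ua

def find_ua_rotators(log_text, window=timedelta(seconds=60), min_distinct=3):
    """Return {ip: (peak distinct UAs in any window, count of error-75 hits)}
    for clients that present min_distinct or more User-Agents inside window."""
    by_ip = defaultdict(list)
    for ts, ip, err, ua in parse(log_text):
        by_ip[ip].append((ts, err, ua))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()                      # log lines may arrive out of order
        recent, in_window, peak = deque(), Counter(), 0
        for ts, _err, ua in hits:
            recent.append((ts, ua))
            in_window[ua] += 1
            while ts - recent[0][0] > window:   # expire hits older than window
                _, old_ua = recent.popleft()
                in_window[old_ua] -= 1
                if in_window[old_ua] == 0:
                    del in_window[old_ua]
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            flagged[ip] = (peak, sum(1 for _, err, _ in hits if err == 75))
    return flagged

if __name__ == "__main__":
    for ip, (uas, errs) in find_ua_rotators(SAMPLE_LOG).items():
        print(f"{ip}: {uas} User-Agents within 60s, {errs} error-75 hits")
```

A client that changes user agent once over several minutes, such as two people behind one NAT address, stays below the threshold and is not reported.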

I thought it was a variable issue or a naming issue but now I see it's some type of exploit attempt. 

The code that is causing the error reads the width and height of images using loadpicture().

It is very clear to me that this is some type of BOT collecting or scraping. 
This bot could have issues with my forced SSL connection. 
Or it's causing an error when checking to see if the file exists. 

It also could just be a fluke.

I will monitor it more, adding more debugging to the script.

Here's why I say they are up to no good: https://isc.sans.edu/asdetailsascii.html?as=39572

Over 280 reports from one target. 
Add that to my 50 or so total for several days and we have a question mark as to who this is as well as what their goal is.

ASP Classic mixed with forced SSL seems to cause issues with script kiddies.

I will update as soon as I see the line that triggers the error.

 
