#1  
Old 03-April-2005, 22:39
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177
weird bot / webserver logs..

weird behaviour,. they have a number of IPs and lots of different user agent strings,.

these pages are mostly blank and generated on the fly (they are listed in robots.txt)

65.102.23.169 - - [03/Apr/2005:22:23:12 +0100] "GET /2005/ HTTP/1.0" 200 12292 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.153 - - [03/Apr/2005:22:23:24 +0100] "GET /2005/03/20/ HTTP/1.0" 200 3980 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
63.227.217.97 - - [03/Apr/2005:22:23:32 +0100] "GET /2005/03/23/ HTTP/1.0" 200 4795 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
63.227.217.97 - - [03/Apr/2005:22:23:45 +0100] "GET /2005/02/ HTTP/1.0" 200 2847 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
65.102.23.153 - - [03/Apr/2005:22:23:55 +0100] "GET /2005/06/ HTTP/1.0" 200 2818 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.169 - - [03/Apr/2005:22:24:05 +0100] "GET /2005/01/ HTTP/1.0" 200 2958 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
63.227.217.97 - - [03/Apr/2005:22:24:13 +0100] "GET /2005/07/ HTTP/1.0" 200 2940 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
65.102.23.161 - - [03/Apr/2005:22:24:21 +0100] "GET /2005/08/ HTTP/1.0" 200 2828 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.169 - - [03/Apr/2005:22:24:38 +0100] "GET /2005/09/ HTTP/1.0" 200 2844 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.12.225 - - [03/Apr/2005:22:24:49 +0100] "GET /2005/10/ HTTP/1.0" 200 2959 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.23.153 - - [03/Apr/2005:22:25:03 +0100] "GET /2005/11/ HTTP/1.0" 200 2842 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.153 - - [03/Apr/2005:22:25:13 +0100] "GET /2005/12/ HTTP/1.0" 200 2838 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.161 - - [03/Apr/2005:22:25:23 +0100] "GET /2004/12/ HTTP/1.0" 200 2838 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.161 - - [03/Apr/2005:22:25:34 +0100] "GET /2006/01/ HTTP/1.0" 200 2835 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.161 - - [03/Apr/2005:22:25:44 +0100] "GET /2004/ HTTP/1.0" 200 12165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.161 - - [03/Apr/2005:22:25:52 +0100] "GET /2004 HTTP/1.0" 301 233 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.169 - - [03/Apr/2005:22:26:00 +0100] "GET /2004/11/ HTTP/1.0" 200 2842 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.161 - - [03/Apr/2005:22:26:11 +0100] "GET /2006/ HTTP/1.0" 200 12158 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.12.225 - - [03/Apr/2005:22:26:27 +0100] "GET /2006 HTTP/1.0" 301 233 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.23.169 - - [03/Apr/2005:22:26:35 +0100] "GET /2006/02/ HTTP/1.0" 200 2847 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.161 - - [03/Apr/2005:22:26:43 +0100] "GET /2004/01/ HTTP/1.0" 200 2835 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.161 - - [03/Apr/2005:22:26:54 +0100] "GET /2004/02/ HTTP/1.0" 200 2843 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.153 - - [03/Apr/2005:22:27:02 +0100] "GET /2004/03/ HTTP/1.0" 200 2824 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.12.225 - - [03/Apr/2005:22:29:23 +0100] "GET /2006/06/ HTTP/1.0" 200 2818 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.23.153 - - [03/Apr/2005:22:29:35 +0100] "GET /2006/07/ HTTP/1.0" 200 2940 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.161 - - [03/Apr/2005:22:29:43 +0100] "GET /2006/08/ HTTP/1.0" 200 2828 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.169 - - [03/Apr/2005:22:29:57 +0100] "GET /2006/09/ HTTP/1.0" 200 2844 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.161 - - [03/Apr/2005:22:30:05 +0100] "GET /2006/10/ HTTP/1.0" 200 2836 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.12.225 - - [03/Apr/2005:22:30:13 +0100] "GET /2006/11/ HTTP/1.0" 200 2842 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.23.169 - - [03/Apr/2005:22:30:39 +0100] "GET /2006/12/ HTTP/1.0" 200 2961 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.161 - - [03/Apr/2005:22:30:57 +0100] "GET /2003/12/ HTTP/1.0" 200 2838 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.169 - - [03/Apr/2005:22:31:05 +0100] "GET /2007/01/ HTTP/1.0" 200 2835 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
65.102.23.153 - - [03/Apr/2005:22:31:14 +0100] "GET /2003/ HTTP/1.0" 200 12225 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.12.225 - - [03/Apr/2005:22:31:23 +0100] "GET /2003 HTTP/1.0" 301 233 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
63.227.217.97 - - [03/Apr/2005:22:31:32 +0100] "GET /2003/11/ HTTP/1.0" 200 2965 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
65.102.23.153 - - [03/Apr/2005:22:31:40 +0100] "GET /2007/ HTTP/1.0" 200 2820 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.153 - - [03/Apr/2005:22:31:48 +0100] "GET /2007 HTTP/1.0" 200 2820 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.161 - - [03/Apr/2005:22:32:00 +0100] "GET /2007/02/ HTTP/1.0" 200 2847 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.153 - - [03/Apr/2005:22:32:11 +0100] "GET /2003/01/ HTTP/1.0" 200 2835 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.161 - - [03/Apr/2005:22:32:25 +0100] "GET /2003/02/ HTTP/1.0" 200 2847 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.12.225 - - [03/Apr/2005:22:32:39 +0100] "GET /2003/03/ HTTP/1.0" 200 2947 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.12.225 - - [03/Apr/2005:22:32:53 +0100] "GET /2003/04/ HTTP/1.0" 200 2823 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
65.102.23.161 - - [03/Apr/2005:22:33:03 +0100] "GET /2003/05/ HTTP/1.0" 200 2812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.161 - - [03/Apr/2005:22:33:14 +0100] "GET /2003/06/ HTTP/1.0" 200 2818 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
63.227.217.97 - - [03/Apr/2005:22:33:25 +0100] "GET /2003/07/ HTTP/1.0" 200 2817 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
65.102.23.153 - - [03/Apr/2005:22:33:38 +0100] "GET /2003/08/ HTTP/1.0" 200 2951 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.161 - - [03/Apr/2005:22:33:56 +0100] "GET /2003/09/ HTTP/1.0" 200 2844 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
65.102.23.153 - - [03/Apr/2005:22:34:06 +0100] "GET /2003/10/ HTTP/1.0" 200 5267 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
65.102.23.153 - - [03/Apr/2005:22:34:18 +0100] "GET /2003/10/24/ HTTP/1.0" 200 5303 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
and it goes on,.

weird huh?

Sil
  #2  
Old 03-April-2005, 22:44
silver
Re: weird bot / webserver logs..

is mostly these IPs..

63.227.217.97
65.102.12.225
65.102.23.153
65.102.23.161
65.102.23.169
Sil
  #3  
Old 03-April-2005, 22:47
Memfis
Former TS! Team
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894
Re: weird bot / webserver logs..

looks like an end user doing sommat.

OrgName: U S WEST Internet Services
OrgID: USW
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

NetRange: 65.100.0.0 - 65.103.255.255
CIDR: 65.100.0.0/14
NetName: USW-INTERACT99-2BLK
NetHandle: NET-65-100-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.USWEST.NET
NameServer: NS2.DNVR.USWEST.NET
NameServer: NS3.MN.USWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-01-03
Updated: 2002-08-12

TechHandle: ZU24-ARIN
TechName: U S WEST ISOps
TechPhone: +1-612-664-4689
TechEmail: abuse@uswest.net

OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest, Communications
OrgAbusePhone: +1-877-886-6515
OrgAbuseEmail: abuse@qwest.net

OrgNOCHandle: QIN-ARIN
OrgNOCName: Qwest IP NOC
OrgNOCPhone: +1-877-886-6515
OrgNOCEmail: support@qwestip.net

OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: +1-877-886-6515
OrgTechEmail: ipadmin@qwest.com

# ARIN WHOIS database, last updated 2005-04-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
  #4  
Old 03-April-2005, 22:50
silver
Re: weird bot / webserver logs..

well this seems to give them 500 resp codes

Code:
<LIMIT GET HEAD POST>
order allow,deny
deny from 63.227.217.97
deny from 65.102
allow from all
</LIMIT>
Sil

edit nope - that's no good - everyone gets that 500 code - apache didn't like it in the htaccess file (prolly can fix it,.) tho would like a better solution
  #5  
Old 03-April-2005, 22:53
Memfis
Re: weird bot / webserver logs..

although .161 is reporting as Sun OS
  #6  
Old 03-April-2005, 23:03
silver
Re: weird bot / webserver logs..

ok - done - I think.. put this into http conf..

Options -Indexes -FollowSymLinks -MultiViews -ExecCGI -Includes
AllowOverride FileInfo Options AuthConfig Indexes
Order allow,deny
deny from 63.227.217.97
deny from 65.102
now giving them

403 - Forbidden
A 403 status code indicates that the client cannot access the requested resource. That might mean that the wrong username and password were sent in the request, or that the permissions on the server do not allow what was being asked.

an it seems to load ok for me..

Sil
  #7  
Old 03-April-2005, 23:07
Memfis
Re: weird bot / webserver logs..

Thought you meant it was TS! being 'ripped'
  #8  
Old 03-April-2005, 23:10
silver
Re: weird bot / webserver logs..

no - is jus my box..

an tbh it don't really matter - there's nothing interesting on those pages am jus messing around..

tho I guess there's a chance they will find a hole in something - seems the only reason to switch around between IPs and user agents would be if there was malicious intent?

Sil
  #9  
Old 03-April-2005, 23:46
silver
Re: weird bot / webserver logs..

have come to a theory (will accept other ideas!)

behaviour was to ignore robots file (didn't even load it once)
trying to hide by flicking between IP addresses and switching between user agent strings:

Code:
 [en] (X11; U; Linux 2.2.19 i686)"
(Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
(compatible; MSIE 4.0; Windows 95)"
(compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
(compatible; MSIE 6.0; Windows NT 5.0)"
.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/103u (KHTML, like Gecko) Safari/100"
.0 (compatible; MSIE 4.0; Windows 95)"
.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
.0 (compatible; MSIE 6.0; Windows NT 5.0)"
.77 [en] (X11; U; Linux 2.2.19 i686)"
e; MSIE 6.0; Windows NT 5.0)"
was loading pages at abt 1 page every 3 seconds and only following links (it wasn't jus random / looking for exploitable scripts)

so,. reckon it was looking for email addresses to spam to?

Sil
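One way to pull the pattern silver describes out of an access log, as an added example and not code from this thread: it flags addresses that fetched robots.txt-excluded pages without ever requesting robots.txt, counts how many user-agent strings each one presented, and measures the shared cadence of the whole cluster. The sample lines and addresses are constructed for the example, and it assumes the on-the-fly date archives are the paths the robots file excludes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache combined format quoted in the thread (addresses made up).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Apr/2005:22:23:12 +0100] "GET /2005/ HTTP/1.0" 200 12292 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
192.0.2.11 - - [03/Apr/2005:22:23:24 +0100] "GET /2005/03/20/ HTTP/1.0" 200 3980 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.10 - - [03/Apr/2005:22:23:32 +0100] "GET /2005/03/23/ HTTP/1.0" 200 4795 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/100"
192.0.2.11 - - [03/Apr/2005:22:23:45 +0100] "GET /2005/02/ HTTP/1.0" 200 2847 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [03/Apr/2005:22:23:55 +0100] "GET /2005/06/ HTTP/1.0" 200 2818 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)"
198.51.100.7 - - [03/Apr/2005:22:10:00 +0100] "GET /robots.txt HTTP/1.0" 200 120 "-" "Googlebot/2.1"
198.51.100.7 - - [03/Apr/2005:22:10:05 +0100] "GET /2005/ HTTP/1.0" 200 12292 "-" "Googlebot/2.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Assumption for the example: the on-the-fly date archives are what the site's robots.txt disallows.
EXCLUDED_PREFIXES = ("/2003/", "/2004/", "/2005/", "/2006/", "/2007/")

def parse(log_text):
    """Yield one dict per parseable line, with the timestamp converted to a datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def suspicious(log_text, min_excluded=2):
    """IPs that pulled robots.txt-excluded pages without ever fetching robots.txt,
    with their hit count and how many distinct user-agent strings they presented."""
    stats = defaultdict(lambda: {"hits": 0, "uas": set(), "robots": False, "excluded": 0})
    for r in parse(log_text):
        s = stats[r["ip"]]
        s["hits"] += 1
        s["uas"].add(r["ua"])
        s["robots"] |= r["path"] == "/robots.txt"
        s["excluded"] += r["path"].startswith(EXCLUDED_PREFIXES)
    return {ip: {"hits": s["hits"], "distinct_uas": len(s["uas"]), "excluded": s["excluded"]}
            for ip, s in stats.items() if not s["robots"] and s["excluded"] >= min_excluded}

def cluster_rate(log_text, ips):
    """Average seconds between successive requests from the given IPs taken together:
    the 'one page every few seconds' cadence that rotating addresses share."""
    times = sorted(r["ts"] for r in parse(log_text) if r["ip"] in ips)
    if len(times) < 2:
        return None
    return (times[-1] - times[0]).total_seconds() / (len(times) - 1)
```

Feeding the flagged set into cluster_rate shows the per-cluster cadence that per-IP counts hide, which is the tell silver relied on.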
  #10  
Old 04-April-2005, 08:48
silver
Re: weird bot / webserver logs..

looking at log this morn,.

the scanning started at abt 10pm and finished at abt 11.30pm..

the IPs really stand out since site isn't that busy..

65.102.12.225
65.102.23.161
65.102.23.153
63.227.217.97
65.102.23.169
63.211.54.138
between them they loaded 200 ish pages - most of which were blank (cgi generated on the fly) and explicitly excluded in robots file.. an for at least the last 30 mins all they got were 403 / forbidden

others have seen same .. http://www.webhostingtalk.com/archiv.../204623-1.html

Sil

ps. 200 pages loaded plus abt 550 more were 403'd

Last edited by silver; 04-April-2005 at 08:56.
  #11  
Old 04-April-2005, 09:02
silver
Re: weird bot / webserver logs..

is quite a few ppl have seen, Google searching on those IPs.. http://royjacobsen.squarespace.com/d...4-24T00:00:00Z

Sil
  #12  
Old 04-April-2005, 14:59
rjacobse
Guest
Re: weird bot / webserver logs..

I'm the owner of the website mentioned in the previous comment. It's a weblog hosted by SquareSpace, so I don't have complete sysadmin powers, and besides, I don't know just gobs about this stuff, so I'm not sure what I would have done about it anyway. This weirdness hasn't shown up in my referrer logs for a while (although it did repeat from time to time). What I am seeing now is referrer spam for online casinos and offshore pharmaceuticals. (SquareSpace is allegedly working on a filter for this.)

I hate spam.

I was curious about what was up when I saw this site showing up in my referrer logs.
  #13  
Old 04-April-2005, 17:46
silver
Re: weird bot / webserver logs..

Hi Roy,

Whatever they are up to is being done to at least a few websites,. I generally use contact forms now rather than put email addresses into webpages as it seems the only way to stop the blighters harvesting the addresses

I don't think it's much to worry or even bother to try and block,. generally I wouldn't have noticed,. I just happened to be watching the logs and it was quite worrying for a little while wondering what they were up to

Sil

PS, welcome to TS!
  #14  
Old 13-April-2005, 23:23
silver
Re: weird bot / webserver logs..

humm - has happened again

65.164.129.91 with 150 page loads
207.155.199.163.ptr.us.xo.net with 132 page loads
12.17.130.27 with 126 page loads
208.252.91.3 with 124 page loads

same MO but they didn't flick round with the user agent,. all listed with

"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
there was the umm tell-tale flicking between the above IPs almost in rotation,. and the obvious giveaway of loading over 100 pages each of which is completely uninteresting and almost blank, the pages are also excluded in robots.txt..

Sil