dstiles - 10:47 pm on Jun 28, 2010 (gmt 0)
Seen quite a few of these over the past few days, generally in groups of half a dozen-ish. (Title is complete UA with correct spelling.)
Behaviour is odd: every hit seems to be to the same site and page with (probably) the same unique querystring (this denotes an actual file to download or view). At the END of the querystring the file's extension (.ged) is replaced by:
This seems to be consistent, although I've only carried out a few spot-checks. It also indicates a hack attempt, since the site is not PHP anyway. It's odd that the characters are upper-ASCII apart from the space, suggesting a non-Latin character set.
Hits come from different IPs, sometimes repeats of previous ones (perhaps 5 or 6 IPs involved). All IPs seem to be from server farms apart from one which could be a server on a static business DSL line. Servers include softlayer and a multi-country (RIPE) server farm.
Initially I thought "distributed bot" but being from servers this is unlikely unless it's a proper bot such as camont, and there is almost nothing to indicate it might be (SEs show next to nothing apart from logs, which indicate I'm not alone).
Possibly it's a broken bot (replacing only the file extension seems dumb unless there is an exploitable system that includes those three letters).
Any ideas, folks?
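A log check for the pattern described in the post, added here as an example and not part of the original thread: it flags requests whose `file` parameter is a known-good `.ged` name with the extension swapped for a space and upper-ASCII bytes, then counts source IPs and the distinct replacement tails. The log lines, IPs, UA string and path are constructed placeholders, and the parser assumes Apache combined log format.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined format; IPs, UA and paths are
# placeholders, not data from the original post. Line 1 is a normal download;
# the others have ".ged" replaced by upper-ASCII bytes, twice percent-encoded
# (with a leading space) and once sent raw, which Apache logs as \xNN escapes.
SAMPLE_LOG = r"""
203.0.113.10 - - [28/Jun/2010:22:01:11 +0000] "GET /genealogy/view?file=smith-family.ged HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (placeholder browser)"
203.0.113.44 - - [28/Jun/2010:22:05:32 +0000] "GET /genealogy/view?file=smith-family%20%C3%A9%C2%A9 HTTP/1.1" 404 210 "-" "ExampleBot/1.0 (placeholder UA)"
198.51.100.7 - - [28/Jun/2010:22:05:40 +0000] "GET /genealogy/view?file=smith-family\xc3\xa9\xc2\xa9 HTTP/1.1" 404 210 "-" "ExampleBot/1.0 (placeholder UA)"
203.0.113.44 - - [28/Jun/2010:22:07:02 +0000] "GET /genealogy/view?file=smith-family%20%C3%A9%C2%A9 HTTP/1.1" 404 210 "-" "ExampleBot/1.0 (placeholder UA)"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
ESC_RE = re.compile(rb'\\x([0-9a-fA-F]{2})')

def decode_target(target: str) -> bytes:
    """Undo percent-encoding, then Apache's \\xNN escapes, to get the raw bytes."""
    raw = unquote_to_bytes(target)
    return ESC_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)

def split_tail(value: bytes):
    """Split into the printable-ASCII stem and the trailing run of spaces and
    upper-ASCII bytes (the part substituted for the extension)."""
    i = len(value)
    while i > 0 and (value[i - 1] >= 0x80 or value[i - 1] == 0x20):
        i -= 1
    return value[:i], value[i:]

def analyse(log_text: str, ext: bytes = b".ged"):
    records = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status, ua = m.groups()
        query = target.partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        records.append((ip, ua, decode_target(params.get("file", ""))))
    # First pass: names that were requested with the real extension.
    known_good = {v for _, _, v in records if v.endswith(ext)}
    flagged = []
    for ip, ua, value in records:
        stem, tail = split_tail(value)
        if tail and not value.endswith(ext) and stem + ext in known_good:
            flagged.append((ip, ua, stem, tail))
    return {"flagged": flagged,
            "per_ip": Counter(ip for ip, _, _, _ in flagged),
            "tails": Counter(tail for _, _, _, tail in flagged)}
```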