-- Search Engine Spider and User Agent Identification
---- casper bot search attempts to infect sites
incrediBILL - 10:52 pm on Jul 7, 2010 (gmt 0)
OK, I stand corrected, most of the activity today is totally different from the past few days.
Mostly seeing this coming from So. Korea:
"POST /I[DEX]887 HTTP/1.1" "MaMa CaSpEr"
I don't even know what the heck "/I[DEX]887" is or why anyone would try to post to it but those stupid scripts tried about 30 times with some variations.
Also had a couple of "contact.php" hits from Germany with a Firefox UA:
"POST /contact.php HTTP/1.1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Wonder why the sudden shift from GET to POST?
At a minimum the POST no longer exposes the source of the file they're attempting to upload in a log file so it makes it a little harder to figure out the source of the hacked computer and take it down.