Welcome to WebmasterWorld Guest from 220.127.116.11 , register , free tools , login , search , pro membership , help , library , announcements , recent posts , open posts Become a Pro Member
Songbird/0.1 Botnet, Controlled? blend27 msg:3282360 2:11 am on Mar 15, 2007 (gmt 0) Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1
comes in bunches from various IPs 5 to 10 seconds apart
seam to access index page, contact and guestbook, no image requests.
201.45.221.nnn 201.52.187.nn 201.80.176.nn 209.160.32.nnn 217.159.200.nnn 66.199.242.nn 66.68.43.nn 66.75.52.nnn 68.46.248.nnn 70.244.17.nnn 70.252.137.nnn 72.0.186.nnn 74.57.67.nnn 76.181.17.nnn 84.122.42.nn 84.94.192.nnn 86.20.235.nnn 90.157.152.nnn
I know Songbird is a little App for music, but why post data to guest book and contact page
[ edited by: volatilegx at 12:57 am (utc) on Mar. 16, 2007] [edit reason] obfuscated ip addresses [/edit]
wkitty42 msg:3296085 8:21 am on Mar 29, 2007 (gmt 0)
why post data? well, i think you've probably got the right idea with the botnet thing... it is likely a pr0n spammer's botnet attempting to build backlinks... are the requests GETs or POSTs? i've seen many recent attempts at cross site scripting to pull in php shell code to try to root into a system... luckily my SNORT traps them and let's me know about it... if these are done in POSTs, you generally can't see them in the logs... GETs on the other hand do show... in my case, though, SNORT blocks them before they even get to the web server ;) incrediBILL msg:3305860 10:42 pm on Apr 8, 2007 (gmt 0)
It's a spambot.
64.246.18.nnn "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1"
Went directly to a page to POST information, no other accesses.
incrediBILL msg:3305861 10:44 pm on Apr 8, 2007 (gmt 0)
The IP that I posted was from ev1servers.net, botnet very likely.