homepage Welcome to WebmasterWorld Guest from 54.242.126.126
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Songbird/0.1
Botnet, Controlled?
blend27

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3282358 posted 2:11 am on Mar 15, 2007 (gmt 0)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1

comes in bunches from various IPs 5 to 10 seconds apart

seam to access index page, contact and guestbook, no image requests.

172.188.192.n
201.45.221.nnn
201.52.187.nn
201.80.176.nn
209.160.32.nnn
217.159.200.nnn
66.199.242.nn
66.68.43.nn
66.75.52.nnn
68.46.248.nnn
70.244.17.nnn
70.252.137.nnn
72.0.186.nnn
74.57.67.nnn
76.181.17.nnn
84.122.42.nn
84.94.192.nnn
86.20.235.nnn
90.157.152.nnn

I know Songbird is a little App for music, but why post data to guest book and contact page

[edited by: volatilegx at 12:57 am (utc) on Mar. 16, 2007]
[edit reason] obfuscated ip addresses [/edit]

 

wkitty42

10+ Year Member



 
Msg#: 3282358 posted 8:21 am on Mar 29, 2007 (gmt 0)

why post data? well, i think you've probably got the right idea with the botnet thing... it is likely a pr0n spammer's botnet attempting to build backlinks... are the requests GETs or POSTs? i've seen many recent attempts at cross site scripting to pull in php shell code to try to root into a system... luckily my SNORT traps them and let's me know about it... if these are done in POSTs, you generally can't see them in the logs... GETs on the other hand do show... in my case, though, SNORT blocks them before they even get to the web server ;)

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3282358 posted 10:42 pm on Apr 8, 2007 (gmt 0)

It's a spambot.

64.246.18.nnn "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1"

Went directly to a page to POST information, no other accesses.

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3282358 posted 10:44 pm on Apr 8, 2007 (gmt 0)

The IP that I posted was from ev1servers.net, botnet very likely.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved