Search Engine Spider and User Agent Identification Forum

    
Get Request
Ken_S




msg:4509638
 2:44 am on Oct 19, 2012 (gmt 0)

Not Sure Where To Ask
Odd Get Request

I had this get request today and it is a first - I did a Google but what was there was one of those, "say what gibberish", comments. Can anyone enlighten me on this?

93.182.133.xxx - - [18/Oct/2012:06:54:55 -0700] "GET /++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+forum+not+found+/+could+not+find+IP HTTP/1.0" 403 3159 "http://www.example.com/++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+forum+not+found+/+could+not+find+IP" "Mozilla/5.0 (Windows NT 5.1; rv:10.0.3) Gecko/20100101 Firefox/10.0.3"

93.182.133.xxx - - [18/Oct/2012:06:54:56 -0700] "GET / HTTP/1.0" 403 3159 "http://www.example.com/++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+forum+not+found+/+could+not+find+IP" "Mozilla/5.0 (Windows NT 5.1; rv:10.0.3) Gecko/20100101 Firefox/10.0.3"

93.182.133.xxx - - [18/Oct/2012:06:54:56 -0700] "GET / HTTP/1.0" 403 3159 "http://www.example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:10.0.3) Gecko/20100101 Firefox/10.0.3"

93.182.133.xxx - - [18/Oct/2012:06:54:57 -0700] "GET / HTTP/1.0" 403 3159 "http://www.example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:10.0.3) Gecko/20100101 Firefox/10.0.3"


Thanks,
Ken

 

dstiles




msg:4510257
 9:42 pm on Oct 20, 2012 (gmt 0)

According to my notes 93.182.128.0 - 93.182.191.255 has a history of bad hits. I have a note that it may be a server farm or may be static business IPs but either way it's blocked.

I take it the rows of +++ are where you have obfuscated the original pagenames? The 403 rejects the visitor - did you do that deliberately or was it generated by something out of your control?

I consider any Firefox earlier than 14 to be a possible fake, with the exception of 12 which is the last version that Windows 2000 can run.

I haven't considered Google to be a responsible SE for a few years now - it often returns gibberish, as I understand it. Try ixquick - works for me.

lucy24




msg:4510297
 12:53 am on Oct 21, 2012 (gmt 0)

Oh, gosh, I saw some of those just recently too. I've met the strings of +++ in the past, but I remember the "forum not found" (because, er, I don't have a forum?).

"I take it the rows of +++ are where you have obfuscated the original pagenames?"

No, if his bot is the same as mine, that's literally what you get in the logs. Well, %2B that is.

:: shuffling papers ::

Here is a direct cut & paste from raw logs. They went on to ask for the front page, giving the previous %2B request as referer.

91.236.74.192 - - [13/Oct/2012:09:33:44 -0700] "GET /fun/AlonzoMelissa.html++++++++++++++++++++++++++++++++++++Result:+forum+not+found+/+could+not+find+IP HTTP/1.0" 301 671 "http://example.com/fun/AlonzoMelissa.html++++++++++++++++++++++++++++++++++++Result:+forum+not+found+/+could+not+find+IP" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.165 Safari/535.19 YI"
91.236.74.192 - - [13/Oct/2012:09:33:45 -0700] "GET /fun/AlonzoMelissa.html%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2Bforum%2Bnot%2Bfound%2B/%2Bcould%2Bnot%2Bfind%2BIP HTTP/1.0" 403 1389 "http://www.example.com/fun/AlonzoMelissa.html%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2Bforum%2Bnot%2Bfound%2B/%2Bcould%2Bnot%2Bfind%2BIP" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.165 Safari/535.19 YI"

Hm, didn't notice the redirect before. Missing www, as in the auto-referer. So they went back out into the Internet, which changed the previous + signs to %2B. 91.a.b.c is one of those godawful ranges that's all broken into 23s and 24s. This one's apparently a Polish robot.

"I consider any Firefox earlier than 14 to be a possible fake"

Camino insists on calling itself "like Firefox 3.6" for some arcane technical reason. But you can filter it out with careful punctuation:

Camino/2.1.2 (like Firefox/3.6.28)


Incidentally, all those plusses prevent Forums auto-linking from kicking in. I had to do some hasty 'example.com' re-edits :)

Ken_S




msg:4510318
 3:40 am on Oct 21, 2012 (gmt 0)

"I take it the rows of +++ are where you have obfuscated the original pagenames?"


Nah, only change was example.com - copied & pasted from my logs - all those ++++++ is the way it came

Ken

g1smd




msg:4510341
 8:13 am on Oct 21, 2012 (gmt 0)

I see several bots that probe around over a period of days then make that long request. You'd think they'd go away after having not found a forum to spam, but no, they come back again a few days or a week later...

Rosalind




msg:4510428
 4:40 pm on Oct 21, 2012 (gmt 0)

It reminds me of a log entry I got recently from a well-known brand of comment spam software. In fact, searching for some of the string with the pluses made into spaces confirms that's exactly what it is. Block.

Ken_S




msg:4512679
 4:25 pm on Oct 26, 2012 (gmt 0)

GET /?q=imce HTTP/1.1

Another first for me ..


Any understanding of this would, "hopefully" :-) expand my understanding.

176.9.192.xxx - - [26/Oct/2012:05:57:08 -0700] "GET /?q=imce HTTP/1.1" 403 3140 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1"

Ken

g1smd




msg:4512709
 5:13 pm on Oct 26, 2012 (gmt 0)

It's looking for the root index page of your site and feeding the parameter q=imce to it. Your site blocked the request.

Ken_S




msg:4512801
 8:07 pm on Oct 26, 2012 (gmt 0)

176.9.192.xxx

q=imce

Thanks g1smd ..

I've had that IP range blocked for a long time - have never seen that parameter before .. I'm assuming it could be called, fishing for a server response? Anyway that's the way I will view it until I find out different.

Ken

phranque




msg:4512885
 2:49 am on Oct 27, 2012 (gmt 0)

something to do with drupal and the IMCE image uploader?

IMCE integration assumes clean URLs to be enabled | drupal.org:
http://drupal.org/node/1027500 [drupal.org]

drupal6-imce:
http://github.com/k4ml/drupal6-imce [github.com]

Ken_S




msg:4512935
 10:40 am on Oct 27, 2012 (gmt 0)

Thanks phranque

"IMCE integration assumes clean URLs to be enabled | drupal.org:"


Since I don't run any CMS, I assume that basically it was what someone was checking for.

Ken
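
As an added example (not code from any poster in this thread), a small Python filter for the two request shapes discussed above: the long run of + or %2B carrying "Result:+forum+not+found", including the self-referer, and the ?q=imce probe. The sample lines are constructed on documentation IP ranges; the tag names and the run-length threshold of 10 are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Long run of literal '+' or the tool's status text; run length 10 is an assumed threshold.
SIGNATURE = re.compile(r'\+{10,}|Result:\+forum\+not\+found')

def classify(line):
    """Return the set of tags for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m['target'])
    referer = urlsplit(m['referer']) if m['referer'] != '-' else None
    tags = set()
    # unquote() turns %2B back into '+', so both encodings hit the same pattern.
    seen = [unquote(target.path)] + ([unquote(referer.path)] if referer else [])
    if any(SIGNATURE.search(s) for s in seen):
        tags.add('forum-spam-signature')
    # Referer pointing at the very URL being requested (host may differ by "www").
    if referer and unquote(referer.path) == unquote(target.path):
        tags.add('self-referer')
    # Request to any path carrying the single query parameter value q=imce.
    if parse_qs(target.query).get('q') == ['imce']:
        tags.add('q-imce-probe')
    return tags

# Constructed sample lines modelled on the thread (documentation IPs, shortened runs).
UA = 'Mozilla/5.0 (Windows NT 5.1; rv:10.0.3) Gecko/20100101 Firefox/10.0.3'
JUNK = '/' + '+' * 12 + 'Result:+forum+not+found+/+could+not+find+IP'
ENC = JUNK[1:].replace('+', '%2B')  # the same tail as it appears percent-encoded
SAMPLES = [
    f'192.0.2.10 - - [18/Oct/2012:06:54:55 -0700] "GET {JUNK} HTTP/1.0" 403 3159 "http://www.example.com{JUNK}" "{UA}"',
    f'192.0.2.10 - - [18/Oct/2012:06:54:56 -0700] "GET / HTTP/1.0" 403 3159 "http://www.example.com{JUNK}" "{UA}"',
    f'192.0.2.11 - - [13/Oct/2012:09:33:45 -0700] "GET /fun/page.html{ENC} HTTP/1.0" 403 1389 "-" "{UA}"',
    f'198.51.100.7 - - [26/Oct/2012:05:57:08 -0700] "GET /?q=imce HTTP/1.1" 403 3140 "-" "{UA}"',
    f'198.51.100.8 - - [26/Oct/2012:06:00:00 -0700] "GET /about.html HTTP/1.1" 200 5120 "http://www.example.com/" "{UA}"',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(sorted(classify(line)), line.split('"')[1][:60])
```

Decoding before matching is what lets one pattern catch both the raw + request and the %2B form that shows up after the redirect.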
