homepage Welcome to WebmasterWorld Guest from 54.226.180.223
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Possible bot
Readie




msg:4587763
 9:15 am on Jun 26, 2013 (gmt 0)

Hey guys,

Got a user agent popping up in my access logs 21,863 times within a 3 week period - noticed it due to the S.N.O.W.4 suffix:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 3.5.30729; MS-RTC LM 8; .NET4.0E; S.N.O.W.4; S.N.O.W.4)

All requests originate from the same IP address: 95.172.68.155

Behaviour pattern makes me suspect it's a bot. If it is a bot, it's a pretty rude one. Ignoring robots.txt and doing things like this (Referer and UA grepped out):

95.172.68.155 - - [23/Jun/2013:02:55:25 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:55:52 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:47 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:57 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:08 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:19 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:26 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:58:02 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:58:16 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"

Anyone got any more information on this one?

 

wilderness




msg:4587881
 3:56 pm on Jun 26, 2013 (gmt 0)

Nothing from me on the UA, however the IP and the backbone range are server farms.

dstiles




msg:4587930
 7:18 pm on Jun 26, 2013 (gmt 0)

95.172.68.0 - 95.172.71.255
95.172.68.0/22
Internap - block as server farm.
I have 18 ranges for internap, all blocked.

Specifically, 95.172.68.155 has dozens of open ports. If it's not really a server it certainly looks like a bot or even a compromised machine.

Readie




msg:4587980
 9:50 pm on Jun 26, 2013 (gmt 0)

Cheers for the info guys. Blocked now :)

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved