Msg#: 4617563 posted 1:57 am on Oct 18, 2013 (gmt 0)
This is a "just wondering..." question. The botnet involved has always been blocked; I only found it in logs while looking for something else. Looks like it's been visiting sporadically since August or so.
Pause for a moment of hilarity at the UA. It takes a very special kind of robot to think that masquerading as a Chinese search engine will increase its chances of getting in the door. (The IP is Softlayer, so this particular request would have been blocked at least two ways.)
The first set of three have been there all along; the second set seems to have been added last month, coincidentally after I started tracking. At least I hope it's coincidence ;) The filenames initially scared me out of my wits because-- pay close attention now-- /dir-one/dir-two/ in real life is a page that talks about an outside site, dir-two dot com. And, while I don't happen to have pages called /admin/categories.php, /admin/file_manager.php, or /admin/banner_manager.php, they are completely plausible filenames for dir-two dot com. Except for the .php extension, which I belatedly remembered the site doesn't use; it's all .jsp.
QUESTION: Does this set of three named files point to some particular CMS that conventionally uses these names? Just curious.
Msg#: 4617563 posted 3:09 am on Oct 19, 2013 (gmt 0)
There's a time and a place for Regular Expressions ;) And, for that matter, for mod_rewrite. I've currently got
:: shuffling papers ::
Deny from 184.108.40.206/18 220.127.116.11/19 18.104.22.168/15 22.214.171.124/14 126.96.36.199/15 174.139
:: detour to look up ::
I've got 174.143 flagged as Rackspace, so you could easily go 14. Or, ahem, 188.8.131.52/15. The 174.34. neighborhood has a human ISP tucked in between two server farms so I can't just go 128-blahblah/17. I track server farms but don't generally lock them out until they become offensive. I don't have anything scrapeworthy, so why put the server to the extra work.
This particular botnet is pre-blocked because anyone who asks for anything in php-- except a handful of named pages-- gets an automatic 403 rather than defaulting to 404. It's the principle of the thing.
:: glancing at incoming mail and doing a double-take as I notice that son's iPhone has me down as "Mom Lastname" ::
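The two rules described in the post above (a "Deny from" list of hosting-farm CIDRs, plus "anything in php except a handful of named pages gets a 403") are easy to replay over an access log to see which requests would have been refused and which filenames a scanner keeps probing. The script below is an added example written for this thread, not the poster's .htaccess or any forum member's code. The CIDR ranges, the allow-list of named .php pages, and the log lines are all constructed here (RFC 5737 documentation addresses stand in for the anonymized ranges on the page); swap in your own values.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for the post's "Deny from" ranges (assumption: not the
# poster's real list; the CIDRs quoted on the page are anonymized anyway).
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # TEST-NET-1, playing the role of one server farm
    "198.51.100.0/24",   # TEST-NET-2, playing the role of another
)]

# The "handful of named pages" that may legitimately be requested as .php
# (assumption: hypothetical names chosen for the example).
ALLOWED_PHP = {"/contact.php", "/search.php"}

# Apache combined log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]   # drop any query string
    return entry


def is_denied_ip(ip):
    """True if the client address falls inside any denied CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENIED_NETWORKS)


def php_rule(path):
    """True if the path would hit the blanket 'anything in php' 403."""
    return path.lower().endswith(".php") and path not in ALLOWED_PHP


def classify(entry):
    """Return the list of reasons a request would be refused (empty = pass)."""
    reasons = []
    if is_denied_ip(entry["ip"]):
        reasons.append("denied-network")
    if php_rule(entry["path"]):
        reasons.append("php-probe")
    return reasons


def triage(lines):
    """Yield (ip, path, verdict, reasons) for every parseable log line."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        results.append((entry["ip"], entry["path"], "403" if reasons else "pass", reasons))
    return results


def probed_paths(lines):
    """Count the .php paths scanners ask for, to spot a recurring filename set."""
    counts = Counter()
    for _ip, path, _verdict, reasons in triage(lines):
        if "php-probe" in reasons:
            counts[path] += 1
    return counts


# Constructed sample log lines (not real traffic); paths echo the thread's example.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/2013:01:57:00 +0000] "GET /dir-one/dir-two/admin/categories.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; ExampleSpider/1.0)"',
    '203.0.113.5 - - [18/Oct/2013:01:58:00 +0000] "GET /dir-one/dir-two/admin/file_manager.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; ExampleSpider/1.0)"',
    '203.0.113.5 - - [18/Oct/2013:01:59:00 +0000] "GET /contact.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2013:02:00:00 +0000] "GET /dir-one/dir-two/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [18/Oct/2013:02:01:00 +0000] "GET /index.html HTTP/1.1" 403 199 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for ip, path, verdict, reasons in triage(SAMPLE_LOG):
        print(f"{ip:<14} {verdict:<4} {path}  {','.join(reasons)}")
    print(probed_paths(SAMPLE_LOG))
```

Running it prints one verdict per line and then a count of the probed .php filenames; feeding it a real log (one line per list element) shows whether the same three admin filenames recur across many source networks, which is the pattern that distinguishes a scanner walking a fixed wordlist from a visitor who mistyped a URL.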