I used the newest htaccess directives (msg 54) for several hours earlier today and then poured through the day's logs. There was one legitimate-seeming hit that was blocked. The user-agent was "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)", of course. The http version was 1.0, instead of 1.1. Presumably, the accept-encoding value was blank. (Or is accept-encoding even an option in HTTP/1.0?)

Digging through my July logs, I've found about 10% of my "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" traffic using HTTP/1.0.

I'm arriving at the conclusion that there are too many variables to reliably identify this thing without potentially locking out a real user.

I'm not convinced that the HTTP/1.0 hits are 'real', I have seen a lot of those too, and they never ask for images, etc either.

Scott

I think the Accept-Encoding might be an HTTP/1.1 option and that's why it's blank in version 1.0. If you think that the requests made with the HTTP/1.0 are really legitimate users, then you can add a test for protocol:

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0\ \(compatible\;\ MSIE\ 5\.5\;\ Windows\ 98\)$ 
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.1$ 
RewriteCond %{HTTP:Accept-Encoding} ^[\ ]*$ 
RewriteRule .* - [F] 

Now it says, if UA="IE5.5, win98" and HTTP="1.1" and accept-encoding="blank/whitespace" THEN ban them.

This will not ban the requests using HTTP 1.0, only HTTP 1.1 - so if you think that the 1.0 requests are also bad, user the other version in stead.

/claus

---

Added:
Still, nobody has seen it do anything but get the index from a lot of different IPs?

I'm still curious about what it is, i'm really not all that sure it's one of the well-known viruses/worms that have been mentioned. I could be wrong though.

My best theory? I believe this is some kind of worm, or virus, that is trolling for Open Proxies to use. And that perhaps a previous occupant of my IP Address had a proxy server running, or something.

I do not know... All I know is that in this case I opted to cop out, and change IPs. That made it go away... :)

I'll have to echo the comment made above. I'm on a DSL link (which makes for an awful slow website, yes), and poking through my logs last night I noticed these hits coming in. Looking back they started on Sept. 2 about 9pm. After digging up this thread, I saw the comment above, and connected the fact that I had rebooted my server machine not 20 minutes before the first hit from the... whatever it is. So before bed last night, I dropped my DSL link and brought it back up, and this morning, sure enough, not one more hit.

I don't think this is any type of true random virus doing this. There's a list somewhere that it's feeding off of. Either that or it was programmed really awfully and is only hitting certain subnets, perhaps? Either way, I'm not sure what it's looking for by just GETting the index page.

My IP when I was getting hits was in the 66.72.xx.yy range, and today, it's in 68.22.xx.yy (masked because I don't llike posting my direct IPs).

Any thoughts?

Either that or it was programmed really awfully and is only hitting certain subnets, perhaps?

Hmmmm... Not subnets. My old IP, which was getting dinged, was 64.246.62.16 before I had it changed. My new IP is in the same subnet, and its not getting the traffic. So it does not seem to be that.

I'd be more inclined to agree that it is working off a fixed list of IPs, for some unknown reason...

status update - my level of hits from this thing has dropped back to less than 30 a day. I've done nothing other than watch this... My IP has not changed and I've not implemented any slow-down or banning of this "worm" for want of a better term.

I guess whatever it was that was probing me has slowed down....

Hi there,

That thing causes me to find that lovely place and register to post.. :)

I've read all thread and same thing happens to me.

It's started around 08/18 and continues. I have around 16,000 accesses at one of the sites since from the beggining.

Here is some personal info that might help..

I've around 14 domains which all has uniqe ip in sequence. Only 3 of those sites got that entries.

all ips are in 64.x.x.x range and last digits of those 3 are 227,228,233

I hope those information might give an idea to someone..

Just to followup, I had my hosting provider assign a new IP address to my web site - it's just slightly different than what I had - same subnet and everything -- and it appears that the rash of bogus visits is gone.

I still believe the hits are coming from computers infected with the Welchia virus. Based on my reading, that virus uses both a "count-up" range of IP addresse (i.e, scanning through every possible address with the same first two numbers) *and* a set of hard-coded address ranges when its looking for new victims to infect. The hit on port 80 is intended to identify a machine running IIS.

The downtime was almost nothing in effecting the change - they had to restart my virtual web service, and it took maybe 30 minutes for the IP change to propagate around the net via DNS.

So at least I've resolved the issue for myself; maybe others can try this method?

Just to keep track of related posts: Possible evidence about "what & who" in this thread: Cloaking Device Made for Spammers [webmasterworld.com]

/claus

Trojan Spam Proxies... Makes sense to me! {insert all imaginable offensive explatives here...}

Thanx for the follow-up, Claus!

-Bob

I think I'm noticing the bogus visits decining, anyone else notice that?

dodger -

Nope. You're lucky, I guess. My 'bogus' hits have stayed consistently at the same level, 325-440 a day, since the outset. At least, for the last month or so - I grepped out the bogus hits from my older logs and regenerated my reports, so I forget what I used to get exactly. But in the last month, it's been steady.

Scott

I'm moving to a new server tomorrow so that should shake them off.

Recently changed IP and nameservers and I'm still getting the bogus traffic. It has to be hitting the VH name if the IP was changed. Followed my changes with no break in the monotony.

I think mine has gone away ro a great degree since the move - time will tell.