I'm in REAL trouble!

scary UA entries in logs


bluesmandeluxe

8:10 pm on Oct 10, 2006 (gmt 0)




First, hi. I've been googling like a madman for 2 weeks once I realized that my server is a breached levee and I'm FEMA.

The only results that came close to helping me get a handle on my VPS security issues were posts from webmaster world ... so I had to register.

Anyway, I've been handed the webmaster title even though I am basically just a hybrid coder/designer site administrator. I am in the process of STARTING to secure our server, but the damage (lack of security) has been ongoing for years. Aside from the usual suspects, email harvesting, form redirecting, etc, I am now seeing scary UA entries like the following:

1 0.00% ntiche6lnrcsb6llvpqyhgqbttmpes
1 0.00% ojcsIithvlrffeqdcsjdbgqrkjftdpmcvqvsdlv
1 0.00% page_verifier (http://www.securecomputing.com/goto/pv)
1 0.00% pmbfbqptucdxqduuouo hawtnfr
1 0.00% qjoqle Dj mypplfbhsm2ujjjm
1 0.00% r0ixjln icfje fcybxosiudxjbomk
1 0.00% rwulqasyjjkRvuthoqjfvskpnnvunwyk
1 0.00% simbjwt syftnqae9b dsta
1 0.00% sldksk k7afj7 anvwl
1 0.00% sremhykqIa4xahnjlxuhp
1 0.00% tLqhrq mxydLgctqemfp
1 0.00% tsscnkd kbrce vrpelbkmtiy
1 0.00% woh imwf utmxkkhjU0vonkycajakxyihvwxs

What UA would be listed like this? Obviously it is either an encryption.

Anyone have any idea? I certainly didn't know how to google this!

Thanks,

Dave

gregbo

10:48 pm on Oct 10, 2006 (gmt 0)




If it's sucking up your bandwidth, or you think it is some attempt to compromise the server, ban the IPs that generate it.

SteveWh

12:14 am on Oct 11, 2006 (gmt 0)




I see what you mean about the "scariness" of their names, but what pages are they getting, and what are they doing while on your site? The only thing that can really be scary is what they do, as opposed to what they're called.

If you're on an Apache server, you'd use .htaccess to ban the IPs.

jdMorgan

1:48 am on Oct 11, 2006 (gmt 0)




It's just a junky random-User-agent generator, in and of itself, nothing to worry about.

However, as posed by the previous posters, the question is, "What are they doing with the pages they're scraping?"

They could be trying to harvest e-mail addresses, or steal your content for use on their own sites, or to "summarize" them for use on MFA (Made-For-Adsense) pages.

Actually, these user-agents are relatively easy to block without resorting to IP-based access controls, it just takes a little observation of the actual patterns they use.

Jim

bluesmandeluxe

9:39 pm on Oct 12, 2006 (gmt 0)




It just looked to me like some form of encryption. I don't see them accessing any specific file, but was worried that it could be a command to run a hidden shell or something.

I mean ... I'm REALLY green with this. I am taking steps to secure the OS and Apache, but I'm still trying to get a firm handle on my logs.

bluesmandeluxe

8:30 pm on Oct 16, 2006 (gmt 0)




I KNEW IT!

I gzipped and opened a day's worth of last month's log files in excel. I have NOT been able to get my webalizer to show me the "get" info. So I prefer just to look at the raw data myself.

This really weirded me out. I had this ip connect for every 15 minutes starting with the below at 3:15 A.M.:

>>124.8.25.61 [18/Sep/2006:03:16:02-0400] "CONNECT 61.63.28.161:25 HTTP/1.0" 405 231 "-" "-"<<

I did a reverse ip and found this ip - then googled the owner >>kbtelecom.net<< and found a whole webload of abuse. Then looked at the ip range in the ECT and discovered it was them again NET-NAME >>twnic.net<< and email was now twnic.net.

Once again, massive amount of network intrusion posts online.

I'm pretty sure these are the form stealers that initially tipped me off that our server was under attack and made me start to take my bestowed "webmaster" title seriously.

After nearly a month, it took just looking at my raw log file to see where ips are going in my site. It must be the way my webalizer was originally set up; I couldn't see what the user-agents were accessing. And the html that it writes cuts the display table off in mid display.

Okay. NOW what to do. I'm sure these guys found an easy way to connect to my site via my forms and will find a way around my banning their ip (if they have access).
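The two log findings in this thread (the random letter-soup user-agents jdMorgan describes, and the repeated CONNECT-to-port-25 line above) can both be pulled out of a raw Apache access log with a short script, which is usually faster than fighting Webalizer. The following is an added example, not code from any poster or from Webalizer. It assumes Apache's "combined" log format; the log lines are constructed for illustration (documentation-range IPs, with a couple of the user-agent strings quoted in the first post), and the junk-UA heuristic is an assumption drawn from the observed pattern: real user-agents almost always carry a product/version token such as `Mozilla/5.0` or a parenthesised platform string, while the random ones are bare alphanumeric runs. A `CONNECT host:25` request is an attempt to use the web server as an open proxy to reach a mail port; Apache answering 405 (Method Not Allowed) means the proxy request was refused.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the thread's server).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2006:03:16:02 -0400] "CONNECT 198.51.100.7:25 HTTP/1.0" 405 231 "-" "-"
192.0.2.10 - - [18/Sep/2006:03:31:02 -0400] "CONNECT 198.51.100.7:25 HTTP/1.0" 405 231 "-" "-"
192.0.2.20 - - [18/Sep/2006:03:17:44 -0400] "GET /contact.html HTTP/1.1" 200 4122 "-" "ntiche6lnrcsb6llvpqyhgqbttmpes"
192.0.2.20 - - [18/Sep/2006:03:17:45 -0400] "GET /about.html HTTP/1.1" 200 2210 "-" "sldksk k7afj7 anvwl"
192.0.2.30 - - [18/Sep/2006:03:18:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20060601 Firefox/1.5"
192.0.2.40 - - [18/Sep/2006:03:19:10 -0400] "GET /robots.txt HTTP/1.1" 200 68 "-" "page_verifier (http://www.securecomputing.com/goto/pv)"
"""

# One regex for the combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_junk_ua(ua):
    """Heuristic (assumption): a bare run of letters/digits/spaces with no product
    token, URL, or platform string is the random-UA-generator pattern from the thread."""
    if ua in ("", "-"):
        return False  # an empty UA is common and is a separate question
    if any(ch in ua for ch in "/(.:;+"):
        return False  # has a version, URL, or parenthesised platform part
    return re.fullmatch(r"[A-Za-z0-9 ]{8,}", ua) is not None


def classify(entry):
    """Flags worth a second look for one parsed entry."""
    flags = []
    if entry["method"] == "CONNECT":
        flags.append("proxy-probe")  # CONNECT host:port = open-proxy / mail-relay test
    if looks_like_junk_ua(entry["ua"]):
        flags.append("junk-ua")
    return flags


def scan_log(text):
    """Per-IP summary: hit count, flags, which paths were requested, which statuses came back."""
    report = defaultdict(lambda: {"hits": 0, "flags": set(), "targets": set(), "statuses": set()})
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        r = report[entry["ip"]]
        r["hits"] += 1
        r["targets"].add(entry["target"])
        r["statuses"].add(int(entry["status"]))
        r["flags"].update(classify(entry))
    return dict(report)


def deny_rules(report):
    """Apache 2.2 mod_access lines (for .htaccess) for every IP that raised a flag."""
    return [f"Deny from {ip}" for ip in sorted(report) if report[ip]["flags"]]


if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    for ip, r in sorted(summary.items()):
        print(ip, r["hits"], sorted(r["flags"]), sorted(r["targets"]), sorted(r["statuses"]))
    print("\n".join(deny_rules(summary)))
```

Run it against a real file with `scan_log(open("access_log").read())`. The `targets` set answers the question the other posters raised, what the requests are actually fetching, and the `statuses` set shows whether the attempts succeeded (2xx) or were refused (405, 403). The generated `Deny from` lines are the Apache 2.2 form of the .htaccess ban SteveWh mentions; a single IP in the list is rarely the whole story, so it is worth reviewing the report before pasting the rules in.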

SteveWh

11:54 am on Oct 17, 2006 (gmt 0)




Are you saying that they are modifying files *on your server* from their location? If so, you are right to be concerned; that is very serious.

Use cpanel (or whatever you use) to look at the raw files on your server and compare them to your local copy of the file.

However, if I am reading your log line correctly (it is a different format from what I'm used to), the result code was 405 - Method Not Allowed. I don't know what the CONNECT method is (GET is most common; POST for a form page), but whatever they tried to do, they failed in this case.

[edited by: SteveWh at 11:59 am (utc) on Oct. 17, 2006]

bluesmandeluxe

9:52 pm on Oct 17, 2006 (gmt 0)




While spelunking through my server root level files and checking the users group last month I found a user called "beta-mirror" with document root level access to all of my folders.

It wasn't a user I knew and it had a password that I didn't create. I deleted the user. I don't know if that is what caused the error or if the error is actually false (to cover their footprints).

This is not the form intrusion ... that was done a few months ago. I know the form intrusion was so they could initially upload their malicious script. Even though I had regex validation scripts prohibiting the use of script tags in my forms, they were able to enter the script anyway using hex that coded the lesser than greater than tags as unrecognizable to the validation script.

In essence what they have successfully done is to create a pharming system on my own server!

They DNS spoofed my site and are able to send email using my dns that links back to them. They literally have my whole site. I think I have no alternative but to have my server os, apache and everything reinstalled from scratch and implement strict groups control.

The nightmare of this is daunting. My site itself is a few gig of files that would have to be reloaded. All of my database instruction, crontabs, everything completely rebuilt.

This is so beyond me that I now have to tell our CEO that we need to hire a web security firm to not only stop the current damage, but set up the security strategy for the entire server security from the OS down to the perl and php, mysql, 3rd party data loading connection permissions, web pages and forms.

This is what everyone who has anything to do with web administration fears.

I suppose the first thing I will do now is to try to restrict the ip and ranges. I don't know how much it helps because I don't know a good script to even protect my forms - though I will scour phpfreaks for one. Anyone here with advice on this would be appreciated.
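The form validation failure described a few posts up (a regex looking for literal script tags, defeated by hex-encoded angle brackets) is the standard reason blacklist regexes on raw input don't hold. The example below is added here and is not code from any poster; it assumes a PHP-era form handler rewritten in Python purely to show the principle. It contrasts the naive check with two defensive changes: decode the input to its canonical form before validating it, and, more importantly, escape it on output so that any markup that does get stored is inert when rendered. The test strings are constructed.

```python
import html
import re
from urllib.parse import unquote

# The 2006-style blacklist: reject anything with a literal <script ...> tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def naive_reject(value):
    """Checks the raw bytes only; any encoding of '<' slips straight past."""
    return bool(SCRIPT_TAG.search(value))


def normalize(value, rounds=3):
    """Canonicalise before validating: undo URL escaping (%3C) and HTML entities
    (&#x3C;, &lt;) repeatedly until the string stops changing, so double encoding
    does not help either. `rounds` bounds the work on adversarial input."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def hardened_reject(value):
    """Same blacklist, but applied to the canonical form of the input."""
    return naive_reject(normalize(value))


def render_safely(value):
    """Output encoding: the defense that works regardless of what was stored.
    Angle brackets, quotes and ampersands become entities, so the browser shows
    the text instead of executing it."""
    return html.escape(value, quote=True)


def handle_submission(value):
    """Combined policy for a form field: canonicalise, reject obvious script
    markup, and return the escaped form that is safe to echo into a page."""
    canonical = normalize(value)
    if naive_reject(canonical):
        return None  # rejected; the caller shows a validation error
    return render_safely(canonical)


if __name__ == "__main__":
    # Constructed inputs: the literal tag, and the same tag hidden behind encodings.
    samples = [
        "<script>alert(1)</script>",
        "%3Cscript%3Ealert(1)%3C/script%3E",
        "&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",
        "%253Cscript%253E",
        "Tom & Jerry <3",
    ]
    for s in samples:
        print(f"{s!r:50} naive={naive_reject(s)!s:5} hardened={hardened_reject(s)!s:5} "
              f"render={render_safely(normalize(s))!r}")
```

The blacklist is kept only to make the comparison visible; the line that actually protects the site is `render_safely`, because it does not depend on guessing every encoding an attacker might use. Note that the `handle_submission` return value is what should be written into HTML; the raw submission, if it must be stored at all, should be stored separately and never echoed unescaped.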