
What Is This?

And Why is This Hitting my Site?

blend27

2:28 am on Aug 24, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Something strange going on here... I've been watching this activity since the 15th of this month.

These are examples of what is going on.

2008-08-23 00:31:12 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.myservername.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+Media+Center+PC+4.0;+.NET+CLR+2.0.50727) - -
2008-08-23 00:31:16 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+Media+Center+PC+4.0;+.NET+CLR+2.0.50727) - -
2008-08-23 00:31:21 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+Media+Center+PC+4.0;+.NET+CLR+2.0.50727) - -
2008-08-23 00:31:21 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+Media+Center+PC+4.0;+.NET+CLR+2.0.50727) - -
2008-08-23 00:31:49 81.165.0.xyz xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
2008-08-23 00:31:49 81.165.0.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
2008-08-23 00:31:51 81.165.0.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
2008-08-23 00:31:51 81.165.0.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
2008-08-23 00:33:23 203.218.1.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com ~/mypage.html 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - -
2008-08-23 00:33:23 203.218.1.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com ~/mypage.html 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - -

I got over 600 requests at this time. IP addresses are from all over the world, with UAs changing with IP.

Notice that "http:/www.google.com" is the page that is being requested, which would be described as request_uri. It is invalid.
In several instances "~" would be prepended to the query string, and the query_string itself would be the valid page on mysite, like here:

2008-08-23 00:33:23 203.218.1.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com ~/mypage.html 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - -

Has anybody seen this recently?

These are the HEADERS THAT ARE SENT WITH EACH REQUEST:


Accept: */*
Accept-Encoding gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Cookie: CFID=38664206; CFTOKEN=14371437
Host www.mysite.tld
UA-CPU: x86
URLSCAN-ORIGINAL-URL: /mypage.html
URLSCAN-ORIGINAL-VERB: GET
URLSCAN-STATUS-HEADER: Disallowed-query-string-sequence-detected
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

blend27

2:47 pm on Aug 24, 2008 (gmt 0)



So this is what gave it away: URLSCAN-ORIGINAL-URL.
It appears that there is a utility called URLScan on IIS that prevents SQL injection attacks. Nice little tool. The time frame since this started kind of falls into the time frame of the massive SQL injection attacks worldwide. So I will leave it at that.
These would be the headers generated when the utility scans and detects a URL with bad code in it:

URLSCAN-ORIGINAL-URL: /mypage.html
URLSCAN-ORIGINAL-VERB: GET
URLSCAN-STATUS-HEADER: Disallowed-query-string-sequence-detected

Here is the CF snippet to stop it at the application level:

<cfif StructKeyExists(GetHttpRequestData().headers, "URLSCAN-ORIGINAL-URL")>
    <!--- URLScan has already rejected this request; deny it at the application level --->
    <cfheader statuscode="403" statustext="Access Denied">
    <!--- log request and IP --->
    <cflog file="urlscan_blocks" type="warning" text="Blocked #CGI.REMOTE_ADDR# #CGI.REQUEST_METHOD# #CGI.SCRIPT_NAME# original=#GetHttpRequestData().headers['URLSCAN-ORIGINAL-URL']#">
    <cfabort>
</cfif>

Most of the requests from IPs detected come from CN, HK and RU, as well as some dynamic ranges from US. Seems like a botnet to me at this point, quite a big one. I did some searches on the IPs in G at the beginning and came up with zilch, but running the same queries again today returns some interesting data from the log files from all over the web.

Now if I could just get this persistent scraper from 65.94.164.XYZ (Bell Nexxia, CA) to understand the meaning of 403, I'd be on my merry way to the Sunday BBQ!... :)

blend27
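As an added example, not code from the thread or from blend27, here is a short Python script that applies the two checks described in both posts to IIS W3C log lines and to request headers. It parses log lines in the field order quoted above, flags requests whose URI stem is itself an absolute URL (the "http:/www.google.com" pattern) or whose query string starts with "~/", summarises the hits per client IP and user agent, and, mirroring the CF snippet, detects the URLSCAN-* headers that URLScan leaves on a request it has already rejected. The log lines and header set embedded below are constructed from the ones quoted in the thread, with masked addresses; the field list, the function names and the deliberately malformed third log line (missing the cs-username field, as one line in the first post does) are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed field order of the IIS W3C log lines quoted in the thread (14 fields).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "cs_method", "cs_uri_stem",
          "cs_uri_query", "sc_status", "cs_version", "cs_host", "user_agent",
          "referer", "cookie"]

# Constructed sample log: lines 1, 2 and 4 show the pattern from the thread, line 3
# deliberately drops the cs-username field, line 5 is an ordinary page request.
SAMPLE_LOG = """\
2008-08-23 00:31:12 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - -
2008-08-23 00:31:16 76.110.181.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - -
2008-08-23 00:31:49 81.165.0.xyz xyz.xyz.xyz.xyz GET http:/www.google.com - 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+7.0) - -
2008-08-23 00:33:23 203.218.1.xyz - xyz.xyz.xyz.xyz GET http:/www.google.com ~/mypage.html 404 HTTP/1.1 www.mysite.tld Mozilla/4.0+(compatible;+MSIE+6.0;+SV1) - -
2008-08-23 00:35:02 192.0.2.10 - xyz.xyz.xyz.xyz GET /index.html - 200 HTTP/1.1 www.mysite.tld Mozilla/5.0+(Windows+NT+5.1) - -
"""

# Constructed header set, taken from the one quoted in the first post.
SAMPLE_HEADERS = {
    "Accept": "*/*",
    "Host": "www.mysite.tld",
    "URLSCAN-ORIGINAL-URL": "/mypage.html",
    "URLSCAN-ORIGINAL-VERB": "GET",
    "URLSCAN-STATUS-HEADER": "Disallowed-query-string-sequence-detected",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)",
}


@dataclass
class Request:
    c_ip: str
    cs_method: str
    cs_uri_stem: str
    cs_uri_query: str
    sc_status: int
    cs_host: str
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one W3C log line; return None when the field count does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return Request(c_ip=rec["c_ip"], cs_method=rec["cs_method"],
                   cs_uri_stem=rec["cs_uri_stem"], cs_uri_query=rec["cs_uri_query"],
                   sc_status=int(rec["sc_status"]), cs_host=rec["cs_host"],
                   user_agent=rec["user_agent"].replace("+", " "))


# A URI stem that is an absolute URL, or a query string starting with "~/", does not
# come from a normal browser request for a page on the site.
ABSOLUTE_STEM = re.compile(r"^https?:/", re.IGNORECASE)


def is_suspicious(req: Request) -> bool:
    return bool(ABSOLUTE_STEM.match(req.cs_uri_stem)) or req.cs_uri_query.startswith("~/")


def analyse(log_text: str) -> Dict[str, object]:
    """Flag suspicious requests and summarise them per client IP and user agent."""
    suspicious: List[Request] = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and W3C directives
            continue
        req = parse_line(line)
        if req is None:
            malformed += 1  # count rather than crash on a line with the wrong field count
            continue
        if is_suspicious(req):
            suspicious.append(req)
    return {
        "suspicious": len(suspicious),
        "malformed": malformed,
        "by_ip": Counter(r.c_ip for r in suspicious),
        "distinct_user_agents": len({r.user_agent for r in suspicious}),
        # the page the request was really aimed at, carried after the "~"
        "targeted_pages": sorted({r.cs_uri_query[1:] for r in suspicious
                                  if r.cs_uri_query.startswith("~/")}),
    }


def urlscan_rejection(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Application-level check equivalent to the CF snippet: URLScan leaves these headers
    on a request it has already rejected. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "urlscan-original-url" not in lowered:
        return None
    return {"original_url": lowered["urlscan-original-url"],
            "verb": lowered.get("urlscan-original-verb", ""),
            "status": lowered.get("urlscan-status-header", "")}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("urlscan:", urlscan_rejection(SAMPLE_HEADERS))
```

Run against a real log, the per-IP counter and the distinct user-agent count give the two signals blend27 used to call it a botnet (many source addresses, UA changing with IP), and the "targeted_pages" set shows which real pages on the site the "~/..." query strings were aimed at.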