
Automated spam - difficult to stop

8:39 am on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


(I have placed this post in this section as I will be using htaccess to (hopefully) block the users in question but if this needs to be moved, I understand).


One of my sites has received at least a dozen automated 'visits' in the last 5 days from various IPs using various UAs (e.g. Moz/4 & Moz/5), all of which follow a very similar pattern.

These visits are primarily to my CopperMine image gallery but also my main site index, guestbook, a few legitimate pages (no images, js or css) and also an unlisted 'trap' directory forbidden in robots (approx. 40-50 hits in total each time).

On appearance one could be forgiven for thinking they're genuine hits but they only take place over a 4 or 5 second period and what makes these visits stand out is the fact that the URLs they are requesting are almost all existing URLs but appended by (presumably spam) URLs/domains, seemingly pointlessly.

Maybe they could be trying to find a CopperMine vulnerability/exploit (although my software is up to date) or perhaps it's simply a bad attempt at referrer spam (programmed incorrectly in the software they use)? There are also no POST attempts.

I'm concerned about bandwidth usage. These visits have all been in the last 48 hours so at this rate, and especially if the visits increase, the bandwidth used could become very noticeable but I'd also like to know if anyone recognises the pattern or has any insight as to what their intentions are.

I have included an extract from my logs. If anyone could possibly decipher what it is they're attempting to do, I'd appreciate your comments.

I have already added a htaccess block on the domain names used as a lot have been repeated over the various visits but I cannot see any other patterns to block.
(domain-specific URLs changed, IP obfuscated and TLDs changed to FU)

Thank you in advance.

Other IPs with the same pattern of visits:
203.185.96.* - Thailand
211.115.125.* - Korea
128.173.97.* - USA
211.236.241.* - Korea

69.10.135.* - - [12/Mar/2012:04:06:40] "GET / HTTP/1.0" 200 16931 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:41] "GET /coppermine/thumbnails.php?album=http%3A%2F%2Farticles.weddings.FU%2Flib%2Fkat%2Flekalu%2F HTTP/1.0" 200 17437 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:43] "GET page1.php HTTP/1.0" 200 14029 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:44] "GET page2.php HTTP/1.0" 200 13966 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:45] "GET /coppermine/thumbnails.php?album=48 HTTP/1.0" 200 29642 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:47] "GET /coppermine/displayimage.php?album=48&pid=http%3A%2F%2Fmokhber.FU%2Fforum%2Flang%2Figawa%2Fmaj%2F HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:47] "GET /coppermine/login.php?referer=http%3A%2F%2Fwww.horsedrawncaravans.FU%2F_de%2Fimu%2Fmovidi%2F HTTP/1.0" 302 14877 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:49] "GET /coppermine/thumbnails.php?album=lastup&cat=http%3A%2F%2Fwww.mv-denzlingen.FU%2Fgbk%2Fimages%2Fsmilies%2Fabi%2Fumi%2F HTTP/1.0" 200 37174 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:50] "GET /coppermine/index.php?cat=http%3A%2F%2Fwww.deadlament.FU%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%2Fero%2Frew%2F HTTP/1.0" 200 34641 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:52] "GET /trap/index.php HTTP/1.0" 200 507 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:52] "GET /guestbook/ HTTP/1.0" 200 30722 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:54] "GET /guestbook/comment.php?gb_id=http%3A%2F%2Farticles.weddings.FU%2Flib%2Fkat%2Flekalu%2F HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:55] "GET /guestbook?entry=http%3A%2F%2Ftest.mev-cs.FU%2Fstefan%2F_cms%2Fuploader%2Ffiles%2Foqef%2Fmefeye%2F HTTP/1.0" 301 332 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:55] "GET HTTP/1.0" 403 1505 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:56] "GET page3.php HTTP/1.0" 200 12988 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:57] "GET /coppermine/thumbnails.php?album=14 HTTP/1.0" 200 30358 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:58] "GET /coppermine HTTP/1.0" 301 244 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:59] "GET trap/index.php HTTP/1.0" 404 802 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:06:59] "GET /coppermine/displayimage.php?album=48&pid=480 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:00] "GET /coppermine/login.php?referer=thumbnails.php%3Falbum%3D48 HTTP/1.0" 302 14913 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:01] "GET /coppermine/login.php?reload_once&referer=http%3A%2F%2Fhrtssupport.absi-net.FU%2F_private%2Ffeqa%2Fiha%2F&message_id=ad18e58f12107d8d920504a5072d9756&message_icon=info HTTP/1.0" 200 16762 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:02] "GET /coppermine/login.php?reload_once&referer=thumbnails.php%3Falbum%3D48&message_id=http%3A%2F%2Fwww.property-options.FU%2Finfocasa%2FTemplate%2Fcache%2Ffuq%2Fpifu%2F&message_icon=info HTTP/1.0" 200 16780 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:04] "GET /coppermine/login.php?reload_once&referer=thumbnails.php%3Falbum%3D48&message_id=ad18e58f12107d8d920504a5072d9756&message_icon=http%3A%2F%2Fwww.gamepat.FU%2Fcoppermine%2Fcoppermine2%2Fg2data%2Fejilumo%2Fide%2F HTTP/1.0" 200 16780 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:05] "GET /guestbook/comment.php?gb_id=9636 HTTP/1.0" 301 248 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:05] "GET /guestbook/comment.php?gb_id=9628 HTTP/1.0" 301 248 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:06] "GET /coppermine/displayimage.php?album=14&pid=225 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:06] "GET /coppermine/thumbnails.php?album=toprated&cat=-14 HTTP/1.0" 200 41095 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:08] "GET /coppermine/thumbnails.php?album=toprated&cat=0&page=http%3A%2F%2Fhrtssupport.absi-net.FU%2F_private%2Ffeqa%2Fiha%2F HTTP/1.0" 200 41187 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:09] "GET /coppermine/login.php HTTP/1.0" 302 14841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:10] "GET /coppermine/login.php?reload_once&message_id=http%3A%2F%2Fwww.gamepat.FU%2Fcoppermine%2Fcoppermine2%2Fg2data%2Fejilumo%2Fide%2F&message_icon=info HTTP/1.0" 200 16753 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:12] "GET /coppermine/index.php?cat=0 HTTP/1.0" 200 34518 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:13] "GET /coppermine/displayimage.php?album=toprated&cat=0&pid=928 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
69.10.135.* - - [12/Mar/2012:04:07:14] "GET /coppermine/login.php?reload_once&message_id=168a7a3c2e0fdfe64bd38d8d174cbe76&message_icon=info HTTP/1.0" 200 16753 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
4:11 pm on Mar 16, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 1, 2006
posts: 66
votes: 0


I'd focus on the ones with the parameterized queries. I notice that nowhere is there an HTTP_REFERER, they're all "-". Would you normally expect a gallery or guestbook request to specify a referrer? Maybe your own domain, for example?
4:23 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Very good point. So a RewriteCond checking for the existence of my domain as the referrer.

Something similar to the following?

# Only apply to gallery and guestbook requests
RewriteCond %{THE_REQUEST} /(coppermine|guestbook) [NC]
# HTTP_REFERER is a full URL, so the pattern has to allow for the scheme and an optional www.
# (a bare ^mydomain\.fu would never match and would block every request)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.fu [NC]
RewriteRule . - [F]


Although what if the gallery for example has been bookmarked and is requested directly without a referrer?
4:50 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Just realised that blocking (album|pid|referer|cat|msg_id|message_id|entry|message_icon|page|uid)=http

should stop the majority of them, for now anyway.

[edited by: Seedy at 5:03 pm (utc) on Mar 16, 2012]

4:59 pm on Mar 16, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 1, 2006
posts: 66
votes: 0


what if the gallery for example has been bookmarked


Or a page refresh?

In an ideal world, I'd give you that. But you could redirect to a gallery landing page, stripping the query string on the fly.

Sometimes you need to decide whether you want to keep picking up the soap.
5:01 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Yes fair point. I'm going to add a blocking rule for now and see how it goes.
Thanks for your help
5:20 pm on Mar 16, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 1, 2006
posts: 66
votes: 0


I'm not saying it's the case here, but a query string that makes an =http reference is typically attempting a remote file inclusion exploit.

This critter looks half-baked to me, but I can relate to your concern re bandwidth.

Keep us posted?
5:26 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Will do, thanks for the tips.
8:01 pm on Mar 16, 2012 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4562
votes: 364


This looks to me like the backlink "creation" bots I have been fighting. They sell the service of backlink creation for sites that couldn't get a backlink even with payment, then they fish around on sites, looking for a weakness that does not return a 404 when a non-existent URL is requested as part of a URL parameter. On WP sites they look for pages/posts with pingbacks enabled to make it appear that your site is linking to theirs but I have seen this on 100% static html sites too. I have always heard that referrer spam was harmless if annoying, but I am seeing Google listing these sites as inbound links, even though no links exist.

I do not know all the hows and whys and maybe my terms are not the technically correct terms, I am no expert, these are only my own observations; I believe that making sure a non-existent URL delivers a 404 is an important way to make them look somewhere else. Some of those in your example are returning a "200" response which is maybe why they keep coming back.
8:15 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Interesting, thanks.
When they return, probably in the next few hours, they should now get a 403 for each request so I'll see if that deters them. If not, I'll try and work out how to ensure they receive a 404 and again monitor how that goes.

What you've written does make sense though and seems very likely.
Thanks
8:50 pm on Mar 16, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15937
votes: 889


I'm concerned about bandwidth usage.

If they're visiting gallery pages but not loading up images, bandwidth is probably the least of your worries.

RewriteCond %{THE_REQUEST} /(coppermine|guestbook) [NC]
# HTTP_REFERER is a full URL, so the pattern has to allow for the scheme and an optional www.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.fu [NC]
RewriteRule . - [F]

Although what if the gallery for example has been bookmarked and is requested directly without a referrer?

It's really analogous to a hotlinking routine, isn't it? Ordinarily you have to let in blank referers both to allow search engines-- assuming you do allow them-- and people who have the page bookmarked, or are simply refreshing the page. Or who use an ISP that doesn't send referers. Humans could be admitted by checking a session cookie instead-- but then you've got the ones who don't allow cookies.

:: thinking ::

Separate loop for blank referers. String of exceptions. Cookie or authorized IP range or authorized UA or ...?

Hah. It's the usual law-enforcement dilemma. Mistakes will be made. Is it better to err on the side of blocking some innocent humans, or admitting some guilty robots?
9:03 pm on Mar 16, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


Thanks Lucy. I'm still playing with a few ideas.
Do you see any potential issues with my second idea of something similar to:

# Forbid any request whose query string carries a full URL as the value of one of these parameters
# (THE_REQUEST holds the raw request line, so the value is still percent-encoded: "=http%3A%2F%2F...")
RewriteCond %{THE_REQUEST} (;action|album|board|cat|entry|gb_id|message_icon|message_id|msg_id|page|pid|profile;u|referer|topic|uid)=http
RewriteRule . - [F]
12:18 pm on Mar 17, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


The above worked as hoped and ensured they were presented with a 403, but of course that does not solve the wasted bandwidth issue (which in all fairness isn't huge anyway).
I'm going to wait and see if their visits reduce but may perhaps serve them a 404 so that they realise their continued attempts to inject these URLs are unsuccessful.
Despite obvious proxy use, by an increase in recent visits from certain Far East destinations, I'm quite sure these hits are originating in South Korea.
9:43 am on Mar 22, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


So the bandwidth issue is now more important than previously.
One of my sites last night received around 2000 hits in an approx. 1hr 30min period, almost entirely within my gallery but strangely none of them appear to be attempted spam hits as previously.
It looks to be a complete site scrape although no images were pulled.
I'm not 100% sure these hits were connected to the above spam attempts but I'm pretty sure it's very likely. A U.K. IP was used this time so I've sent a report to their abuse address hoping they might reply but I won't hold my breath.
(Although it appears I'm not alone: [cyberscapes.co.uk...]

Peer1 (UK) - 83.222.224.0/19
Short extract of my logs below.

Can anyone shed any light on what might have been going on please?
Any suggestions welcome.

Thank you


83.222.230.*** - - [22/Mar/2012:06:20:23 +0000] "GET /gallery/thumbnails.php?album=65 HTTP/1.1" 200 20189 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:20:25 +0000] "GET /gallery/thumbnails.php?album=71 HTTP/1.1" 200 24315 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:20:27 +0000] "GET /gallery/thumbnails.php?album=70 HTTP/1.1" 200 35267 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:20:29 +0000] "GET /gallery/thumbnails.php?album=69 HTTP/1.1" 200 25518 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:20:31 +0000] "GET /gallery/thumbnails.php?album=68 HTTP/1.1" 200 35432 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
....../snip/........
83.222.230.*** - - [22/Mar/2012:06:25:28 +0000] "GET /gallery/thumbnails.php?album=lastup&cat=-72 HTTP/1.1" 200 35612 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:25:30 +0000] "GET /gallery/thumbnails.php?album=lastcom&cat=-72 HTTP/1.1" 200 28898 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:25:32 +0000] "GET /gallery/thumbnails.php?album=topn&cat=-72 HTTP/1.1" 200 35441 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:25:35 +0000] "GET /gallery/thumbnails.php?album=toprated&cat=-72 HTTP/1.1" 200 39574 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:25:37 +0000] "GET /gallery/login.php?referer=thumbnails.php%3Falbum%3D72 HTTP/1.1" 302 14913 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
....../snip/........
83.222.230.*** - - [22/Mar/2012:06:45:06 +0000] "GET /gallery/thumbnails.php?album=topn&cat=8&page=2 HTTP/1.1" 200 36651 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:08 +0000] "GET /gallery/thumbnails.php?album=topn&cat=8&page=3 HTTP/1.1" 200 36349 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:11 +0000] "GET /gallery/thumbnails.php?album=topn&cat=8&page=4 HTTP/1.1" 200 36332 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:13 +0000] "GET /gallery/thumbnails.php?album=topn&cat=8&page=10 HTTP/1.1" 200 22712 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:15 +0000] "GET /gallery/login.php?referer=thumbnails.php%3Falbum%3Dtoprated%26cat%3D8 HTTP/1.1" 302 14945 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
....../snip/........
83.222.230.*** - - [22/Mar/2012:06:45:17 +0000] "GET /gallery/thumbnails.php?album=lastup&cat=-36 HTTP/1.1" 200 35623 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:19 +0000] "GET /gallery/thumbnails.php?album=lastcom&cat=-36 HTTP/1.1" 200 17878 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:21 +0000] "GET /gallery/thumbnails.php?album=topn&cat=-36 HTTP/1.1" 200 35472 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
83.222.230.*** - - [22/Mar/2012:06:45:23 +0000] "GET /gallery/thumbnails.php?album=toprated&cat=-36 HTTP/1.1" 200 20589 "http://www.google.com/search" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
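Both log extracts in this thread (the March 12 run with URLs stuffed into query parameters and blank referers, and the March 22 gallery scrape with a fake Google referer) can be picked out of a raw Apache combined-format log with a short triage script. The following is an added example written for this thread, not code posted by anyone in it; it parses constructed sample lines modelled on the two extracts (RFC 5737 test addresses, a placeholder spam.example domain), flags any parameter whose decoded value is a full URL (the same =http pattern the RewriteCond above keys on), notes all-blank referers, and detects request bursts per IP with a sliding time window. The burst thresholds are assumptions chosen for the sample, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, as in both extracts in the thread:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
URL_VALUE = re.compile(r'^https?://', re.I)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The first extract has no timezone offset, the second has "+0000"; the offset is ignored.
    rec["time"] = datetime.strptime(rec["time"].split()[0], "%d/%b/%Y:%H:%M:%S")
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) >= 3 else ""   # "" for a malformed "GET HTTP/1.0"
    return rec


def injected_params(target):
    """Names of query parameters whose percent-decoded value is a full http(s) URL,
    i.e. the album=http%3A%2F%2F... pattern seen in the first extract."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if URL_VALUE.match(value)]


def triage(lines, burst_window=10, burst_min=5):
    """Group requests by client IP and label each IP with the patterns seen.

    verdicts: 'url-injection' if any parameter value was a URL,
              'blank-referer' if every request from the IP had a "-" referer,
              'burst'         if burst_min requests arrived within burst_window seconds.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["host"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        injected = sum(1 for r in recs if injected_params(r["target"]))
        blank = sum(1 for r in recs if r["referer"] == "-")
        # Sliding window over the sorted timestamps: is there any burst_window-second
        # span holding at least burst_min requests?
        burst = False
        times = [r["time"] for r in recs]
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_min:
                burst = True
                break
        verdicts = []
        if injected:
            verdicts.append("url-injection")
        if blank == len(recs):
            verdicts.append("blank-referer")
        if burst:
            verdicts.append("burst")
        report[ip] = {"requests": len(recs), "injected": injected,
                      "blank_referer": blank, "verdicts": verdicts}
    return report


# Constructed sample lines modelled on the thread's extracts (RFC 5737 test addresses,
# placeholder spam domain); these are not the original poster's log lines.
UA_OLD = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_NEW = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Mar/2012:04:06:40] "GET / HTTP/1.0" 200 16931 "-" "{UA_OLD}"',
    f'192.0.2.10 - - [12/Mar/2012:04:06:41] "GET /coppermine/thumbnails.php?album=http%3A%2F%2Fspam.example%2Fx%2F HTTP/1.0" 200 17437 "-" "{UA_OLD}"',
    f'192.0.2.10 - - [12/Mar/2012:04:06:43] "GET /coppermine/thumbnails.php?album=48 HTTP/1.0" 200 29642 "-" "{UA_OLD}"',
    f'192.0.2.10 - - [12/Mar/2012:04:06:44] "GET /coppermine/displayimage.php?album=48&pid=http%3A%2F%2Fspam.example%2Fy%2F HTTP/1.0" 302 - "-" "{UA_OLD}"',
    f'192.0.2.10 - - [12/Mar/2012:04:06:45] "GET HTTP/1.0" 403 1505 "-" "{UA_OLD}"',
    f'198.51.100.7 - - [22/Mar/2012:06:20:23 +0000] "GET /gallery/thumbnails.php?album=65 HTTP/1.1" 200 20189 "http://www.google.com/search" "{UA_NEW}"',
    f'198.51.100.7 - - [22/Mar/2012:06:20:25 +0000] "GET /gallery/thumbnails.php?album=71 HTTP/1.1" 200 24315 "http://www.google.com/search" "{UA_NEW}"',
    f'198.51.100.7 - - [22/Mar/2012:06:20:27 +0000] "GET /gallery/thumbnails.php?album=70 HTTP/1.1" 200 35267 "http://www.google.com/search" "{UA_NEW}"',
    f'198.51.100.7 - - [22/Mar/2012:06:20:29 +0000] "GET /gallery/thumbnails.php?album=69 HTTP/1.1" 200 25518 "http://www.google.com/search" "{UA_NEW}"',
    f'198.51.100.7 - - [22/Mar/2012:06:20:31 +0000] "GET /gallery/thumbnails.php?album=68 HTTP/1.1" 200 35432 "http://www.google.com/search" "{UA_NEW}"',
    f'203.0.113.5 - - [22/Mar/2012:09:15:02 +0000] "GET /gallery/thumbnails.php?album=65 HTTP/1.1" 200 20189 "http://www.mydomain.fu/" "{UA_NEW}"',
]

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the sample, the first IP is labelled url-injection, blank-referer and burst (the March 12 profile), the second only burst (the March 22 scrape, whose referer and parameters look ordinary on their own), and the single bookmark-style visit gets no label at all. That split is the point lucy24 makes above: a blank referer by itself is only a hint, since humans with bookmarks or a page refresh produce it too, so in this script it is reported alongside the other signals rather than used as a block criterion.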
6:13 am on Mar 29, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 28, 2012
posts: 54
votes: 0


FYI:
The above 'attack' appears to have been a one-off and the rule I used in my previous post appears to have stopped the attempted gallery referrer spam/injections(?).