38.112.195.45 -- fell in bot trap

         

BlueSky

3:30 am on Nov 2, 2003 (gmt 0)




Pretty uneventful. He came in on a sidepage, went to the homepage, then immediately took the bait.

UA: "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"

IP belongs to PSINet (Performance Systems International), a relatively large ISP in the US belonging to Cogent Communications. Subnet: 38.112.0.0 - 38.119.255.255

bull

6:57 am on Nov 2, 2003 (gmt 0)




It was here too:
38.112.195.5 - - [02/Nov/2003:07:42:10 +0100] "GET /widmann-rezzonico_e.htm HTTP/1.1" 403 390 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)" "-"
38.112.195.5 - - [02/Nov/2003:07:42:10 +0100] "GET / HTTP/1.1" 403 390 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)" "-"

But already fed with 403 because of no Windows NT version.
Huh, Halloween, night of the bad bots or what? Six new discussions.

BlueSky

12:16 pm on Nov 2, 2003 (gmt 0)




Hmmm, I get quite a few without NT version numbers. I'll have to pay more attention to them since most haven't done anything odd.

I think I figured out how to handle the guy who keeps feeding me garbage strings like this:

iyvulhi8aplyjvfqae rp g
o2kylyfxsxawcf2hkw ms kybd
XZAHBEHABG

All legit UAs I've seen so far are in both upper and lower case. This guy uses either all lower case intermixed with numbers and spaces or all uppercase letters. The string and substring lengths vary. So, I think this will get him without grabbing real users at least until he decides to switch his pattern.

RewriteCond %{HTTP_USER_AGENT} ^[a-z\ 0-9]+$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^[A-Z]+$ [OR]
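
Added example, not part of the original posts: a way to dry-run the two patterns above against access-log lines before deploying them, to see which User-Agents they would catch and which they would leave alone. The helper names, the 192.0.2.10 address, the www.example.test host and the sample log lines are constructed; only the two regexes and the first four User-Agent strings come from the thread.

```python
import re

# The two patterns from the RewriteCond lines above, copied verbatim.
LOWER_DIGIT_SPACE = re.compile(r"^[a-z\ 0-9]+$")
ALL_UPPER = re.compile(r"^[A-Z]+$")
QUOTED = re.compile(r'"([^"]*)"')


def is_garbage_ua(ua):
    """True if either pattern matches the whole User-Agent string."""
    return bool(LOWER_DIGIT_SPACE.search(ua) or ALL_UPPER.search(ua))


def ua_from_log_line(line):
    """Extract the User-Agent from a line in the log format quoted in the
    thread, where the quoted fields are: request, referer, UA, one more."""
    fields = QUOTED.findall(line)
    return fields[2] if len(fields) >= 3 else None


def flagged(lines):
    """Return the User-Agents from `lines` that the rules would catch."""
    uas = (ua_from_log_line(entry) for entry in lines)
    return [ua for ua in uas if ua is not None and is_garbage_ua(ua)]


def _line(ua):
    # Constructed log line in the same field layout as the lines in the thread.
    return ('192.0.2.10 - - [02/Nov/2003:07:42:10 +0100] "GET / HTTP/1.1" '
            '200 390 www.example.test "-" "%s" "-"' % ua)


SAMPLE_UAS = [
    "iyvulhi8aplyjvfqae rp g",                         # from the post
    "o2kylyfxsxawcf2hkw ms kybd",                      # from the post
    "XZAHBEHABG",                                      # from the post
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)",  # from the post
    "curl/7.10.6",  # constructed: '/' and '.' are in neither character class
    "XZAH BEHABG",  # constructed: the upper-case class has no space, no match
    "",             # constructed: empty UA, '+' needs at least one character
]
SAMPLE_LOG = [_line(ua) for ua in SAMPLE_UAS]

if __name__ == "__main__":
    for ua in flagged(SAMPLE_LOG):
        print("would block:", repr(ua))
```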