
Another one banned

         

cyberkat

12:40 pm on Jul 26, 2003 (gmt 0)

10+ Year Member



Added another person to the htaccess logs. Do they think that we are stupid?
Got this today:
218.145.25.80 - - [26/Jul/2003:05:38:26 -0400] "GET /robots.txt HTTP/1.0" 200 1921 "-" "GoogleBot"
218.145.25.80 - - [26/Jul/2003:05:38:27 -0400] "GET / HTTP/1.0" 200 52776 "-" "dloader(NaverRobot)/1.5"

KORNET - KOREA TELECOM - Network Management Center

Seems that a lot of the formmail hacking and proxying comes from the far east.

Romeo

12:49 pm on Jul 26, 2003 (gmt 0)

10+ Year Member



Hi cyberkat,
and welcome to WebmasterWorld.

Yes, I have seen this too, as reported in
[webmasterworld.com...]

The blocklists get longer every day ... :-)

Regards,
R.

Patrick Taylor

12:58 pm on Jul 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Forgive my ignorance (if not my curiosity)... but what is an htaccess log?

claus

1:37 pm on Jul 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Patrick_Taylor, here's the thread on htaccess bans:

[webmasterworld.com...]

- and part 2 of the thread (!) starts here:

[webmasterworld.com...]

/claus

cyberkat

3:08 pm on Jul 27, 2003 (gmt 0)

10+ Year Member



Pretty much had it with these IPs, banning them totally. And now it is time to report it to abuse@t-ipnet.de
I would love to post the entire log entries but they are 185 hits each (strange). Plus no one should be using the request type "OPTIONS" this many times. Am I wrong?
First & last entry logs posted from present to past hits. Ruled out this is not a crazy bot.

80.145.215.151 - - [26/Jul/2003:23:55:57 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
****183 of same OMITTED****
80.145.215.151 - - [27/Jul/2003:00:00:23 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

80.129.25.191 - - [06/Jun/2003:12:38:13 -0400] "OPTIONS / HTTP/1.1" 200 210 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
****183 of same OMITTED****
80.129.25.191 - - [06/Jun/2003:12:40:58 -0400] "OPTIONS / HTTP/1.1" 200 210 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

80.129.25.191 - - [06/Jun/2003:07:29:12 -0400] "OPTIONS / HTTP/1.1" 200 210 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
****183 of same OMITTED****
80.129.25.191 - - [06/Jun/2003:07:32:20 -0400] "OPTIONS / HTTP/1.1" 200 210 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
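
An added example, not part of any poster's message: one way to flag from an access log the two patterns reported in this thread, a client that sends "GoogleBot" and then a different user agent from the same IP, and a run of OPTIONS requests from one IP. The thresholds (100 requests in 10 minutes), the function names and the one-request-per-second burst in the sample are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%d/%b/%Y:%H:%M:%S %z"  # timestamp layout used in the quoted entries
# Combined log format: ip, ident, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def parse(lines):
    """Yield (ip, datetime, method, user_agent) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skips markers such as "****183 of same OMITTED****"
            ip, ts, method, ua = m.groups()
            yield ip, datetime.strptime(ts, FMT), method, ua

def analyse(lines, burst=100, window=timedelta(minutes=10)):
    """Return {ip: [findings]}; burst and window are assumed thresholds."""
    agents, options = defaultdict(set), defaultdict(list)
    for ip, ts, method, ua in parse(lines):
        agents[ip].add(ua)
        if method == "OPTIONS":
            options[ip].append(ts)
    findings = defaultdict(list)
    for ip, uas in agents.items():
        if len(uas) > 1 and any("googlebot" in u.lower() for u in uas):
            findings[ip].append("claims GoogleBot but also sends other user agents")
    for ip, stamps in options.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings[ip].append(f"{burst}+ OPTIONS requests within {window}")
                break
    return dict(findings)

def sample():
    """Constructed input: two entries quoted in the thread plus a synthetic burst."""
    lines = [
        '218.145.25.80 - - [26/Jul/2003:05:38:26 -0400] "GET /robots.txt HTTP/1.0" 200 1921 "-" "GoogleBot"',
        '218.145.25.80 - - [26/Jul/2003:05:38:27 -0400] "GET / HTTP/1.0" 200 52776 "-" "dloader(NaverRobot)/1.5"',
    ]
    t0 = datetime.strptime("26/Jul/2003:23:55:57 -0400", FMT)
    for i in range(185):  # one request per second is an assumption
        ts = (t0 + timedelta(seconds=i)).strftime(FMT)
        lines.append(f'80.145.215.151 - - [{ts}] "OPTIONS / HTTP/1.1" 200 - "-" '
                     '"Microsoft-WebDAV-MiniRedir/5.1.2600"')
    return lines
```

Calling `analyse(sample())` returns a dictionary keyed by IP address with one finding for each of the two addresses in the constructed input.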

cyberkat

2:24 pm on Jul 28, 2003 (gmt 0)

10+ Year Member



UPDATE: Re the 300+ entry logs above, reported to ISP. Their response:

Dear Sir or Madam

We received and analysed your e-mail.
The causer is a customer of T-Online.
Therefore we sent your complaint to

T-Online International AG
mailto:abuse@t-online.de
Tel.: 06151/680-0
abuse-Team

Kind regards
Deutsche Telekom AG
Security Team Ulm

webdevsf

2:40 pm on Jul 28, 2003 (gmt 0)

10+ Year Member



Does doing this kind of stuff really help you? I never ban IPs unless it's a horrendous attack that takes up large MB of bandwidth, and occurs on more than one day. What % of hits a day do you feel are composed by these kinds of spiders?

Usually, they are probing you for a security flaw, and then they go away if they can't find it. If they can find it, it's too late anyway...

I'm sure a lot of these people who are doing this (sending rogue spiders, formmail spammers) are NOT going to be on static IPs.

Your htaccess ban doesn't really help, in that they can just switch IPs by logging in and out of their ISP. Furthermore, someone else who may legitimately want to use your service will be blocked by your IP ban.