Forum Moderators: open
IPs:
Block: 62.80.124.0 - 62.80.127.255
Hits from: 62.80.126.*, 62.80.125.* (one each in range)
User-Agent:
Mozilla/5.0 (compatible; [forumseek.net...] BOT_2.1; +http://www.forumseek.net)
Referer:
[forumseek.net...]
Frequency:
8 hits in 4 seconds to one site at 2:58 am GMT
16 hits in 11 seconds to same site at 4:27 am GMT
First hit on default (home) page then the rest a blind search for folders that are not on the site. Second attempt hit each folder twice but in random sequence.
Folders:
/community/
/forums/
/forum/
/vbulletin/
/board/
/phpbb/
/phpBB/
Domain Creation Date: 23-dec-2008
The hits I originally gave were only those recorded as 404's prior to the IPs being blocked.
Attempts were made both to example.com:80 and www.example.com:80 and all hits included the port in the url.
Other non-existent files/folders hit were:
/cgi-bin/yabb/YaBB.cgi
/cgi-bin/yabb/YaBB.pl
/foro/
/foros/
Total hits per IP were 12 and 24 (not as originally given 8 and 16). The files/folders given were the only hits from either IP. There were no attempts to fetch CSS, JS, images etc.
No attempt to fetch robots.txt.
It's possible (though probably not) that the site was chosen because it has a forum - except the forum is conducted by mailing list not by web.
inetnum: 193.238.60.0 - 193.238.63.255
netname: MEGASPACE
descr: Megaspace IS GmbH
country: DE
/
/community/
/forums/
/forum/
/vbulletin/
/board/
/phpbb/
/phpBB/
/cgi-bin/yabb/YaBB.pl
/cgi-bin/yabb/YaBB.cgi
/foro/
/foros
Not sure it will always include the UA and there are other nasties looking for loopholes, so I've banned it by script folder-name as well, since I don't have any of them on the server.
