/msgimport / requests

what is this?


smallcompany

6:56 am on Jan 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Since recently I see requests like:

bin/msgimport
webmail/bin/msgimport
nonexisten#*$!
mail/bin/msgimport

and so on.

I see this on a few of my sites that are not on the same server.

Why would "something" query the site for this, and what could that be?

Thanks

Umbra

1:57 pm on Jan 8, 2009 (gmt 0)

10+ Year Member



I've also seen this very recently: identical files requested from numerous web hosts and colos all over the map. Some sort of zombienet?

pageoneresults

2:00 pm on Jan 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They're probing for vulnerabilities.

I've been blocking the requests for the past 24 hours. That appears to be when they started, and they have been consistent. I'll block one IP, another one comes in. I'm kind of having fun with them. ;)

pageoneresults

2:03 pm on Jan 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RoundCube Webmail
[isc.sans.org...]

There is a vulnerability in RoundCube Webmail that is currently being exploited if you haven't applied the RoundCube patches.

Security update for 0.2-beta
[sourceforge.net...]

jdMorgan

12:49 am on Jan 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That ISC post refers to the old user-agent, "Toata dragostea mea pentru diavola".

They're now using "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5".

This thing is so incredibly busy today that it's actually quite useful at revealing compromised servers and client computer networks. If they don't back off, they're going to expose the whole botnet!

Hundreds of hits from their new Firefox User-Agent just today -- and on very small sites. Obviously, there's no central 'bot coordination in real-time.

You can block the IP when you get a request for the exact URL-path "/nonex¦stensh¦t" (shown slightly obscured here, substitute "i" for the "¦", and yes, it's still mis-spelled) or block by requested URL-path matching the above or containing "/msgimport".

For most Webmasters (who aren't using RoundCube mail), the only advantage to doing so is if you can serve up a tiny 403 response to them, just to get them off your server with minimum bandwidth wasted.

Jim

pageoneresults

1:42 am on Jan 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Actually that UA just ripped through about 30 minutes ago...

Toata dragostea mea pentru diavola

Looking for...

/readme.txt

webcentive

3:30 am on Jan 12, 2009 (gmt 0)

10+ Year Member



337 attempted hits from Jan 4 to Jan 11. Some even have roundcubemail in the attempt. More included for reference.

fgrep msgimport /private/var/log/apache2/access_log | nl

1 [04/Jan/2009:08:12:20 -0500] "GET /roundcubemail-0.1/bin/msgimport HTTP/1.1" 404 229
2 [04/Jan/2009:08:12:20 -0500] "GET /roundcubemail/bin/msgimport HTTP/1.1" 404 225
3 [04/Jan/2009:08:12:20 -0500] "GET /roundcubemail-0.2/bin/msgimport HTTP/1.1" 404 229
4 [04/Jan/2009:08:12:20 -0500] "GET /roundcube-0.1/bin/msgimport HTTP/1.1" 404 225
5 [04/Jan/2009:08:12:21 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 219
6 [04/Jan/2009:08:12:21 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 216
7 [04/Jan/2009:08:12:21 -0500] "GET /bin/msgimport HTTP/1.1" 404 211
8 [04/Jan/2009:08:12:21 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 221
9 [04/Jan/2009:21:25:02 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 222
10 [05/Jan/2009:18:19:10 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 222

caribguy

5:44 am on Jan 12, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's a veritable treasure trove for finding blockable ranges.

incrediBILL

6:24 pm on Jan 12, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm feeling left out, not a single hit.

GaryK

6:42 pm on Jan 12, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Send me a URL and I'll add a redirect to a file. Maybe you'll get lucky. ;)

dstiles

5:24 pm on Feb 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Toata dragostea mea pentru diavola

This has just attempted to access the following on two different domains from 91.121.80.nnn (OVH servers France):

/include/install.lock
/art/include/install.lock
/album/include/install.lock
/cpg/include/install.lock
/coppermine/include/install.lock
/copperminegallery/include/install.lock
/Coppermine/include/install.lock
/gallery/include/install.lock
/galerie/include/install.lock
/Gallery/include/install.lock
/galeria/include/install.lock
/pictures/include/install.lock
/photogallery2/include/install.lock
/photos/include/install.lock
/photoalbum/include/install.lock
/photo/include/install.lock
/photobook/include/install.lock
/news/include/install.lock

GaryK

10:03 pm on Feb 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Full user agent: Toata dragostea mea pentru diavola(diavola is a girl and this is not a pbot or a browser)

Only one IP Address: 92.243.2.* (xvm-2-*.ghst.net) from GANDI servers in France.

It looked for all the files mentioned above and got 404s. It also requested the default root file for each of my sites. In total it requested 117 files in eight seconds on February 1st and then left never to return.

Pfui

3:43 pm on Feb 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I miss the days when the UA was so obvious. Dating back to October, 2008, when it was Toata, etc., without the parenthetical, hosts using it would hit all of our Class C's IPs numerically/consecutively. Of course, those IPs running webservers would log it.

Files as mentioned, plus others (partial listing):

/domain_default_page/index.html
/vhcs2/domain_default_page/index.html
/mantisbt/login_page.php
/tracker/login_page.php
/bugs/login_page.php

Hosts/Zombies hailing from (partial listing):

Kuala Lumpur; Netherlands; Ft. Lauderdale; Indonesia; Czech Republic; and the perpetual plague upon our houses: FDCservers

caribguy

11:43 pm on Feb 16, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here's a new variant:

UA: "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

74.62.155.nn "GET /roundcube/CHANGELOG
74.62.155.nn "GET /mail/CHANGELOG
74.62.155.nn "GET /webmail/CHANGELOG
74.62.155.nn "GET /roundcubemail/CHANGELOG
74.62.155.nn "GET /rcmail/CHANGELOG
74.62.155.nn "GET //CHANGELOG
74.62.155.nn "GET /rc/CHANGELOG
74.62.155.nn "GET /email/CHANGELOG
74.62.155.nn "GET /mail2/CHANGELOG
74.62.155.nn "GET /Webmail/CHANGELOG
74.62.155.nn "GET /components/com_roundcube/CHANGELOG
74.62.155.nn "GET /squirrelmail/CHANGELOG
74.62.155.nn "GET /vhcs2/tools/webmail/CHANGELOG
74.62.155.nn "GET /round/CHANGELOG

GaryK

3:01 am on Feb 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does anyone still use Win98?

I often wonder why some of these idiots give their bots such an obviously fake OS.

dstiles

3:47 am on Feb 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I still get Win-98 users. Even get MSIE-5.x users. Can't block them 'cause the clients complain. :(

Trouble is they are (mostly?) http/1.0 so the headers are shot. Very tricky!

GaryK

7:05 pm on Mar 1, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Slightly different variation on the basic UA:

Toata dragostea mea pentru diavola(diavola is a girl,and this is not an pbot or browser...)

It requested all the usual files listed above, and got 404s or 301s for all of them.
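The posts above collect a fairly complete signature set for this scanner: the RoundCube `bin/msgimport` and `CHANGELOG` probes, the Coppermine `include/install.lock` and Mantis `login_page.php` probes, and the "Toata dragostea mea pentru diavola" user-agent in its several variants. As an added example, not code from the thread, from RoundCube or from any poster, the Python script below runs those signatures over Apache combined-format access-log lines, aggregates hits per client IP, and turns repeat offenders into an Apache 2.4 `<RequireAll>` deny block of the kind several posters say they maintain by hand. The combined `LogFormat`, the threshold of probes per IP, the signature names and the sample log lines are all assumptions constructed for the example (documentation IP ranges, not the addresses reported in the thread).

```python
"""Added example, not code from the thread or from RoundCube: flag the probe
traffic the posts describe in an Apache combined-format access log, aggregate
it per client IP, and emit an Apache 2.4 deny block for repeat offenders.

Assumptions: the combined LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i"
"%{User-Agent}i") and the sample log lines below are constructed here; the
request paths and user-agent strings are those reported in the thread.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The scanner's original UA prefix; later variants only change the parenthetical.
SCANNER_UA_PREFIX = "Toata dragostea mea pentru diavola"

# Path signatures reported in the thread (RoundCube, Coppermine, Mantis probes).
PROBE_PATHS = [
    ("roundcube-msgimport", re.compile(r"/bin/msgimport$")),
    ("roundcube-changelog", re.compile(r"/CHANGELOG$")),
    ("coppermine-install-lock", re.compile(r"/include/install\.lock$")),
    ("mantis-login-page", re.compile(r"/login_page\.php$")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Names of the scanner signatures a parsed entry matches (empty if none)."""
    hits = set()
    # Drop any query string and collapse doubled slashes (/roundcube//bin/...)
    path = re.sub(r"/{2,}", "/", entry["path"].split("?", 1)[0])
    for name, rx in PROBE_PATHS:
        if rx.search(path):
            hits.add(name)
    if (entry.get("ua") or "").startswith(SCANNER_UA_PREFIX):
        hits.add("toata-ua")
    return hits


def scan_log(lines):
    """Per client IP: total requests, requests matching a signature, signatures seen."""
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0, "sigs": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; skip rather than guess
        rec = per_ip[entry["ip"]]
        rec["requests"] += 1
        sigs = classify(entry)
        if sigs:
            rec["probes"] += 1
            rec["sigs"] |= sigs
    return per_ip


def deny_list(per_ip, min_probes=3):
    """IPs with at least min_probes signature hits, plus an Apache 2.4 deny block.

    The threshold keeps a single stray 404 for /CHANGELOG from blocking a
    legitimate visitor; the scanner fires many probes within a second or two.
    """
    bad = sorted(ip for ip, rec in per_ip.items() if rec["probes"] >= min_probes)
    body = "".join(f"    Require not ip {ip}\n" for ip in bad)
    return bad, f"<RequireAll>\n    Require all granted\n{body}</RequireAll>\n"


# Constructed sample log (documentation IP ranges), not from the thread's servers.
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) "
              "Gecko/2008120122 Firefox/3.0.5")
TOATA_UA = ("Toata dragostea mea pentru diavola"
            "(diavola is a girl and this is not a pbot or a browser)")
MSIE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

SAMPLE_LOG = [
    f'203.0.113.7 - - [04/Jan/2009:08:12:20 -0500] "GET /roundcubemail-0.1/bin/msgimport HTTP/1.1" 404 229 "-" "{FIREFOX_UA}"',
    f'203.0.113.7 - - [04/Jan/2009:08:12:20 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 219 "-" "{FIREFOX_UA}"',
    f'203.0.113.7 - - [04/Jan/2009:08:12:21 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 222 "-" "{FIREFOX_UA}"',
    f'198.51.100.23 - - [08/Feb/2009:17:20:01 +0000] "GET /coppermine/include/install.lock HTTP/1.0" 404 231 "-" "{TOATA_UA}"',
    f'198.51.100.23 - - [08/Feb/2009:17:20:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "{TOATA_UA}"',
    f'192.0.2.44 - - [08/Feb/2009:17:21:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "{MSIE_UA}"',
    f'192.0.2.44 - - [08/Feb/2009:17:21:10 +0000] "GET /mail/CHANGELOG HTTP/1.1" 404 216 "-" "{MSIE_UA}"',
]

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for ip, rec in sorted(report.items()):
        print(f"{ip:16} {rec['requests']:3} req {rec['probes']:3} probes {sorted(rec['sigs'])}")
    print(deny_list(report, min_probes=2)[1])
```

Run against a real `access_log` by replacing `SAMPLE_LOG` with the file's lines; the UA prefix match catches all three "Toata" variants quoted in the thread, while the spoofed Firefox and MSIE variants are caught only by their request paths, which is why the per-IP threshold rather than the user-agent does the blocking. With the sample data the host sending only one `/CHANGELOG` request stays off the deny list.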