BotTracer; (+http://www.informacja.pl) scanning [Your URL here]

Okay so this is just creepy.

         

Pfui

1:44 am on Mar 6, 2009 (gmt 0)


We've all seen bots galore use our own URLs as faux referers. Or their own URLs as logspam. But this is the first time I've ever seen one use my URL in the UA. I kid you not. After the ellipsis (also in the UA), what I've marked as "example" was my primary domain:

jowisz.az.pl
BotTracer; (+http://www.informacja.pl) scanning... example.com

robots.txt? NO

FWIW
Both the botrunner (also a nameserver) and the bot's URL are in the same Polish IP block: 62.146.68.nn. "informacja.pl" is a 'search engine and web directory' (so sayeth Google translation).

A.K.A.
Mozilla/5.0 (compatible; BotTracer/2.0; +http://www.informacja.pl)

P.S.
I don't know how they do the domain-in-UA thing, and it's easy enough to block via mod_rewrite any number of ways. But dang. Seeing your domain in a bad bot's UA? Too weird.

enigma1

11:55 am on Mar 6, 2009 (gmt 0)


It's very simple to set up the UA field, along with the rest of the headers (host, method etc). They simply pass the user-agent header. Here is an RFC spec
[w3.org...]
It takes a few lines of code to set up all headers and emulate pretty much anything (browsers, spiders etc). So a bot searches for a keyword over the internet, locates the domains and pages, and sets up the UA. Now I believe they know how to set up proper UAs, so the question is more on the intention of the selected UA that's bogus.

My theory is, they attempt to establish some sort of identification using these requests, that can be used later on. For instance, if your server/host exposes in some way the logged information, they can force SEs to index it and then use it to find a back-door to the cpanel or monitor the logs for errors and statistics, or propagate the information for malicious purposes.

Pfui

8:48 pm on Mar 6, 2009 (gmt 0)


Oh, man. It's even creepier than I thought. Thanks. I think :)

dstiles

12:03 am on Mar 7, 2009 (gmt 0)


I got one today, also from IP 62.146.68.nn.

I'm also finding quite a few instances of target domains in proxy header fields. These are about to form another spur on the trap.

GaryK

12:26 am on Mar 7, 2009 (gmt 0)


DomainCrawler/1.0 (info@domaincrawler.com; [domaincrawler.com...]
This isn't quite the same, but I've been getting UAs with my domain names in them for well over two years. They're fed a steady diet of 403s, but don't seem to mind as they keep coming back for more.
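
Added example, not written by any poster in this thread: one way to find requests like the ones described above in an access log, by flagging entries whose User-Agent contains one of your own hostnames. It assumes Apache/nginx "combined" log format; the sample log lines, client IPs and function names are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def domain_pattern(own_domains):
    """Regex matching any of our hostnames (optionally with subdomains) as a whole name."""
    alts = "|".join(re.escape(d.lower().removeprefix("www.")) for d in own_domains)
    # The lookarounds keep "example.com" from matching inside "notexample.com"
    # or "example.com.pl", while still allowing a trailing full stop.
    return re.compile(
        r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*(?:%s)(?![a-z0-9-]|\.[a-z0-9])" % alts
    )

def flag_domain_in_ua(log_lines, own_domains):
    """Return (ip, request, user_agent) for entries whose UA names one of our domains."""
    pat = domain_pattern(own_domains)
    hits = []
    for line in log_lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess at the fields
        if pat.search(m["ua"].lower()):
            hits.append((m["ip"], m["request"], m["ua"]))
    return hits

# Constructed sample log; only the first UA string is taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2009:01:40:00 +0000] "GET / HTTP/1.0" 200 5120 "-" '
    '"BotTracer; (+http://www.informacja.pl) scanning... example.com"',
    '192.0.2.11 - - [06/Mar/2009:01:41:00 +0000] "GET / HTTP/1.0" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; BotTracer/2.0; +http://www.informacja.pl)"',
    '198.51.100.7 - - [06/Mar/2009:01:42:00 +0000] "GET /page HTTP/1.1" 200 900 '
    '"http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '198.51.100.8 - - [06/Mar/2009:01:43:00 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"SomeBot/1.0 (+http://notexample.com/bot)"',
]

if __name__ == "__main__":
    for ip, request, ua in flag_domain_in_ua(SAMPLE_LOG, ["example.com"]):
        print(f"{ip}  {request!r}  UA={ua!r}")
```

Only the User-Agent field is checked, so a normal visitor whose referer is your own site (third sample line) is not flagged.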