Hi guys,
My server logs show this type of attempt over and over again, which has been going on for at least a month. Hackers are getting served a 403 every time. Is this a botnet attack, or is it something else? Examples of attempts shown below:
91.149.157.nn - - [29/May/2011:04:43:54 -0400] "GET /osc/admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"
74.50.20.nn - - [29/May/2011:05:02:55 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
83.170.107.n - - [29/May/2011:05:02:58 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)"
217.171.213.nnn - - [29/May/2011:08:40:19 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)"
91.103.4.n - - [29/May/2011:10:36:13 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
213.137.57.n - - [29/May/2011:10:36:22 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
173.201.35.nnn - - [29/May/2011:20:41:09 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
41.211.2.nn - - [29/May/2011:20:43:38 -0400] "GET /admin/file_manager.php/login.php HTTP/1.0" 403 4243 "-" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"
85.114.137.nn - - [29/May/2011:20:44:32 -0400] "GET /osc/admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"
178.33.146.nnn - - [29/May/2011:22:27:10 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.61 (Macintosh; I; PPC)"
82.198.81.nnn - - [28/May/2011:07:49:04 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"
168.143.5.nn - - [28/May/2011:11:04:44 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
217.171.213.nnn - - [28/May/2011:19:33:08 -0400] "GET /osc/admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.14.127.nn - - [28/May/2011:20:46:06 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0"
173.193.55.nnn - - [28/May/2011:00:28:42 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
94.23.204.nnn - - [28/May/2011:00:29:28 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"
217.171.213.nnn - - [27/May/2011:20:25:25 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
205.234.187.nn - - [26/May/2011:08:46:35 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0"
87.106.252.n - - [26/May/2011:10:16:29 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
91.221.70.nn - - [26/May/2011:10:16:56 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
82.195.150.nnn - - [26/May/2011:10:27:48 -0400] "GET /admin/banner_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
The IPs are from all over the place. The user agents seem to be a recycled set. I only see the SeaMonkey on these types of hack attempts. So, are these attempts actually coming in from compromised machines? Should I notify the abuse departments?
-- grandma genie
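
A triage sketch for the pattern described in the post, added here as an example and not part of the original post: it parses combined-format access log lines, keeps requests where an admin PHP script has `/login.php` appended, and reports how many distinct sources sent them, which user agents recur across different sources, and whether any such request got a non-error response. The names `summarize_probes` and `PROBE_RE` and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Request shape seen in the post: an admin PHP script with /login.php appended
# as extra path info (assumed pattern, derived only from the quoted log lines).
PROBE_RE = re.compile(r'/admin/[\w.-]+\.php/login\.php$')

# Constructed sample lines, modelled on the post's excerpt.
SAMPLE_LOG = """\
192.0.2.10 - - [29/May/2011:04:43:54 -0400] "GET /osc/admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"
198.51.100.7 - - [29/May/2011:05:02:55 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
203.0.113.25 - - [29/May/2011:05:02:58 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
203.0.113.90 - - [29/May/2011:10:27:48 -0400] "GET /admin/banner_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"
192.0.2.44 - - [29/May/2011:10:30:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
198.51.100.7 - - [29/May/2011:20:41:09 -0400] "GET /admin/file_manager.php/login.php HTTP/1.1" 403 4243 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
"""

def summarize_probes(log_text):
    """Summarize requests matching PROBE_RE in combined-format log text."""
    hosts, paths, statuses = set(), Counter(), Counter()
    hosts_by_ua = defaultdict(set)
    not_refused = []  # probes answered with a non-4xx/5xx status: review these first
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m["path"].split("?", 1)[0]):
            continue
        hosts.add(m["host"])
        paths[m["path"]] += 1
        statuses[m["status"]] += 1
        hosts_by_ua[m["ua"]].add(m["host"])
        if not m["status"].startswith(("4", "5")):
            not_refused.append((m["host"], m["path"], m["status"]))
    # The same user-agent string arriving from several hosts suggests one tool, many sources.
    shared = {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) > 1}
    return {"hits": sum(paths.values()), "distinct_hosts": len(hosts),
            "paths": dict(paths), "statuses": dict(statuses),
            "shared_user_agents": shared, "not_refused": not_refused}

if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real access log by passing the file's text to `summarize_probes`; a non-empty `not_refused` list means at least one of these requests was not turned away and deserves a closer look.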