
Forum Moderators: Ocean10000 & incrediBILL


Possible bot

     

Readie

9:15 am on Jun 26, 2013 (gmt 0)




Hey guys,

Got a user agent popping up in my access logs 21,863 times within a 3-week period - noticed it due to the S.N.O.W.4 suffix:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 3.5.30729; MS-RTC LM 8; .NET4.0E; S.N.O.W.4; S.N.O.W.4)

All requests originate from the same IP address: 95.172.68.155

Behaviour pattern makes me suspect it's a bot. If it is a bot, it's a pretty rude one. Ignoring robots.txt and doing things like this (Referer and UA grepped out):

95.172.68.155 - - [23/Jun/2013:02:55:25 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:55:52 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:47 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:57 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:08 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:19 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:26 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:58:02 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:58:16 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"

Anyone got any more information on this one?

wilderness

3:56 pm on Jun 26, 2013 (gmt 0)




Nothing from me on the UA, however the IP and the backbone range are server farms.

dstiles

7:18 pm on Jun 26, 2013 (gmt 0)




95.172.68.0 - 95.172.71.255
95.172.68.0/22
Internap - block as server farm.
I have 18 ranges for Internap, all blocked.

Specifically, 95.172.68.155 has dozens of open ports. If it's not really a server it certainly looks like a bot or even a compromised machine.

Readie

9:50 pm on Jun 26, 2013 (gmt 0)




Cheers for the info guys. Blocked now :)
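
The two signals raised in this thread (one address re-fetching the same static file every few seconds, and that address sitting inside a range identified as a server farm) can be checked against an access log mechanically. The following is an added example, not part of any post above; the threshold, the window, the function names and the 192.0.2.10 line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Range given in the thread as a server-farm block; extend with your own list.
SERVER_FARM_RANGES = [ipaddress.ip_network("95.172.68.0/22")]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

# First five lines are from the thread; the last line is constructed for contrast.
SAMPLE_LOG = """\
95.172.68.155 - - [23/Jun/2013:02:55:25 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:55:52 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:47 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:56:57 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
95.172.68.155 - - [23/Jun/2013:02:57:08 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
192.0.2.10 - - [23/Jun/2013:02:55:30 +0100] "GET /lightbox/css/jquery.lightbox-0.5.css HTTP/1.1"
"""

def parse(line):
    """Return (ip, timestamp, path) for a common/combined log line, else None."""
    m = LOG_RE.match(line)
    return (m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[3]) if m else None

def repeat_fetchers(lines, threshold=5, window=timedelta(minutes=5)):
    """Map (ip, path) -> peak hits inside any window, for pairs >= threshold."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec[0], rec[2]].append(rec[1])
    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= window.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

def in_server_farm(ip):
    return any(ipaddress.ip_address(ip) in net for net in SERVER_FARM_RANGES)

def report(lines):
    """List (ip, path, peak_hits, in_server_farm) for every flagged pair."""
    return [(ip, p, n, in_server_farm(ip))
            for (ip, p), n in sorted(repeat_fetchers(lines).items())]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

A normal browser caches a stylesheet after the first fetch, so repeated unconditional GETs for the same CSS file are a stronger signal than the raw request count alone.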
 
