
Is this a bot?


aristotle

2:11 pm on Mar 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This type of entry began appearing in one of my site's Latest Visitor logs a few days ago:
Host: 149.210.175.174
/?x=()
Http Code: :; Date: Mar 17 02:01:23 Http Version: { Size in Bytes: };
Referer: echo
Agent: Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @ HTTP/1.0 301 245 () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @ () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @

/403.shtml?x=()
Http Code: :; Date: Mar 17 02:01:23 Http Version: { Size in Bytes: };
Referer: echo
Agent: Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @ HTTP/1.0 404 - () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @ () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @

IP Information
IP: 149.210.175.174
Hostname: server.activeshops.nl
ISP: Transip B.V.
Organization: Transip B.V.
Services: None detected
Assignment: Static IP
Country: Netherlands

I don't remember seeing anything like this before. The response code, Http and size information is missing. What does it mean when there's no response code? Can anybody explain what this is?

lucy24

5:42 pm on Mar 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You may need to discuss this offline with someone familiar with your host. Raw access logs will always give the same information.

The short answer is: Yes, it's a robot. I've got
149.210.128.0/17
(TransIP) blocked for bad behavior.

No, I don't know what's up with 149. Notes say Early Registrations Under ARIN, but half of it seems to be Europe. And not in the kind of /16 blocks that you associate with established universities.

bhukkel

6:06 pm on Mar 17, 2015 (gmt 0)

10+ Year Member



It looks like someone is testing your server for the shellshock bug.

You can read some here [theregister.co.uk...]

aristotle

6:53 pm on Mar 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for the replies. What both of you said sounds a little scary.

I read the article in The Register (thanks for the link). But I don't have time right now to do anything else. As far as I know, there haven't been any problems with the server recently. It's a small company, though, so when I get a chance I may contact them about it. In the meantime, if anyone else knows anything, please post it.
Thanks again

keyplyr

12:43 am on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Block 149.210.128.0/17 with extreme prejudice. This is a VPS (Virtual Private Server) IP pool which IMO is high risk due to lack of admin oversight, much like AWS.

Angonasec

12:48 pm on Mar 18, 2015 (gmt 0)



Better yet, block the Low Countries, they've been up to high jinx for centuries.

Pfui

5:26 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Echoing bhukkel, yep, it's related to the Bash-busting Shellshock. I first saw the probes/exploits on 02-21-15. Most hits include the log-bloating details in the OP. Others make it simple and try to echo:

Shellshock: Vulnerable

I've seen hits from the always-iffy Turkey and Morocco, but also from major, should-be-more-protected US corps:

host182.hosting.register.com (209.237.142.182)
ec2-54-69-209-253.us-west-2.compute.amazonaws.com (54.69.209.253)

"Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014." [en.wikipedia.org...]
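As an added example (not code from the original thread), the script below does what the replies above describe by hand: it scans access-log lines for the Shellshock signature `() { :; };` in the request line, Referer and User-Agent, and flags clients inside the 149.210.128.0/17 range that lucy24 and keyplyr block. It also explains the odd "Http Code: :;" and "Referer: echo" in the opening post: that visitor-log display split the request line on spaces, so fragments of the probe landed in the status and referer columns and the real values (301 and 245 bytes, then 404) ended up inside the Agent field. Matching on the quoted fields rather than splitting on whitespace keeps the status code where it belongs. The sample lines are constructed for this example and modelled on the two entries in the opening post; `SAMPLE_LOG`, `classify` and `scan` are names chosen here.

```python
"""Flag Shellshock-style probes and blocked-range clients in combined-format access logs."""
import ipaddress
import re

# Apache/Nginx "combined" log format. Quoted fields may contain spaces (the
# request line of a Shellshock probe does), so match on the quotes, not on
# whitespace; a naive split() pushes the status code into later columns.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: an empty bash function body "() { :; };" followed by
# trailing text, placed in a header that a CGI handler exports to the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')

# Ranges the thread recommends blocking (TransIP VPS pool). Extend as needed.
BLOCKED_NETS = [ipaddress.ip_network("149.210.128.0/17")]

# Constructed sample lines (not from the original post), modelled on the OP's
# two entries plus an ordinary request and a benign request from the same range.
SAMPLE_LOG = [
    '149.210.175.174 - - [17/Mar/2015:02:01:23 +0000] '
    '"GET /?x=() { :; }; echo Content-type:text/plain;echo;echo probe HTTP/1.0" 301 245 '
    '"() { :; }; echo" "() { :; }; echo Content-type:text/plain;echo;echo probe"',
    '149.210.175.174 - - [17/Mar/2015:02:01:23 +0000] '
    '"GET /403.shtml?x=() { :; }; echo HTTP/1.0" 404 - '
    '"() { :; }; echo" "() { :; }; echo Content-type:text/plain;echo;echo probe"',
    '203.0.113.5 - - [17/Mar/2015:02:05:10 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '149.210.130.7 - - [17/Mar/2015:02:06:00 +0000] '
    '"GET /robots.txt HTTP/1.1" 200 80 "-" "curl/7.40.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_blocked_range(ip):
    """True if ip falls inside any network in BLOCKED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)


def classify(line):
    """Tag one log line: which fields carry the Shellshock signature and whether
    the client sits in a blocked range. Returns None for unparseable lines."""
    fields = parse_line(line)
    if fields is None:
        return None
    hit_fields = [name for name in ("request", "referer", "agent")
                  if SHELLSHOCK_RE.search(fields[name])]
    return {
        "ip": fields["ip"],
        "status": fields["status"],
        "shellshock_fields": hit_fields,
        "blocked_range": in_blocked_range(fields["ip"]),
    }


def scan(lines):
    """Return classifications for every line that is a probe or from a blocked range."""
    findings = []
    for line in lines:
        result = classify(line)
        if result and (result["shellshock_fields"] or result["blocked_range"]):
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        kind = "SHELLSHOCK" if f["shellshock_fields"] else "blocked-range"
        where = ",".join(f["shellshock_fields"]) or "-"
        print(f"{f['ip']:16} {f['status']:>3} {kind} in {where}")
```

Run it against a real log with `scan(open("access.log"))`; lines that do not match the combined format are skipped rather than misread. A probe that lands on a 404 or 301, as both OP entries did, is still worth recording, since the response code says nothing about whether a CGI script elsewhere on the same host would have exported the header.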

aristotle

6:04 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for the replies and the information about which IP range to block. But if we're on shared servers, don't we have to depend on the hosting companies to fix the bugs and vulnerabilities for this threat?

keyplyr

6:44 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



if we're on shared servers, don't we have to depend on the hosting companies to fix the bugs and vulnerabilities for this threat?

Yes & No. The host *should* be current with security issues, but often is not... thus the threat gains significance. Blocking range, UA, request type, etc can often be a proactive measure you can take responsibility for. I know my host blocks BASH attacks, but I do as much as I can regardless.

lucy24

7:13 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



But if we're on shared servers, don't we have to depend on the hosting companies to fix the bugs and vulnerabilities for this threat?

You can expect hosts to protect their own servers, since it's very much in their own interest to do so. Some hosts use mod_security (there may be IIS/Nginx equivalents) to block malign requests at the server level. But it never hurts to block the same visitor more than one way.

aristotle

8:26 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes I agree that we should do what we can to protect our individual sites. But as I learned about 7 or 8 years ago, things can happen on a shared server that are beyond our control:

What happened is that one day I noticed that several of the pages on one of my sites had completely disappeared from Google's search results. Then the next day several more pages disappeared. This was on a site that had about 30 pages, all of them static html.

In checking my logs, I saw that googlebot had completely disappeared from the logs about a week earlier. Previously it had always crawled at least a dozen pages every day. I hadn't changed anything in a good while, and there was nothing in .htaccess or robots.txt to explain why it had stopped coming.

I REALIZED THAT GOOGLEBOT WAS BEING BLOCKED FROM MY SITE BY SOMETHING THAT HAD HAPPENED SOMEWHERE ELSE ON THE SERVER.

I was already unhappy with that hosting company because of frequent server outages, and so I decided that the best solution was to move the site to a new host as quickly as possible. After I did so, googlebot immediately began crawling the site again, and within a couple of weeks all of the pages had re-appeared in the search results in their old rankings.

I still don't know what happened on that server to cause googlebot to be blocked from my site. I just hope it never happens again.

keyplyr

9:21 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I find it helpful to visit Google Webmaster Tools & Bing Webmaster Tools almost every day to check the status of several of my site's resources. You can see how Googlebot or Bingbot "sees" your pages. This would have alerted you of the issue with your host earlier instead of finding out after your pages started dropping out of the search indexes.

If you don't already have a GWT or BWT account you should consider opening them. They are free.

aristotle

10:10 pm on Mar 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks keyplyr-- I have WebmasterTools now, but didn't at that time. I wasn't watching very closely because it never occurred to me that something like that would ever happen.