IDBTE4M CODE87 in UA field?

not2easy

7:27 pm on Jan 15, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Coming from 103.51.103.0/24 I see a request "GET /.env HTTP/1.1" and then a "POST / HTTP/1.1" - they were blocked, but I'm curious what kind of UA is "IDBTE4M CODE87"?

I see the /.env request in a few older 2020 threads: [webmasterworld.com...] and [webmasterworld.com...] but this is lacking the rest of the UAs discussed there. Evolution? Mystery.

lucy24

10:06 pm on Jan 15, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Haven’t set eyes on them yet, happily, though there’s a steady stream of requests for .env, mostly blocked. (Here, “mostly” seems to mean that they aren’t frequent enough to be blocked by request alone, especially since the great majority are blocked on other grounds, including but not limited to ever-popular UAs such as python-requests or curl or “Mozlila” [sic].)
IDBTE4M
Doesn't this bit make you think of emailers who have reason to think that “IDBTEAM” will be blocked? :) In fact I checked logs for both forms.

iamlost

6:05 pm on Jan 24, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Apparent script kiddie or uni student building exploit scripts as ‘learning experience’ and posting them online for all and sundry.

Si_99

9:42 am on Feb 10, 2021 (gmt 0)

5+ Year Member



I've had a visit to one of my sites with a User Agent showing as IDBTE4M CODE87.

The IP address associated with this request was 51.161.14.70

The details of this IP are:

Host: 51.161.14.70
ISP: OVH Hosting
Country Code: CA
Country Name: Canada
Latitude: 43.6319
Longitude: -79.3716

It would be interesting to know if this is the only source for these requests, so please post details of any other such visits so we can compare. Thanks!

watervale

4:01 pm on Feb 16, 2021 (gmt 0)

5+ Year Member



I've had a few of these visits to my sites recently from various IP addresses and networks:
First one was from [2600:3c01::f03c:92ff:feca:f881] - Linode
Then a couple from 13.76.177.48 - Microsoft
One from 129.146.190.190 - Oracle
And one from [2001:41d0:2:b478::1] - OVH
As the OP said, they all seem to request GET /.env followed by POST /.

A quick nmap of one of them showed an SSL certificate for blockschain.biz and possibly an open HTTP proxy.
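The two behaviours the thread describes (the OP's "GET /.env then POST /" pair from one client, and watervale's list of the same pair arriving from several networks) are easy to pull out of an access log mechanically. The following is an added example, not code from any poster: a small parser for Apache/nginx "combined" format log lines that flags the UA strings mentioned in the thread (matching both the IDBTE4M and IDBTEAM spellings, as lucy24 suggests checking), flags requests for /.env, and reports clients that issue GET /.env and later POST /. The log lines are constructed for the example: 103.51.103.10 is a made-up host inside the /24 the OP named, 51.161.14.70, 2600:3c01::f03c:92ff:feca:f881 and 13.76.177.48 are the addresses posters reported, and 198.51.100.7 and 203.0.113.9 are documentation addresses standing in for benign traffic and a "Mozlila" probe. Treating any path beginning with /.env as a secret-file probe is my assumption.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Apache/nginx "combined" log format. The client field may be IPv4 or IPv6.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# UA substrings discussed in the thread. One alternation covers IDBTE4M and
# IDBTEAM so the "4 for A" spelling cannot slip past a filter on the plain word.
BAD_UA_RE = re.compile(r"IDBTE(?:4|A)M|python-requests|curl/|Mozlila", re.IGNORECASE)

# Constructed sample log (see the lead-in for which addresses are invented).
SAMPLE_LOG = """\
103.51.103.10 - - [15/Jan/2021:19:20:01 +0000] "GET /.env HTTP/1.1" 403 199 "-" "IDBTE4M CODE87"
103.51.103.10 - - [15/Jan/2021:19:20:02 +0000] "POST / HTTP/1.1" 403 199 "-" "IDBTE4M CODE87"
51.161.14.70 - - [10/Feb/2021:09:40:11 +0000] "GET /.env HTTP/1.1" 404 0 "-" "IDBTEAM CODE87"
2600:3c01::f03c:92ff:feca:f881 - - [16/Feb/2021:15:58:30 +0000] "GET /.env HTTP/1.1" 404 0 "-" "IDBTE4M CODE87"
2600:3c01::f03c:92ff:feca:f881 - - [16/Feb/2021:15:58:31 +0000] "POST / HTTP/1.1" 404 0 "-" "IDBTE4M CODE87"
13.76.177.48 - - [16/Feb/2021:16:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "python-requests/2.25.1"
198.51.100.7 - - [16/Feb/2021:16:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
198.51.100.7 - - [16/Feb/2021:16:01:30 +0000] "POST /contact HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
203.0.113.9 - - [16/Feb/2021:16:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozlila/5.0 (Windows NT 10.0)"
"""


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def reasons(rec: dict) -> set[str]:
    """Per-request flags: secret-file probe (assumed: any /.env* path) and UA match."""
    out: set[str] = set()
    if rec["path"] == "/.env" or rec["path"].startswith("/.env."):
        out.add("secret-file probe")
    if BAD_UA_RE.search(rec["ua"]):
        out.add("blocklisted UA")
    return out


def env_then_post(records: list[dict]) -> dict[str, str]:
    """Clients that GET /.env and, later in log order, POST /. Returns {ip: UA of the POST}."""
    seen_env: set[str] = set()
    hits: dict[str, str] = {}
    for rec in records:
        ip = rec["ip"]
        if rec["method"] == "GET" and rec["path"] == "/.env":
            seen_env.add(ip)
        elif rec["method"] == "POST" and rec["path"] == "/" and ip in seen_env:
            hits[ip] = rec["ua"]
    return hits


def flagged_clients(records: list[dict]) -> dict[str, set[str]]:
    """Merge per-request flags and the GET /.env -> POST / sequence into one report per client."""
    report: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        for r in reasons(rec):
            report[rec["ip"]].add(r)
    for ip in env_then_post(records):
        report[ip].add("GET /.env then POST /")
    return dict(report)


if __name__ == "__main__":
    for ip, flags in flagged_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:35} {', '.join(sorted(flags))}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. The sequence check is deliberately order-based rather than time-window-based: the thread's reports show the POST following the GET within a second or two, but a scanner that pauses between the two requests would still be caught, while a legitimate visitor who only ever POSTs a form to a path other than / is not.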