Spammy HTTP requests?

3 times today, all different IPs, but similar pattern

ms348work

9:56 pm on Jan 15, 2008 (gmt 0)

10+ Year Member



Hi all

I don't know how to explain this best, but I'll give it my best shot.

Basically, I have noticed what appears to be a bot of some sort making strange HTTP requests to my website.

I have noticed that it fills the querystring portion of certain internal links on my website. For example, I have a general redirect.php script, which is passed an id in the querystring, e.g. redirect.php?id=link-1. But the bot is filling the id with its own string. They are always random URLs.

This has happened at 3 different times of the day today, all exhibiting this same behaviour. Another strange thing is that the IP addresses were random on each of the 3 occasions.

The User Agent appears to be valid in all cases. Here are a couple of lines from the raw http log:

<IP Address> - - [15/Jan/2008:18:36:14 +0000] "GET /myfile.php?status=<Some random URL>&key=<Valid string, left intact> HTTP/1.1" 200 19875 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
<IP Address> - - [15/Jan/2008:18:36:14 +0000] "GET /myfile.php?status=<Valid string, left intact>&key=<Some random URL> HTTP/1.1" 200 10009 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

Has anyone encountered a problem like this? In the past, I've blocked certain IP addresses using .htaccess, but I'm not sure what to do about these.

Many thanks

lammert

12:04 am on Jan 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



These bots could either try to execute a remote script on your server to try to hack your server (if the URL they provide points to a valid hostname), or they try to do a redirect via your script to hide some activity. In that case they are using you more or less like a proxy. I don't know your configuration or what type of scripts you use, but IMHO it is safe to block these IPs. They are not visiting your site because they like your content.

ms348work

9:16 am on Jan 16, 2008 (gmt 0)

10+ Year Member



Thanks for responding. I will probably just block them for now and see how it goes.

Jay_Levitt

12:41 pm on Jan 16, 2008 (gmt 0)

10+ Year Member



Keep in mind that if it is a botnet (and it probably is), blocking those IPs is pretty futile; all you're doing is blocking the dynamic IP address which some computer happened to be assigned to at the moment it happened to be compromised.

Tomorrow, that IP will belong to somebody else. Next month, that guy's computer will be cleaned up when he buys a Mac. ( :) ) Either way, all you're doing is cutting off potential access to your web site, and swatting flies.

If your web site is secure, those attempts at redirects will not have any effect other than an error in the logs; if it's not secure, someone's gonna find a way in from an IP you haven't blocked yet. I'd make sure it's secure, and ignore them.

ms348work

12:47 pm on Jan 18, 2008 (gmt 0)

10+ Year Member



Thanks, that's a good point.

In terms of my website being secure, what kinds of things are you referring to?

Best regards

Jay_Levitt

2:48 pm on Jan 19, 2008 (gmt 0)

10+ Year Member



Well, there's an endless list of things you could do to become ever more secure, but for starters:

* Since you know they're trying to use you for redirects, make sure that that doesn't work

* If you control the base software on your server (Apache, OpenSSL, PHP, etc), make sure it's up-to-date with all the latest patches for your distro

* If you've written any scripts that take user input, make sure it's properly sanitized before you use it. Depending on what language you're in, that usually means things like removing HTML tags, and making sure that everything is properly quoted, so that a user can't enter a first name of "DROP DATABASE movabletype;" and have it do that.

* Read up on things like "SQL injection", "XSS" (cross-site scripting), and "CSRF" (cross-site request forgery), and follow best practices when you write code

* Make sure you never assume any data coming from the client is trustworthy. Don't assume that, just because they asked for page 26, that they in fact have access to page 26, because if they didn't "they couldn't have seen it on the menu". Remember that they can easily control every single byte they send to you. Assume they're lying.
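As an added example (not code from the thread or from the original poster's site), here is what the first and last bullets above look like when applied to the redirect.php the original poster described: the id from the query string is only ever used as a key into a server-side table, so a URL supplied in place of an id can never become the Location header. The table contents, the id syntax and the use of error_log for the rejected values are assumptions made for the example.

```php
<?php
// Added example: a redirect.php that resolves ?id= against a server-side
// table instead of trusting the query string. Table contents are assumed.

// Server-side map of known link ids to destinations. Only these are ever used.
const REDIRECT_TABLE = [
    'link-1' => 'https://example.com/partner-one',
    'link-2' => 'https://example.com/partner-two',
];

/**
 * Resolve a link id to a destination URL, or return null if the id is not
 * a known key. The id itself is never interpreted as a URL.
 */
function resolveRedirect(string $id): ?string
{
    // Tight syntax check first: ids are short, lowercase, digits or dashes.
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $id)) {
        return null;
    }
    return REDIRECT_TABLE[$id] ?? null;
}

/**
 * True when a raw query-string value looks like an absolute URL, which is
 * the pattern the original poster saw. Used here only to label log entries.
 */
function looksLikeUrl(string $value): bool
{
    return (bool) preg_match('#^\s*[a-z][a-z0-9+.-]*://#i', $value);
}

// --- request handling ------------------------------------------------------
$id     = (string) ($_GET['id'] ?? '');
$target = resolveRedirect($id);

if ($target === null) {
    // Record the rejected value so the pattern stays visible in one place.
    error_log(sprintf(
        'redirect.php: rejected id from %s (%s): %s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        looksLikeUrl($id) ? 'url-shaped' : 'unknown id',
        substr($id, 0, 200)
    ));
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Unknown link.\n";
    exit;
}

// Known id: send the browser to the table entry, never to client-supplied text.
header('Location: ' . $target, true, 302);
exit;
```

Because the client-supplied value is only compared against the table, it makes no difference whether the bot sends a URL, a path, or anything else: every unknown value gets the same 400 response, and the rejected values are logged in one place where they are easy to count.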

ms348work

7:06 pm on Jan 19, 2008 (gmt 0)

10+ Year Member



Ok thanks for the tips.

If it's of any help, I should point out that the bot making the HTTP requests is not just accessing the redirect script. It is going through many pages from my website.

It's weird: the HTTP requests, mostly in the same second, are all from the same IP in that session but with rotating (valid) user agent names!
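As an added example (not code from the thread), here is a small PHP command-line scanner for the two patterns described in this thread: the first post's log lines, where a query-string value is itself an absolute URL, and the observation just above, where one IP sends requests in the same second under several different User-Agent strings. The log lines embedded in the script are constructed for the example (TEST-NET addresses, made-up paths), and the combined-log regular expression assumes the default Apache "combined" format.

```php
<?php
// Added example: scan Apache combined log lines for
//   1. query-string values that are absolute URLs, and
//   2. one client IP using several User-Agents within the same second.
// SAMPLE_LOG is constructed for the example; a real run would read a file.

const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [15/Jan/2008:18:36:14 +0000] "GET /myfile.php?status=http://203.0.113.9/x.txt&key=abc123 HTTP/1.1" 200 19875 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [15/Jan/2008:18:36:14 +0000] "GET /myfile.php?status=ok&key=http://203.0.113.9/y.txt HTTP/1.1" 200 10009 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.11"
198.51.100.7 - - [15/Jan/2008:18:36:14 +0000] "GET /about.php HTTP/1.1" 200 5120 "-" "Opera/9.25 (Windows NT 5.1; U; en)"
192.0.2.44 - - [15/Jan/2008:18:40:02 +0000] "GET /redirect.php?id=link-1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
LOG;

/** Parse one combined-format line into its fields, or return null if it does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/** Return the query-string parameters (name => value) whose value is an absolute URL. */
function urlValuedParams(string $target): array
{
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($target, $pos + 1), $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

/** Scan log text and return both kinds of finding. */
function scanLog(string $logText): array
{
    $urlParams        = [];  // one entry per request carrying a URL-shaped value
    $agentsPerIpSecond = []; // "ip|timestamp" => set of user agents seen
    foreach (preg_split('/\R/', trim($logText)) as $line) {
        $rec = parseLogLine($line);
        if ($rec === null) {
            continue;
        }
        $hits = urlValuedParams($rec['target']);
        if ($hits !== []) {
            $urlParams[] = ['ip' => $rec['ip'], 'time' => $rec['time'], 'params' => $hits];
        }
        $agentsPerIpSecond[$rec['ip'] . '|' . $rec['time']][$rec['ua']] = true;
    }
    $rotatingAgents = [];
    foreach ($agentsPerIpSecond as $key => $agents) {
        if (count($agents) > 1) {
            $rotatingAgents[$key] = array_keys($agents);
        }
    }
    return ['url_params' => $urlParams, 'rotating_agents' => $rotatingAgents];
}

$result = scanLog(SAMPLE_LOG);
foreach ($result['url_params'] as $hit) {
    printf("%s [%s] URL in query param(s): %s\n",
           $hit['ip'], $hit['time'], implode(', ', array_keys($hit['params'])));
}
foreach ($result['rotating_agents'] as $key => $agents) {
    [$ip, $time] = explode('|', $key, 2);
    printf("%s [%s] %d different User-Agents within one second\n", $ip, $time, count($agents));
}
```

On the constructed sample the first two lines are reported for URL-shaped values in status and key respectively, and 198.51.100.7 is reported for three different User-Agents within the same second; the single redirect.php?id=link-1 request from 192.0.2.44 is not flagged. Grouping by IP and timestamp rather than by User-Agent is the point: the rotating agents are what make the requests look like separate visitors in a per-agent view.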

jake66

8:49 am on Jan 26, 2008 (gmt 0)

10+ Year Member



Found this tip on another board:

// redirect attempted remote file include exploits
// (looks for a URL scheme anywhere in the raw, lower-cased query string)
if (strpos(strtolower($_SERVER['QUERY_STRING']),'http:')!== false){
    header("Location: http://www.somereallynastyssite.com");
    exit;
}

By putting this on the main include page of your site, it redirects these bots to a site they'll probably find undesirable :) Should also prevent their rubbish from wasting space in your logs.

I used to have these types of bots/people trying to get their stuff into my cache folders. Haven't gotten a single request since applying this code.

Frank_Rizzo

10:49 am on Jan 26, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mod_security will stop these attacks and much more.

It's very easy to install and configure (try the jasontlitka.com rpm).