WEIRD Bots/User in Logs

Is this anything to be worried about?

         

AprilS

7:56 pm on May 21, 2004 (gmt 0)


I've been noticing the weirdest thing in our logs today. It seems like almost all of the people/bots have URLs as their name.

HTTP/1.1" 200 0 "http:example.com/?page=domain_multiple&session_id=ugmimbwzixitwdko" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"

HTTP/1.1" 200 0 "http:example.it/coaching/how.html" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"

HTTP/1.1" 200 0 "http:example2.com?page=domain_multiple&session_id=ugmimbwzixitwdko" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"

HTTP/1.1" 200 0 "http:example3.comfiles/searchresults.html" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"

HTTP/1.1" 200 0 "http:example.de/map/index.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"

I could provide MANY more like these. Even though they are all showing different URLs... they all have the same IP Address. It is so weird because each one is going through all of our pages.

Has anyone seen anything like this... and do you know if it is a threat?

[edited by: tedster at 10:19 pm (utc) on May 21, 2004]
[edit reason] remove specifics [/edit]

bakedjake

8:23 pm on May 21, 2004 (gmt 0)


You're going to have those specifics snipped, might as well do it yourself.

It looks like referrer spam to me. A very popular, and useful, spam tool.

Either ban the IP, or go have a drink. Nothing you can do about it.

Romeo

8:34 pm on May 21, 2004 (gmt 0)


Hi AprilS,

This seems to be an obscure bot with a badly faked UA string [note the missing closing bracket "... (... Windows 98"] and using randomly chosen faked REFERERs.
In any case, if it has to hide this way, it is most likely not a legitimate bot.

A whois on the IP address can show the origin:
inetnum:
netname:
country:
descr:
admin-c:
tech-c:
person:
e-mail:
.....: and more information not shown here

You now could (1) ask this person about the purpose of his bot, or (2) just ban this nasty abuser.
To save your time I would suggest skipping step (1) [which would be wise in case this is a spam address harvesting bot] and just proceeding right to action (2) ... :-)

Regards,
R.

[edited by: tedster at 10:23 pm (utc) on May 21, 2004]
[edit reason] remove specifics [/edit]

AprilS

10:05 pm on May 21, 2004 (gmt 0)


Thank you Romeo and Bakedjake. That was a new one on me and I didn't understand why someone would even want to do that...but I just read up on "referrer spam" and now I understand.

For those that want to know... I was able to block by simply adding the following line to my .htaccess file (minus the quotes and with the actual IP address of course):

"Deny from ***.***.***.***"

Thanks again!

[edited by: tedster at 10:25 pm (utc) on May 21, 2004]
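
The two tells discussed in this thread (one IP sending many unrelated Referer hosts, and a User-Agent whose parenthesis never closes) can be checked mechanically. The following is an added example, not code from any poster in the thread; it assumes Apache combined log format, and the sample log, the host names, the `min_hosts` threshold and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ '
                     r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log (documentation IP ranges and .example hosts, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/2004:19:40:01 +0000] "GET / HTTP/1.1" 200 0 "http://spam-a.example/?page=1" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"
192.0.2.10 - - [21/May/2004:19:40:02 +0000] "GET /about.html HTTP/1.1" 200 0 "http://spam-b.example/coaching/how.html" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"
192.0.2.10 - - [21/May/2004:19:40:03 +0000] "GET /contact.html HTTP/1.1" 200 0 "http://spam-c.example/map/index.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98"
198.51.100.7 - - [21/May/2004:19:41:10 +0000] "GET / HTTP/1.1" 200 4096 "http://search.example/?q=widgets" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [21/May/2004:19:41:30 +0000] "GET /about.html HTTP/1.1" 200 5120 "http://www.site.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def referer_host(ref):
    """Host of a Referer header, or None when it is empty, '-' or unparsable."""
    try:
        return urlsplit(ref).hostname
    except ValueError:
        return None

def find_referrer_spam(lines, own_host, min_hosts=3):
    """Map each IP that sent >= min_hosts distinct external referer hosts to its evidence."""
    hosts, bad_ua = defaultdict(set), defaultdict(bool)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        host = referer_host(m["ref"])
        if host and host != own_host:
            hosts[m["ip"]].add(host)
        # The tell noted in the thread: "(... Windows 98" never closes its parenthesis.
        bad_ua[m["ip"]] |= m["ua"].count("(") != m["ua"].count(")")
    return {ip: {"referer_hosts": sorted(h), "malformed_ua": bad_ua[ip]}
            for ip, h in hosts.items() if len(h) >= min_hosts}

def deny_lines(report):
    """Render one .htaccess 'Deny from' line per flagged IP."""
    return [f"Deny from {ip}" for ip in sorted(report)]

if __name__ == "__main__":
    report = find_referrer_spam(SAMPLE_LOG.splitlines(), own_host="www.site.example")
    for ip, evidence in report.items():
        print(ip, evidence)
    print("\n".join(deny_lines(report)))
```

The second visitor in the sample arrives from one search engine and then browses internally, so it stays below the threshold and is not flagged.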