|
Author: G.Jennings (21 Apr 13 9:48am)
This is about a known bot that varies it's IP addresses but uses the same User Agent. Just thought I'd share.
I have a website with three things on it: 1) a static (HTML) main page; 2) a PHP blog (my own code); and 3) a PHP page that allows comments.
The latter page, due to a mistake, allowed HTML in the comments by any visitor (no registration, no cookies, no javascript) the code was supposed to strip all HTML tags. Except the one time I made a code mistake! and a comment spammer happened to come along and tested the form. The logs show it clearly. The page was read, a POST was made, the page was read -- the spammer obviously read back it's spam -- and 99 spam comments were posted in a matter of minutes. All from different IP addresses... but with the same UA.
It looked like the spammer moved on, then, as the POSTs stopped. But no. The spammer invited "friends" to read that page. That page with the spammer's spam -- all porno links -- kept getting hundreds of reads for two days, that's how I discovered it.
(In an odd coincidence, the PHP mistake was made day one, the spammer detected it day two, and I detected them day four.)
I fixed the code. And I ban all reads by that User Agent.
It is now ten days later and that page it still getting reads by bots -- always with different IP addresses but with that same UA -- and they are all issued 404s, yet still they come!
In addition, my static HTML page, every once in a while, gets multiple reads with differing referrers, but with that same UA. (Nine within 3 seconds with 4 different referrers for example.)
(In a perhaps related thing is that my base site, '/', gets read, every once in a while, three times in a row with an odd referrer using an odd (uncommon and old) UA. Very strange and obviously looking for an exploit.)
|
Welcome to Project Honey Pot | Login