Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 01:32 pm EDT

Geeklog Forums

Strange Bot Attack?


Status: offline

jmatt

Forum User
Junior
Registered: 01/06/03
Posts: 30
Location:Tatertown, KY, USA
I installed the Bad Behavior plugin yesterday. It didn't take long for it to start working. It caught a trackback spammer this morning. It caught something very strange yesterday.

I got hit with about 600 requests over a span of about 6 minutes (a fairly high rate for my piddly little site). Bad Behavior rejected them for the reason
Connection: TE present, not supported by MSIE

The headers looked like:

GET /blog/article.php?story=20030413215754388 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: keep-alive, TE, close
Accept: */*
Accept-Language: en
Authorization:
Host: jmatt.net
Referer: http://jmatt.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

A sample server log entry is:
24.218.99.188 - - [13/Mar/2006:19:11:06 -0500] "GET /blog/article.php?story=20030413215754388 HTTP/1.1 " 412 2712 "http://jmatt.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

One thing that's curious is the string of blanks (or nulls or unprintable characters) in the request in the log entry.

This was some kind of distributed attack. The requests came from a bunch of different IPs. I haven't done any precise counting, but for the few entries that I looked at, search showed 5-10 hits from that IP, so there may have been 50-100 different IPs involved.

I know the Bulgarians use this kind of distributed system. I haven't checked to see if any of these IPs are the same as ones they have used earlier. If it is them, I can't figure out what they're trying to do. It's not their typical referrer spam attack, since the referrer entry was my own host name. A few of the entries were comment.php requests, but most of them weren't, so it probably wasn't comment spam.

Has anybody else seen anything like this? Does anybody have any clue what this bot might have been trying to do?

 Quote

All times are EDT. The time is now 01:32 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content