mozilla

What will they think of next?


lucy24

9:09 pm on Jul 25, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Over the span of a couple of hours, three sites were swept by a flurry of page-only requests. All different IPs, all different UAs--except that the entire thing, whatever it happened to be, was lower-case: chrome, firefox, ios and so on. As it happens, one of the three sites has a handful of elderly pages in CamelCase, which were correctly requested. So the mis-casing is limited to the Name Your Robot script, for which I devoutly hope they paid through the nose.

On the two smaller sites they got all pages; on my “real” site they apparently got tired after a few dozen--although they did come back the next day to request robots.txt twice.

Looking back over logs and headers, I find a scattered handful of lower-case requests, rarely more than one a day, all blocked due to a simple header deficit.

The latest addition to my shared htaccess is thus
BrowserMatch ^mozilla bad_agent=lowercase
So if they come back to my main site to try to steal the rest of the horses, they will be SOL. Good sturdy padlock.

Like I said: What will they think of next?

SumGuy

1:11 am on Jul 29, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month

Post some IP's. I want to get an idea where this sort of stuff comes from.

lucy24

4:19 am on Jul 29, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Post some IP's.

Nothing to post, or I would have done so. There are literally no two from the identical IP, rarely even from the same range, so we’re talking botnet. Some from the Usual Suspects such as AWS or Google Fiber, but others from IPs I don’t remember seeing before.

Looking up a few at random, I find quite a few involving GeekyWorks, whoever the heck that is. (Quick google tells me they're based in, of all places, Pune, though the IPs are scattered across the US.)

That’s why I focused on the identifiable component of the UA instead.

I further find that the only attempts after I blocked them by name have been for robots.txt, where they got--or should have got--the minimalist Disallow Everything doled out to bad_agent.

Pfui

1:00 pm on Aug 10, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Here are the lowercase-fakers' IPs I've seen (including the much-despised HostRoyale which is tic-like in its hosted exploits' tenacity). All four hits were botnet-like and within the same approx. two hour period in late July. In order of appearance:

Dino Solutions
Hit #1 (the OG of lowercase)
66.56.92.7x
mozilla/5.0 (linux; android 7.1.1; xperia build/nde63x) applewebkit/533.14 (khtml, like gecko) chrome/55.0.1761.330 mobile safari/600.0

Hit #2 (1 minute later)
66.56.89.9x
mozilla/5.0 (compatible; msie 10.0; windows nt 6.2; trident/6.0)

US Net
Hit #3 (15 minutes later)
198.240.74.14x
mozilla/5.0 (macintosh; u; intel mac os x 7_1_1) gecko/20130401 firefox/60.1

HostRoyale
Hit #4 (2 hours later)
162.251.137.25x
mozilla/5.0 (windows; windows nt 10.0; win64; x64) applewebkit/601.33 (khtml, like gecko) chrome/52.0.2663.335 safari/534.8 edge/11.24815

(so the question remains: was the coder lazy or just stupid?)

lucy24

5:50 pm on Aug 10, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

was the coder lazy or just stupid?

Never attribute to laziness that which can be adequately explained by ... Oh, whoops, that’s not how the saying goes, is it.

Possibly both, if the botrunner thought you had to manually type in each bogus UA string, as opposed to copy-and-pasting off a list.

Sandros

11:23 pm on Aug 10, 2024 (gmt 0)

(so the question remains: was the coder lazy or just stupid?)

Just a lazy guy, I think, too. :)

Kendo

12:15 am on Aug 11, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Post some IP's

May be a waste of time. A current test that I am running to discover who hits new domains has shown that there were not as many unique visitors as first thought. After the first hit a few kept returning using rotated IP addresses, same churn of requests over and over again, most likely using TOR or a VPN.

Dropping a cookie for their browser might help identify them.

lucy24

2:02 am on Aug 11, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

After the first hit a few kept returning using rotated IP addresses, same churn of requests over and over again, most likely using TOR or a VPN.

How do you identify them as the same visitors? I don’t see a lot of bots using cookies.

Kendo

11:42 am on Aug 13, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

How do you identify them

Identical user-agent and sequence of requests.
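Two checks from this thread can be run offline against a log file: lucy24's `BrowserMatch ^mozilla bad_agent=lowercase` rule (mod_setenvif's BrowserMatch is a case-sensitive regex, so it catches the all-lowercase fakes without touching a real "Mozilla/5.0" browser) and Kendo's way of spotting one visitor behind rotated IPs (identical user-agent plus identical request sequence). The script below is an added example, not code from any poster; it parses Apache "combined" format lines. The log lines are constructed for the example using documentation IP ranges, with the lowercase UA strings taken from Pfui's post; the function names are the example's own.

```python
"""Flag lowercase-"mozilla" user agents and cluster rotated-IP visitors.

Added example (not from the thread).  Input: Apache "combined" log lines.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same semantics as `BrowserMatch ^mozilla`: BrowserMatch is case-sensitive
# (BrowserMatchNoCase is the insensitive variant), so "Mozilla/5.0 ..." from a
# genuine browser does not match, only the all-lowercase fakes do.
LOWERCASE_MOZILLA = re.compile(r'^mozilla')

# Constructed sample log (not real traffic).  IPs are from the documentation
# ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.  Note the fakes
# request pages only, while the real browser also fetches the stylesheet.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jul/2024:20:01:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "mozilla/5.0 (compatible; msie 10.0; windows nt 6.2; trident/6.0)"
192.0.2.10 - - [25/Jul/2024:20:01:12 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "mozilla/5.0 (compatible; msie 10.0; windows nt 6.2; trident/6.0)"
203.0.113.5 - - [25/Jul/2024:20:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0"
203.0.113.5 - - [25/Jul/2024:20:02:41 +0000] "GET /style.css HTTP/1.1" 200 880 "http://example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0"
198.51.100.7 - - [25/Jul/2024:20:15:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "mozilla/5.0 (compatible; msie 10.0; windows nt 6.2; trident/6.0)"
198.51.100.7 - - [25/Jul/2024:20:15:04 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "mozilla/5.0 (compatible; msie 10.0; windows nt 6.2; trident/6.0)"
192.0.2.44 - - [26/Jul/2024:09:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "mozilla/5.0 (macintosh; u; intel mac os x 7_1_1) gecko/20130401 firefox/60.1"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_bad_agent(ua):
    """Mirror `BrowserMatch ^mozilla bad_agent=lowercase` (case-sensitive)."""
    return bool(LOWERCASE_MOZILLA.match(ua))


def lowercase_hits(records):
    """Every (ip, path, ua) the htaccess rule would have tagged bad_agent."""
    return [(r["ip"], r["path"], r["ua"]) for r in records if is_bad_agent(r["ua"])]


def rotated_ip_clusters(records):
    """Kendo's fingerprint: group IPs that share an identical UA *and* an
    identical ordered request sequence.  Returns {(ua, paths): [ips]} for
    every fingerprint seen from two or more IPs."""
    seq_by_ip = defaultdict(list)            # (ua, ip) -> ordered paths
    for r in records:
        seq_by_ip[(r["ua"], r["ip"])].append(r["path"])
    clusters = defaultdict(list)
    for (ua, ip), paths in seq_by_ip.items():
        clusters[(ua, tuple(paths))].append(ip)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, path, ua in lowercase_hits(recs):
        print(f"bad_agent=lowercase  {ip:<14} {path:<12} {ua}")
    for (ua, paths), ips in rotated_ip_clusters(recs).items():
        print(f"same visitor? ips={ips} paths={paths}\n  ua={ua}")
```

On the sample log the first pass tags five requests (the two rotated IPs plus the later robots.txt fetch) and leaves the real Firefox visit alone; the second pass pairs 192.0.2.10 with 198.51.100.7 because both sent the same lowercase MSIE string and the same index-then-about sequence. Against a real log the clustering key deserves more than the bare path list (timing between requests, absence of asset fetches), since two genuine visitors can also share a UA and land on the same two pages.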