in Meddling, MT.Net |

Unknown bot detected

This morning I was looking through the webserver logs for MT.Net when I noticed the following three successive hits from yesterday:

91.120.21.161 – – [24/Sep/2009:07:34:15 -0400] “GET /category/Checking%20In/ HTTP/1.1” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
24.77.243.153 – – [24/Sep/2009:07:34:17 -0400] “GET /category/Checking%20In/ HTTP/1.0” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
200.43.232.165 – – [24/Sep/2009:07:34:22 -0400] “GET /category/Checking%20In/ HTTP/1.0” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

Highly suspicious, right? Three different IPs hit the same obscure link at the same time, all with identical browser strings?

Then there were these hits from this morning:

77.94.32.33 – – [25/Sep/2009:06:42:14 -0400] “GET /2009/09/22/ HTTP/1.0” 200 15894 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
77.94.32.33 – – [25/Sep/2009:06:42:27 -0400] “GET /2009/09/23/ HTTP/1.0” 200 17625 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
77.94.32.33 – – [25/Sep/2009:06:42:34 -0400] “GET /wp-login.php?action=register HTTP/1.0” 200 4141 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
190.175.0.151 – – [25/Sep/2009:06:43:09 -0400] “GET /wp-login.php?action=register HTTP/1.1” 200 4141 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”


One IP apparently spiders the site, then tries to register. The other comes out of nowhere and also tries to register. In fact, the first hit the 190 IP ever had on my website was the register link – very suspicious! I’m either seeing an anonymizer or some unknown, unidentified bot with unknown intentions.

I don’t mind bots spidering my site but I do mind when they do not identify themselves as such. Hell, I don’t even mind people using an anonymizer to read my blog, but jumping straight to the register link leads me to believe this visit was less than cordial.

For now I’ve banned most of the IPs involved with this little caper but it might be smart for others to keep an eye out for these kinds of tricks.

Published