MSN now snooping anonymously

In a very strange occurrence, my website got visited by what appears to be an MSN spider that didn't identify itself (note the bare "Mozilla/4.0" user agent on the lines below):

65.55.231.117 - - [22/Oct/2009:10:02:07 -0400] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/4.0"
65.55.231.117 - - [22/Oct/2009:10:02:07 -0400] "GET /wp-content/uploads/2009/10/oculan-screenshot-300x230.png HTTP/1.1" 200 120896 "-" "Mozilla/4.0"
65.55.210.80 - - [22/Oct/2009:10:02:20 -0400] "GET /page/2/?q=node%2F1699 HTTP/1.1" 200 29922 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.230.228 - - [22/Oct/2009:10:08:13 -0400] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/4.0"
65.55.230.228 - - [22/Oct/2009:10:08:13 -0400] "GET /2009/10/15/big-names-in-sources-of-suspicious-traffic/ HTTP/1.1" 200 10502 "-" "Mozilla/4.0"

65.55.230.228 resolves to msnbot-65-55-230-228.search.msn.com. 65.55.231.117 is a Microsoft address but doesn't have a reverse DNS entry.

Just to make sure someone wasn't spoofing the MSN namespace, I checked the whois records for these hosts. Sure enough, they belong to Microsoft.
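Whois tells you who owns an address; it does not tell you that the owner uses that address for its crawler. The check a practitioner wants is forward-confirmed reverse DNS: look up the PTR record, require the name to end in the suffix the search engine publishes for its crawlers, then resolve that name forward and require the original address to come back. The following is an added example and not code from the original post. The only published suffix it knows, search.msn.com, is taken from the PTR record quoted above; the lookup functions are parameters so the logic can be exercised offline against constructed data (the TEST-NET addresses and impostor names below are made up for that purpose).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a self-identified crawler.

Added example; not code from the original post.  The lookup callables are
parameters so the logic can be exercised offline against constructed data;
called without them it uses the system resolver through the socket module.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hostname suffix that the operator publishes for its crawler hosts.  The
# search.msn.com suffix is the one seen in the PTR record quoted above; any
# further operators you add here are your own assumption about their ranges.
TRUSTED_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "msnbot": ("search.msn.com",),
}


def _system_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _system_forward(host: str) -> List[str]:
    """All addresses a hostname resolves to; empty when it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def verify_crawler(
    ip: str,
    claimed: str,
    ptr_lookup: Callable[[str], Optional[str]] = _system_ptr,
    forward_lookup: Callable[[str], List[str]] = _system_forward,
) -> Tuple[str, str]:
    """Return (verdict, detail).

    verdict is 'verified' only when the PTR name ends in a published suffix
    AND resolves forward to the same address.  Whoever controls the reverse
    zone for an IP can put any name in its PTR; they cannot make the
    operator's forward zone answer with their address, which is why the
    second step matters.
    """
    suffixes = TRUSTED_SUFFIXES.get(claimed)
    if not suffixes:
        return "unknown-crawler", f"no published suffixes for {claimed!r}"
    name = ptr_lookup(ip)
    if not name:
        # Ownership per whois is not enough: the 65.55.231.117 case above is
        # an operator-owned address that the operator does not publish as a crawler.
        return "no-ptr", f"{ip} has no PTR record"
    name = name.rstrip(".").lower()
    if not any(name == s or name.endswith("." + s) for s in suffixes):
        return "wrong-domain", f"PTR {name} is outside {', '.join(suffixes)}"
    if ip not in forward_lookup(name):
        return "no-forward-match", f"{name} does not resolve back to {ip}"
    return "verified", f"{ip} <-> {name}"


# Constructed DNS data mirroring the post: a genuine msnbot host, a Microsoft
# address with no PTR, and (on TEST-NET addresses) an impostor whose PTR
# claims the msn.com namespace but whose forward record disagrees, plus a
# host whose PTR is outside the namespace altogether.
FAKE_PTR = {
    "65.55.230.228": "msnbot-65-55-230-228.search.msn.com",
    "203.0.113.9": "msnbot-203-0-113-9.search.msn.com",
    "198.51.100.7": "crawler.example.net",
}
FAKE_FORWARD = {
    "msnbot-65-55-230-228.search.msn.com": ["65.55.230.228"],
    "msnbot-203-0-113-9.search.msn.com": ["198.51.100.7"],
    "crawler.example.net": ["198.51.100.7"],
}


def check_offline(ip: str, claimed: str = "msnbot") -> Tuple[str, str]:
    """verify_crawler against the constructed data above (no network)."""
    return verify_crawler(ip, claimed, FAKE_PTR.get, lambda h: FAKE_FORWARD.get(h, []))


if __name__ == "__main__":
    for addr in ("65.55.230.228", "65.55.231.117", "203.0.113.9", "198.51.100.7"):
        verdict, detail = check_offline(addr)
        print(f"{addr:<16} {verdict:<17} {detail}")
```

Run as-is it exercises the constructed data; call verify_crawler(ip, "msnbot") with no resolver arguments to check a live address. Note that the address with no PTR fails even though whois says Microsoft, which is the right outcome: a host the operator has not published as a crawler should not inherit the crawler's privileges (for instance, a robots.txt exemption or a pass through rate limiting).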

Another mystery bot example

Here’s another example of bizarre hits. Two hits for this six-year-old page coming in within 30 minutes of each other:

138.162.8.57 - - [15/Oct/2009:12:12:16 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

[snip]

138.163.106.72 - - [15/Oct/2009:12:44:33 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

The first resolves to gate2-jacksonville.nmci.navy.mil and the second resolves to gate2-bremerton.nmci.navy.mil. It looks like there’s a full-scale botnet attack going on behind the DoD firewalls right now.

More clues in the government botnet mystery

The plot thickens in the government botnet mystery I recently wrote about. This morning I got hits from the Navy-Marine Corps Intranet (NMCI), specifically a host identified as gate3-norfolk.nmci.navy.mil:

Again, it started off innocently with a Google search, with the browser properly identified:

138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

A few more hits down, I see the random jumping around I’d seen before:

138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"
138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"
138.162.0.45 - - [15/Oct/2009:08:36:31 -0400] "GET /2008/12/18/progress/feed/ HTTP/1.1" 200 1973 "-" "Mozilla/4.0 (compatible;)"

My site is apparently being indexed by computers on a government-run network, but the question is exactly what is indexing it? Is this some sort of proxy technology that government gateways are now using, sampling websites that government users are viewing to ensure that these websites don’t have questionable content? Or, is this a botnet of compromised government computers as I recently suggested? Or (tinfoil hats, please), is this a secret spidering project run by a three-letter agency that uses the gateways of various government departments as cover?

The bottom line is these hits are inconsistent with a human browser. Beyond that I’m not sure what to make of them.

U.S. Government networks thoroughly penetrated

I saw this in my webserver logs today, from the U.S. Nuclear Regulatory Agency. Clearly it’s a botnet bot.

148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /wp-content/themes/mtdotnet/images/kubrickfooter.jpg HTTP/1.1" 200 2443 "http://www.markturner.net/2009/10/01/michael-jordans-net-worth/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/oculan-in-the-news/feed/ HTTP/1.1" 200 797 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/u2-yesterday-and-today/ HTTP/1.1" 200 6617 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/juggling-breakthrough/feed/ HTTP/1.1" 200 2083 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/netflixs-plan-to-take-over-the-world/ HTTP/1.1" 200 6419 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2009/10/02/u2-yesterday-and-today/feed/ HTTP/1.1" 200 1375 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2003/07/27/action-packed-weekend/feed/ HTTP/1.1" 200 1260 "-" "Mozilla/4.0 (compatible;)"

Michael Jordan’s net worth

For some reason, MT.Net has been deluged with Yahoo searches for “Michael Jordan’s net worth.” This leads folks to my earlier musing about the legends surrounding Jordan.

Yahoo is running this story on their front page about His Airness buying a rather large house in Jupiter, Florida. There is a tiny link under the headline “Michael Jordan’s Costly Mansion” that runs the search. So essentially MT.Net is one step away from being linked to from Yahoo’s home page.

(And for those of you who were wondering, Michael Jordan’s net worth is estimated to be somewhere north of $400 million.)

Botnet

It’s definitely a botnet I’m seeing. Since it has a common HTTP_USER_AGENT I have banned that agent. If you’re a human and you’re still using IE6, you’re out of luck, dude.

Unknown bot detected

This morning I was looking through the webserver logs for MT.Net when I noticed the following three successive hits from yesterday:

91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Highly suspicious, right? Three different IPs hit the same obscure link at the same time, all with identical browser strings?

Then there were these hits from this morning:

77.94.32.33 - - [25/Sep/2009:06:42:14 -0400] "GET /2009/09/22/ HTTP/1.0" 200 15894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:27 -0400] "GET /2009/09/23/ HTTP/1.0" 200 17625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:34 -0400] "GET /wp-login.php?action=register HTTP/1.0" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.175.0.151 - - [25/Sep/2009:06:43:09 -0400] "GET /wp-login.php?action=register HTTP/1.1" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
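The traits that make hits like these, and the NMCI and NRC bursts in the posts above, inconsistent with a human browser can be checked mechanically rather than by eye: a truncated user agent such as "Mozilla/4.0 (compatible;)" (a real IE6 string carries an MSIE token and a platform after the semicolon), several unrelated addresses fetching the same obscure URL within seconds of each other, and a simultaneous fan-out of referer-less requests from neighbouring gateway addresses. The following is an added example and not code from the original posts: a parser for Apache combined-format lines plus three detectors, run over sample lines constructed to mirror the ones quoted above. The thresholds (three addresses, 30-second and 2-second windows) are my own choices, not anything the posts state.

```python
"""Log triage for the non-browser traits discussed above.

Added example; not code from the original posts.  Parses Apache combined-format
lines and applies three detectors.  Thresholds are my own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, modelled on the lines quoted in the posts above: three
# addresses fetching one obscure 404 URL within seconds, and a same-second
# fan-out of truncated-UA requests from neighbouring 138.162.0.x addresses
# right after a normally identified browser hit from the same gateway.
SAMPLE_LOG = """\
91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?q=police+protective+fund" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"
138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"
"""

# A real IE6 string carries an "MSIE x.y" token and a platform after
# "compatible;"; these bare prefixes are what a client sends when it copies
# only the start of a browser string.
TRUNCATED_UAS = {"Mozilla/4.0", "Mozilla/4.0 (compatible;)"}


def parse_line(line):
    """One combined-format line -> dict with an aware datetime, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_truncated_ua(ua):
    return ua.strip() in TRUNCATED_UAS


def shared_path_hits(records, min_ips=3, window=timedelta(seconds=30)):
    """Paths fetched by >= min_ips distinct addresses inside one `window`."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    findings = []
    for path, hits in by_path.items():
        hits.sort(key=lambda r: r["ts"])
        for i, first in enumerate(hits):
            ips = {h["ip"] for h in hits[i:] if h["ts"] - first["ts"] <= window}
            if len(ips) >= min_ips:
                findings.append((path, sorted(ips)))
                break
    return findings


def ua_bursts(records, min_ips=3, window=timedelta(seconds=2)):
    """Referer-less requests with one UA from >= min_ips addresses inside `window`
    (the simultaneous fan-out from the NMCI gateway addresses)."""
    noref = sorted((r for r in records if r["referer"] == "-"), key=lambda r: r["ts"])
    findings, reported = [], []
    for i, first in enumerate(noref):
        group = [h for h in noref[i:] if h["ua"] == first["ua"] and h["ts"] - first["ts"] <= window]
        ips = {h["ip"] for h in group}
        # Skip sub-bursts already covered by an earlier, larger finding.
        if len(ips) >= min_ips and not any(ips <= seen for seen in reported):
            reported.append(ips)
            findings.append((first["ts"].isoformat(), first["ua"], sorted(ips)))
    return findings


def analyse(lines):
    """Run all three detectors over an iterable of raw log lines."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "truncated_ua_ips": sorted({r["ip"] for r in recs if is_truncated_ua(r["ua"])}),
        "shared_paths": shared_path_hits(recs),
        "bursts": ua_bursts(recs),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Feed it a real access log with analyse(open(path)) and tune the thresholds to the site's normal traffic. Two caveats follow from the posts themselves: a block rule keyed on the bare prefixes in TRUNCATED_UAS affects no real browser, whereas banning the full IE6 string (as the "Botnet" post below does) locks out genuine IE6 users; and gateway addresses such as the NMCI ones front many users, so distinct-IP counts behind them undercount and a Google-referred hit and a burst from the same /24 may still be different actors.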

MT.Net mystery solved

I think I solved the mystery I was seeing on MT.Net, so now I can tell you what happened.

I’m using the SABRE WordPress plugin to block bot users from wreaking havoc on the MT.Net blogosphere. Earlier this week, a supposed bot passed the SABRE math test, so I decided to crank up the CAPTCHA feature of SABRE to further weed out bots. (Now, I don’t know if it actually was a bot that registered or simply some bored Russian, but I wanted to see what the CAPTCHA did anyway.)

MT.Net maintenance ahead

I found an “unexpected inconsistency” with MT.Net today. Can’t go into details yet but I’ve been pondering it this afternoon and can’t think of any reason it should be occurring.

MT.Net may go dark briefly while I try a few things to fix it. Stay tuned.