Fake Baidu bot posing as normal user....

See IP blacklisted here: http://myip.ms/view/blacklist/3701146061/Blacklist_IP_220.155.1.205
Stumbled upon it in a harvester list.
See: http://www.projecthoneypot.org/ip_220.155.1.205
No flags here: http://urlquery.net/report.php?id=194060

polonus


Thanks for posting the info and links, Polonus!


Hi CharleyO,

Trying to inform about how to get information to support a sinkhole for users that pose as fake searchbots and also as content spammers.
Here we have a recent example from the Netherlands: 178.21.113.211 vps926.directvps dot nl Netherlands Unknown Spam Bot masking himself as a normal user 3 20 Sep 2012, 23:27
Host: vps926.directvps dot nl sniffs for IE using a browser check

/*@cc_on!@*/

, all other browsers will ignore this comment.

Is this IP on a blacklist? Yep. On the same range are comment spammers, like http://www.projecthoneypot.org/ip_178.21.113.43
and http://www.projecthoneypot.org/ip_178.21.113.138

polonus

Here we have an attack IP: http://hosts-file.net/?s=31.170.161.185
What is being performed from there, has been logged here: http://www.bizimbal.com/odb/details.html?id=977943
wp-content/plugins/botshell.txt attack, and spraed.txt, a consolidated flood attack.
Used as a server: http://www.plotip.com/ip/31.170.161.185

polonus

Here we see other offensive actions performed from this IP: http://www.bizimbal.com/odb/details.html?id=1242040
There, a backdoor exploit for a vulnerability under all pages of the Mystique theme is being probed…

Studying these logs for what they contain, security researchers will know actual Metasploit code is being exploited.
The website owner/admin should be made aware that the software is vulnerable to such attacks…
Bug dorks are guidelines for those that test these probes.
Web-security-savvy users should be aware of these TimThumb 2012 issues: http://sbcrew.wap.sh/bugs.txt

polonus

Here is an example of a bad bot IP, proximic-info-spider, see: http://www.mywot.com/en/scorecard/proximic.com?utm_source=addon&utm_content=popup-donuts
34 23.22.128.94 ec2-23-22-128-94.compute-1.amazonaws dot com USA Proximic Web Crawler - Website Extractor 1 24 Sep 2012, 07:04
See: http://www.botsvsbrowsers.com/ip/23.22.128.?/index.html & see: http://myip.ms/view/blacklist/387350622/Blacklist_IP_23.22.128.94

polonus