An Irish Botnet? Extremely strange and I have no idea what’s causing it.

Maybe someone might be able to enlighten me?

I’ve been observing some really strange behaviour while looking through my log files. Two posts that I put up a few months ago are getting a lot of traffic: 896 hits on one and 154 on the other in the past three days. Now that is not a lot of hits really, but I suppose it is for me. But it gets weirder than that.

All entries are HTTP GET requests, as one would expect, but no client ever fetches the entire post. It looks for all intents and purposes like a crawler or a spambot. But here is the really bizarre thing:

All the IP addresses are Irish: Eircom, Clearwire, BT and NTL. I can’t for the life of me figure it out. I’m 99% sure that they are all PCs compromised with malware and attempting to scrape content, mainly because every request has exactly the same user agent, in this case IE6. So is there an Irish-only botnet out there?

Here are a few examples:

BT: 79.97.XXX.XXX [29/May/2008:16:10:27 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"

Eircom: 86.44.XXX.XXX [29/May/2008:16:27:07 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"

Other blog entries are also being targeted in exactly the same manner as described above, although not as often yet. And the user agent always claims to be Windows NT 5.1;1813, which makes these requests fairly easy to identify. A quick grep of my blog’s log gives me 1616 results, and a grep of my main site’s logs returns 30; all 30 were from Irish IP addresses attempting to connect to my long-dead www.sweetnam.eu/blog URL.
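As an added example (not code from the original post), the grep above carried one step further in Python: it parses lines in the log format quoted above, keys on the "Windows NT 5.1;1813" token, and reports hits and distinct client addresses per path, plus the status codes the scanner received (the 301s that show it never follows through to the full post). The sample log, its 192.0.2.x/198.51.100.x addresses and the /2008/03/01/nct path are constructed; only the user-agent string and the first path come from the post.

```python
import re
from collections import Counter, defaultdict

# Access-log shape shown in the post: client IP, optional "- -" (ident/authuser),
# timestamp, request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?: \S+ \S+)? \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA_MARKER = "Windows NT 5.1;1813"  # token present in every suspect UA

def parse_line(line):
    """Return one log line's fields as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarise_scanner_hits(lines):
    """Profile marker-UA hits: per-path counts, distinct clients per path,
    status codes the scanner received, and how many lines were ordinary traffic."""
    hits, statuses, other = Counter(), Counter(), 0
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-matching lines rather than crash
        if SCANNER_UA_MARKER in rec["ua"]:
            hits[rec["path"]] += 1
            clients[rec["path"]].add(rec["ip"])
            statuses[rec["status"]] += 1
        else:
            other += 1
    return {
        "hits_by_path": dict(hits),
        "clients_by_path": {p: len(ips) for p, ips in clients.items()},
        "scanner_statuses": dict(statuses),
        "other_hits": other,
    }

# Constructed sample log: documentation-range IPs and a made-up second path;
# the UA string and the first path are the ones quoted in the post.
SAMPLE_LOG = """\
192.0.2.10 [29/May/2008:16:10:27 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
192.0.2.11 [29/May/2008:16:27:07 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
192.0.2.12 [29/May/2008:16:30:15 +0100] "GET /2008/03/01/nct HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
192.0.2.10 [29/May/2008:16:31:02 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
198.51.100.7 - - [29/May/2008:16:40:00 +0100] "GET /2008/02/16/spotted-on-daftie/ HTTP/1.1" 200 8192 "http://www.google.ie/search?q=daftie" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
""".splitlines()
```

Run `summarise_scanner_hits(SAMPLE_LOG)` over a real access log (one line per element) to see the same shape the post describes: many distinct client addresses, one user agent, and nothing but redirects.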

Very strange.

Update: I enlightened myself! From a little digging about, it appears that the AVG toolbar might be responsible.

http://www.webmasterworld.com/search_engine_spiders/3615360.htm

This actually stands to reason, as AVG includes a link checker for search engine results. All the pages that I am getting a lot of hits for appear on the first two pages of a search for those terms on google.ie.

I knew AVG was popular here, but not that popular! And the increasing traffic corresponds with AVG users being encouraged to update to the newly released version 8.

May 29th, 2008 | Posted in Blog, Curiosities, DSL, eircom, Networking, Security, Spam, Technical
  1. May 29th, 2008 at 20:42 | #1

    I noticed almost 1500 hits from that UA on inphotos.org today. 2376 yesterday. I think I’ll be blocking that UA soon.

  2. May 29th, 2008 at 20:43 | #2

    Ouch, 7498 today on ocaoimh.ie, over 10,000 hits yesterday. Nasty beggar.

  3. May 29th, 2008 at 23:18 | #3

    It’s a double-edged sword Donncha.

    If someone sees that result in their newly AVG-mangled search engine page and they click the link to your site, they will get a 403 error courtesy of AVG. So blocking it (which was my first instinct!) is not an option :(

    It is downright nasty behaviour by AVG.

    Personally it means that every person searching for ‘daft.ie’, ‘independence of the seas’, ‘nct’, ‘icon set’ etc. on their favourite search engine results in a hit on my server.

    Despite the fact that they may never actually visit my site at all. Or anyone’s site who appears in their search results. Ergo, AVG is now costing me money. There is an irony there as I have a Windows Domain and as a result I can’t run the free version of AVG!
