1

I have received 47 000 hits in the past couple of hours from a single domain. I researched FunWebProducts, but it seems to be some kind of a plugin. Not sure how this is possible?

89.70.25.120 - - [03/Sep/2012:07:19:12 +0200] "POST /user/login HTTP/1.0" 200 18127 "http://xxxyyyzzzsitename.com/user/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
89.70.25.120 - - [03/Sep/2012:07:19:13 +0200] "POST /user/login HTTP/1.0" 200 18127 "http://xxxyyyzzzsitename.com/user/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
89.70.25.120 - - [03/Sep/2012:07:19:14 +0200] "POST /user/login HTTP/1.0" 200 18127 "http://xxxyyyzzzsitename.com/user/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
giorgio79
  • That looks like a spam bot to me. It could be a brute force bot but I'd want to see more traffic to be sure. Whenever you see "MSIE 6.0" these days, it's nearly always a bot. – Ladadadada Sep 03 '12 at 06:13
  • How could we possibly know why *anyone* is flooding your server? – John Gardeniers Sep 03 '12 at 07:37
  • I am more curious why FunWebProducts would do such a thing. I guess if an individual wants a reason they will surely find one :D FunWebProducts looked like a legit product...I now understand this may have been a fake header for a spamcrapper. – giorgio79 Sep 03 '12 at 08:55

1 Answer

6

Don't ever trust the User-Agent string. It is ridiculously easy to fake.

And if you haven't banned that IP address already, go do it now.

Michael Hampton
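An added example, not part of the answer above: a detection pass over combined-format access logs that flags clients by source IP and login POST rate alone, never by User-Agent. The threshold (more than 20 POSTs per minute), the function names and the sample lines with documentation IPs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def flag_login_floods(lines, path="/user/login", limit=20, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for clients that POST to `path` more than
    `limit` times inside any sliding `window`. The User-Agent field is
    never consulted, because the client controls it."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (documentation IPs, not taken from the question)."""
    agents = ["Mozilla/4.0 (compatible; MSIE 6.0)", "Mozilla/5.0 (X11; Linux x86_64)"]
    fmt = '{ip} - - [03/Sep/2012:07:{m:02d}:{s:02d} +0200] "{req} HTTP/1.0" 200 18127 "-" "{ua}"'
    # One client posting once per second while alternating its User-Agent.
    lines = [fmt.format(ip="192.0.2.10", m=19, s=s, req="POST /user/login", ua=agents[s % 2])
             for s in range(30)]
    # A second client with three widely spaced logins and one GET.
    lines += [fmt.format(ip="198.51.100.7", m=m, s=0, req="POST /user/login", ua=agents[1])
              for m in (10, 25, 40)]
    lines.append(fmt.format(ip="198.51.100.7", m=41, s=5, req="GET /user/login", ua=agents[1]))
    return lines

if __name__ == "__main__":
    for ip, peak in flag_login_floods(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within one minute")
```

The flagged addresses are the candidates for the IP ban the answer recommends; alternating the User-Agent does not change the result.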