My site is getting attacked by an unusual method. They come every day from different IP addresses, and each IP makes only 3 requests per day. It all adds up to a lot of bandwidth: from 2017 Jan 17 to 2017 Jan 29 I logged 4,284 server requests from 1,341 distinct IP addresses, as far as host and whois lookups can tell.
The odd thing is that there is no referrer info, so they are not referrer spammers. Nor do they ever POST, so they are not comment spammers. The user agent is always the same, Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1, which looks like an ordinary desktop Firefox and gives nothing away by itself. I am really not sure what they want or why they are scraping my site; there is no information to be had from three requests that are always identical. It looks like a badly written bot, a bot designed simply to waste my resources, something meant to drive me crazy, or all three. Did I make someone on the Interweb really angry? Probably.
IP addresses almost never repeat, and very rarely differ only in the last octet, or even the third octet. They are "in the wind". It is easy to see how ferocious a real botnet attack would be, with infected zombie computers and phones around the world directed at a single site. That is the power of a DDoS. What do you do against such an attack? How do you even counter it?
Their requests are always the same three: probe for a WordPress login page (/wp-login.php, which 404s here), fetch / (which 301-redirects), and then fetch my Drupal site under /root/:
[22/Jan/2017:09:12:07 GET /wp-login.php HTTP/1.1 404 -
[22/Jan/2017:09:12:08 GET / HTTP/1.1 301 231
[22/Jan/2017:09:12:08 GET /root/ HTTP/1.1 200 44078
I am tracking them…
This bot is interesting because it uses a single fixed UA and issues GETs that mimic a human visitor, yet it fetches JS and PHP and never text or images. That is clearly a bot. Because it requests more than just the login page, there may be other activity behind it. Looking up these IPs, they sit in Russian (and Ukrainian; kyivstar.net is a Ukrainian operator) networks, for example:
5.248.141.110 kyivstar.net
85.140.0.17 Mobile TeleSystems, PJSC, Volga, Ru
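The two signals described above (the fixed three-request sequence with no referrer, and the single bogus Firefox/40.1 user agent) can be scored straight from the access log. The following is an added example written for this page, not code from the original post: it parses Apache combined-format lines, groups them per IP, and flags an IP on either signal. The rv:/Firefox/ consistency check goes beyond the post: in a genuine Gecko UA string the rv: token and the Firefox/ token carry the same version, so rv:40.0 next to Firefox/40.1 is a fingerprint on its own. The log lines, the 203.0.113.5 "human" visitor and the referrers are constructed for the example; the addresses are RFC 5737 documentation ranges, not the real sources.

```python
# Added example, not code from the original post: score visitors in an Apache
# combined-format access log on the two signals the post describes. Sample
# lines are constructed; IPs are RFC 5737 documentation addresses.
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Gecko UA shape: "... rv:<ver>) Gecko/<build> Firefox/<ver>"; both <ver> agree in a real browser.
GECKO_RE = re.compile(r'rv:(?P<rv>[\d.]+)\) Gecko/\d+ Firefox/(?P<ff>[\d.]+)')

# The exact three-request sequence from the post, in order.
BOT_SEQUENCE = [("GET", "/wp-login.php"), ("GET", "/"), ("GET", "/root/")]

BOT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
GOOD_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"


def _line(ip, ts, req, status, size, ref, ua):
    """Build one combined-format log line (used only for the constructed sample)."""
    return f'{ip} - - [{ts}] "{req}" {status} {size} "{ref}" "{ua}"'


# Constructed sample: two bot IPs showing the post's pattern, one human visitor.
SAMPLE_LOG = [
    _line("192.0.2.10", "22/Jan/2017:09:12:07 +0000", "GET /wp-login.php HTTP/1.1", 404, "-", "-", BOT_UA),
    _line("192.0.2.10", "22/Jan/2017:09:12:08 +0000", "GET / HTTP/1.1", 301, 231, "-", BOT_UA),
    _line("192.0.2.10", "22/Jan/2017:09:12:08 +0000", "GET /root/ HTTP/1.1", 200, 44078, "-", BOT_UA),
    _line("198.51.100.7", "23/Jan/2017:11:02:41 +0000", "GET /wp-login.php HTTP/1.1", 404, "-", "-", BOT_UA),
    _line("198.51.100.7", "23/Jan/2017:11:02:42 +0000", "GET / HTTP/1.1", 301, 231, "-", BOT_UA),
    _line("198.51.100.7", "23/Jan/2017:11:02:42 +0000", "GET /root/ HTTP/1.1", 200, 44078, "-", BOT_UA),
    _line("203.0.113.5", "23/Jan/2017:12:30:00 +0000", "GET /root/ HTTP/1.1", 200, 44078, "https://www.google.com/", GOOD_UA),
    _line("203.0.113.5", "23/Jan/2017:12:30:01 +0000", "GET /root/style.css HTTP/1.1", 200, 1200, "https://example.net/root/", GOOD_UA),
]


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def gecko_ua_is_consistent(ua):
    """True if the rv: and Firefox/ versions agree, False if they differ,
    None if the UA is not a Gecko/Firefox string at all."""
    m = GECKO_RE.search(ua)
    if not m:
        return None
    return m.group("rv") == m.group("ff")


def classify_ips(lines):
    """Group requests per IP and score each IP on the post's signals."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        seq = [(r["method"], r["path"]) for r in recs]
        bad_ua = any(gecko_ua_is_consistent(r["ua"]) is False for r in recs)
        no_ref = all(r["referer"] in ("", "-") for r in recs)
        seq_hit = seq == BOT_SEQUENCE
        report[ip] = {
            "requests": len(recs),
            "bytes": sum(r["bytes"] for r in recs),
            "bad_ua": bad_ua,
            "no_referer": no_ref,
            "bot_sequence": seq_hit,
            # Either signal alone is enough: the bogus UA, or the exact
            # referrer-less probe sequence.
            "is_bot": bad_ua or (seq_hit and no_ref),
        }
    return report


def bot_summary(report):
    """Return (sorted bot IPs, total bytes served to them)."""
    bots = sorted(ip for ip, r in report.items() if r["is_bot"])
    return bots, sum(report[ip]["bytes"] for ip in bots)


if __name__ == "__main__":
    bots, total = bot_summary(classify_ips(SAMPLE_LOG))
    print(f"{len(bots)} bot IPs, {total} bytes served to them: {bots}")
```

Run it over a real log with `classify_ips(open("access.log"))`. The sequence match is deliberately exact, so an IP that makes any extra request will only be caught by the UA check; the UA check, in turn, catches the bot even if it changes the request paths, which is why the post's final fix keys on the user agent rather than on addresses.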
Officially killed it all. Goodbye, bad bot.
References
UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1 is not a valid Firefox version: no Firefox 40.1 was ever released, and in a genuine Gecko user agent the rv: token and the Firefox/ token carry the same version, so rv:40.0 next to Firefox/40.1 is a fingerprint, not a browser. Block it at the web server (the RewriteRule line completes the rule so that matching requests get a 403):
RewriteCond %{HTTP_USER_AGENT} Firefox\/40\.1
RewriteRule ^ - [F,L]
http://security.stackexchange.com/questions/134741/unknown-bot-using-firefox-40-1-user-agent
https://www.webmasterworld.com/search_engine_spiders/4767589.htm
http://pastebin.com/G0CiuLVC
Hey.. I'm having exactly the same problem as you! I also guessed before that it's a huge botnet or similar. In my case the attackers are also from Africa, India, Russia and so on..
In my case I get 5 requests per IP. POST and GET. On xmlrpc.php and wp-login.php…
But I already had an IP deny, so they always get an error page. I have round about 50 websites and each gets at least 1-3 such requests times 5.
I already blocked a lot of IP addresses, for example
xxx.xxx.0.0/16
so it's a huge range I block.. but still sometimes they can pass the block if they have different IP addresses. Really annoying.
But good to know I'm not the only one.
[Don: Hey Steffen, Yes, they have been badgering me for over a year. I tried many methods, but IP-based bans do not work. There are way too many. I sent you my silver bullet solution. Cheers, Don]