91.200.12.73 - An ode to a tireless bot.

Monday, 25 April, Year 8 d.Tr. | Author: Mircea Popescu

The Project Honeypot has an ample file on it, of course. Ukrainian harvester, first seen about two years ago, last seen this week, before that straight spammer for about four years with a list of (mostly Korean) associated mail servers a mile long, etcetera.

So... what does it do ? Let's see.

$ wc -l trilema-apr2016.txt
2097579 trilema-apr2016.txt

$ grep -c "91.200.12.73" trilema-apr2016.txt
468

If you think that there's tens of thousands of these, suddenly logfiles a coupla million lines long doesn't sound like much, you know ? Anyway, let's try a narrative.

So, on March 31st at 8:16:30 the Tireless Bot loads Climax (trilema.com/2012/climax/) coming from nowhere and claiming to be running Chrome[1]. At 9:23:25 it loads An era ends today. A new era starts today. coming from http://trilema.com/ which is a place it's never been. A second later it tries to post a comment[2], and two seconds later it reloads the page.

Then at 9:25:34 it goes back to Climax, and at 09:29:24 it's back on the page it tried to spam. At no point during all this does it load any of the page design elements or anything. Then at 11:10:17 back on Climax, and at 11:14:21 back on An era ends today. Then same thing, 12:53:33 / 13:00:38.[3]

Then, out of character, it loads Awstats and stuff at 13:49:21, still calling itself Chrome and still coming from http://trilema.com ; and at 13:49:22 tries to post (still as "PHP/5.2.31"), and then checks. Twice, this time : once at 13:49:24 still as "PHP/5.2.31", then once more at 13:53:47, this time back to being Chrome. Then at 14:41:32 checks the previous attempt once more, and at 15:33:49, 17:17:47, and 19:03:54 checks this attempt. By 22:19:14 it moves on to MPEx - Status Report, where it tries to send a comment at 22:19:15 and then checks twice (at 22:19:16 as "PHP/5.3.56", at 22:21:52 as Chrome). And then it moves back to Climax at 23:13:32, which it has time to try and post to before the day is out, in the usual manner.

This much brings us to the end of March, you see ? There's still all of April ahead of us! Out of curiosity I checked to see why its attempts to post fail. I found the IP blacklisted in my custom tailored antispam system in 2014[4]! So no, its efforts didn't start in March current, nor in March last.

The attempts continue unabated, with variations in the PHP version installed (so far we've seen 5.2.31 and 5.3.56, but there's also 5.2.53, 5.3.18, 5.3.93, 5.2.05, 5.3.85, 5.3.64, 5.2.61, 5.2.70, 5.3.76, 5.2.83, 5.3.86, 5.2.90 and so on and so forth) but little variation in the user agent, until on April 9th it becomes "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.3.4000 Chrome/30.0.1599.101 Safari/537.36". You know, the "cloud browser", which apparently sucks because on April 11 we move on to "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0" which turns to rv:34.0 within hours. We're then happy with this until the next day, when upgrading to rv:35.0 is de rigueur. Imagine the horror of this upgrade cycle, even the spammers pretending to be using the shit are stuck constantly modifying strings! Yet oddly enough, through thick and thin 20100101 stays 2010101.

This version serves us well until the 13th, on which it receives an addition : "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 AlexaToolbar/alxf-2.21"[5]. The Alexa toolbar nominally stays until April 14th (no doubt greatly if nominally improving the overall relevancy and pertinence of yet another Amazon service), at which point we're again upgrading, this time to "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" which in turn changes to "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" on the 18th and so on and so on and so on and so on AND SO ON. And so on.

By April 19th the Tireless Bot is still checking the Awstats article, who knows, maybe, and it's still trying to leave comments, this time on Five bucks for great justice. Who knows, maybe that one works. And if it doesn't - all the better, more stuff to check anyway. Same way as with any bureaucracy, amirite ?

Here's the source for your files, and remember you must have been amused as per Regulations of Insistence and Artificial Cognitive Products #574 dash W. Don't forget to leave your green copy of lulz with the girl at the entrance and remember to mail the crossword puzzle variant on the mauve (not the purple!) paper sometime before the cutoff (but not after the other cutoff!!1). Thank you.

———
  1. "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
  2. This time it's "PHP/5.3.40" and no longer Chrome, lulz.
  3. The deltas are 1:09:04 / 0:05:59 ; 1:44:43 / 1:44:57 ; 1:43:16 / 1:44:43. Such coincidental, you know ?
  4. If you're curious it was

    name : moncler jackts
    email : lkmjpexpu@gmail.com
    url : www.littledresskits.co.uk/wp-content/uploads/cache/

    with an empty payload.

  5. Speaking of which, get a load of this other peacock of a kalash :

    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; Crazy Browser 5.3.58; Dealio Toolbar 3.4.42; Dealio Toolbar 2.3.65; Alexa Toolbar)"

    It comes from 89.34.126.145 which is actually a fixed cable address in Galati, Romania so for all we know it could even be an actual granny with TWO versions of something called the "Dealio Toolbar". The only strange thing is that the same IP identifies the running browser as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Dealio Toolbar 3.8.85)" at 03:13:22 ; as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; Crazy Browser 5.3.58; Dealio Toolbar 3.4.42; Dealio Toolbar 2.3.65; Alexa Toolbar)" at 3:13:22 and as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Dealio Toolbar 3.8.85)" at the same 3:13:22 ; then as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MSN Optimized; GB; ZangoToolbar 6.5.14; .NET CLR 5.9.70)" at 3:13:23. Seems a little rich, doesn't it ?

    Especially as earlier that same day (April 6th) we've seen this exact IP claiming to be "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36" or doing strange things like

    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /wp-content/themes/trilema/style.css HTTP/1.1" 200 10392 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /wp-content/themes/trilema/images/insigna-printre-primii.png HTTP/1.1" 200 267 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /wp-content/themes/trilema/images/insigna-trol.png HTTP/1.1" 200 259 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /wp-content/themes/trilema/images/insigna-1k.png HTTP/1.1" 200 269 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /avatar.png HTTP/1.1" 200 13024 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    85.9.20.151 - - [06/Apr/2016:04:08:53 -0400] "GET /2009/fumez/ HTTP/1.0" 200 72050 "http://trilema.com/2009/fumez/" "Mozilla/2.0 (compatible; MSIE 3.02; Windows CE; 240x320)"
    89.34.126.145 - - [06/Apr/2016:04:08:53 -0400] "GET /default_avatar.png HTTP/1.1" 200 3500 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
    89.34.126.145 - - [06/Apr/2016:04:08:54 -0400] "GET /wp-content/themes/trilema/images/rss.jpg HTTP/1.1" 200 1455 "http://navigator.cognitiveseo.com/parser/?rq=1NH5L5ogOd5k8ff8vAaZePhLnSCl9vfCeEn5Q%2Fz%2B1HEUDbIya21N%2F1x7Tg8NhrcuS6TZ5S2o%2Ff6n4mTdcaItusjsr77fTv0XS%2BBP0s4i%2F0b3%2FyQkS1Q4NQe2PXO1PSlUV37wYKpW86LFWh%2BvzyqrDQWkv%2FuczBqDK5wA82uphIcVVB2cyT1FZileR3ck%2BhAO2gWwHVmHc0Ae48IDr%2F1GRPJFq4usS7kyDuAN0thAYreek6EW35IgHSSdWBNIOzjxzeB%2FYps7s2Lr1MzMczwYi7sThRrNul7lLQpaWBWHjlc%2BgPdcmvBpoqN6bhwOT6mRpqY3WwSuNoj5kQa5zzhpuw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"

    Cognitive SEO FTW, I guess.
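The two tells this post leans on, a client that posts and re-checks a page without ever fetching a single design asset (the body of the article) and one IP cycling through several User-Agent strings inside a second or two (this footnote), can both be pulled out of a combined-format access log automatically. The following is an added example, not code from the post; the sample lines are constructed with documentation-range IPs, and the POST path being WordPress's standard comment endpoint is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format, the format of the lines quoted on this page.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico)$', re.I)

# Constructed sample, not the page's own log lines: documentation-range IPs; the POST path is WordPress's standard comment endpoint (an assumption).
SAMPLE = """\
203.0.113.7 - - [31/Mar/2016:09:23:25 -0400] "GET /2012/climax/ HTTP/1.1" 200 61000 "http://trilema.com/" "Chrome/39"
203.0.113.7 - - [31/Mar/2016:09:23:26 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://trilema.com/2012/climax/" "PHP/5.3.40"
203.0.113.7 - - [31/Mar/2016:09:23:28 -0400] "GET /2012/climax/ HTTP/1.1" 200 61000 "http://trilema.com/" "Chrome/39"
198.51.100.9 - - [06/Apr/2016:03:13:22 -0400] "GET /2009/fumez/ HTTP/1.1" 200 72050 "-" "MSIE 10.0; Dealio Toolbar 3.8.85"
198.51.100.9 - - [06/Apr/2016:03:13:22 -0400] "GET /2009/fumez/ HTTP/1.1" 200 72050 "-" "MSIE 10.0; Crazy Browser 5.3.58"
198.51.100.9 - - [06/Apr/2016:03:13:23 -0400] "GET /2009/fumez/ HTTP/1.1" 200 72050 "-" "MSIE 10.0; ZangoToolbar 6.5.14"
192.0.2.5 - - [06/Apr/2016:04:08:53 -0400] "GET /2009/fumez/ HTTP/1.1" 200 72050 "-" "Firefox/45.0"
192.0.2.5 - - [06/Apr/2016:04:08:53 -0400] "GET /wp-content/themes/trilema/style.css HTTP/1.1" 200 10392 "http://trilema.com/2009/fumez/" "Firefox/45.0"
"""

def parse(line):
    """One combined-format line -> dict with a parsed timestamp, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_ips(lines, ua_window_s=5, ua_limit=2):
    """IP -> reasons: UA churn (more than ua_limit UAs within ua_window_s seconds) or comment POSTs with zero design-asset fetches."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        for i, first in enumerate(recs):  # sliding window anchored at each hit
            uas = {r["ua"] for r in recs[i:]
                   if (r["ts"] - first["ts"]).total_seconds() <= ua_window_s}
            if len(uas) > ua_limit:
                reasons.append(f"{len(uas)} user agents within {ua_window_s}s")
                break
        posts = sum(r["method"] == "POST" for r in recs)
        if posts and not any(ASSET_RE.search(r["path"]) for r in recs):
            reasons.append(f"{posts} POST(s), {len(recs)} hits, zero design assets")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On the constructed sample the first IP is flagged for posting without ever loading a stylesheet or image, the second for three User-Agents inside one second, and the third (a browser that fetches style.css) is left alone.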

Category: Meta psihoza

5 Responses

  1. > through thick and thin 20100101 stays 2010101

    That's not staying, that's wavering.

  2.
    Mircea Popescu 
    Tuesday, 26 April 2016

    Lol guess so huh.

  3. 20100101 is due to Mozilla. It used to be a meaningful date but then they stopped changing it because user agent sniffing bla bla kdfjbj wifubskd.

  4.
    Mircea Popescu 
    Saturday, 30 April 2016

    Aha.

  1. [...] is a run of the mill spambot, as discussed in more detail back in April. We'll call it type A because it does check after spamming. Typical behaviour : [...]
