
SANS ISC: What bot is that? - Internet Security | DShield SANS ISC InfoSec Forums

What bot is that?
Hi folks,

For a few weeks now, one of my webservers with an unprotected comment form has been receiving weird POSTs,
about five per day. The content is always only a 13-digit hex number, currently at 590b4ba3859d7.
The user agent string is always the same Firefox 7 on WinXP.
"Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
The weird thing is.. the POSTs come from IPs all over the world, but are strictly incremental,
so it's either some kind of timestamp, or centrally coordinated.

Has anyone seen the same behaviour, and maybe found out what bot is doing that, and for what purpose?


41 Posts
Can you share a pcap? Xme

459 Posts
ISC Handler
I've started a capture, might take an hour or two for the next bot hit.

Apache log is: - - [07/May/2017:21:44:04 +0200] "POST /anmeldung.php HTTP/1.1" 302 210 "" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

last two weeks had 164 hits from 155 IPs

last submissions are:

so the name is an ever-increasing hex number, the email field is filled with random mail addresses I don't know, so probably filled from a spam list..

41 Posts
No, we cannot; there is some procedure that we need to follow. reachiso

1 Posts
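
The guess in the first post that the 13-digit value is "some kind of timestamp" can be checked offline against logged submissions. The following is an added example, not part of the thread: it assumes the value uses the layout that PHP's uniqid() produces (8 hex digits of Unix seconds, then 5 hex digits of microseconds), and the function names, the second sample value and all arrival times are constructed for illustration.

```python
import re
from datetime import datetime, timezone

TOKEN_RE = re.compile(r"[0-9a-f]{13}")

def decode_token(token):
    """Read a 13-hex-digit value as 8 digits of Unix seconds followed by
    5 digits of microseconds (assumed layout). Returns an aware UTC
    datetime, or None when the value does not fit that layout."""
    token = token.strip().lower()
    if not TOKEN_RE.fullmatch(token):
        return None
    usecs = int(token[8:], 16)
    if usecs >= 1_000_000:  # not a valid microsecond field
        return None
    secs = int(token[:8], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=usecs)

def lag_report(submissions):
    """submissions: iterable of (arrival datetime, name field value).
    Returns (arrival, token time, lag in seconds) for values that decode,
    so the gap between token creation and the POST can be compared per hit."""
    rows = []
    for arrival, name in submissions:
        created = decode_token(name)
        if created is not None:
            rows.append((arrival, created, (arrival - created).total_seconds()))
    return rows

def strictly_increasing(rows):
    """True when token times rise in arrival order, as the post describes."""
    times = [created for _, created, _ in sorted(rows, key=lambda r: r[0])]
    return all(a < b for a, b in zip(times, times[1:]))

# Constructed sample: the first name value is the one quoted in the thread;
# the other values and all arrival times are made up for illustration.
SAMPLE = [
    (datetime(2017, 5, 4, 16, 0, 0, tzinfo=timezone.utc), "590b4ba3859d7"),
    (datetime(2017, 5, 4, 21, 30, 0, tzinfo=timezone.utc), "590b9d2f01a2c"),
    (datetime(2017, 5, 5, 2, 15, 0, tzinfo=timezone.utc), "not-a-token"),
]

if __name__ == "__main__":
    rows = lag_report(SAMPLE)
    for arrival, created, lag in rows:
        print(arrival.isoformat(), created.isoformat(), f"lag={lag:.0f}s")
    print("increasing:", strictly_increasing(rows))
```

A small, stable lag across source IPs would point to one generator handing out fresh values per request; a large or widely varying lag would point to values produced in advance and distributed.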
