[ale] Irritating OmniExplorer_Bot web bot

Jerald Sheets jsheets at yahoo.com
Tue Jan 3 15:29:24 EST 2006


A quick fix would be to add a deny line to your firewall
configuration, if you're firewalling, to drop him until you can get
that done.

Jerald M. Sheets jr.
Sr. UNIX Systems Administrator
The Weather Channel Interactive
404.293.8762



On Jan 3, 2006, at 2:52 PM, Charles Brian Quinn wrote:

> Fellow Alers,
>
> I came in this morning to find one of my servers not responding to any
> requests.  After a reboot, a top shows my box has been pegged for a long
> time.  The culprit was found in the apache2 combined logs (for webstats):
>
> 64.127.124.130 - - [03/Jan/2006:14:43:08 -0500] "GET /gallery2/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=http%3A%2F%2Fwww.seebq.com%2Fgallery2%2Fv%2Fitaly%2Fsalone%2FSalone_Internazionale_del_Mobile_105.jpg.html%3Fg2_imageViewsIndex%3D1&g2_returnName=photo HTTP/1.1" 403 282 "-" "OmniExplorer_Bot/5.35 (+http://www.omni-explorer.com) WorldIndexer"
> 64.127.124.130 - - [03/Jan/2006:14:43:11 -0500] "GET /gallery2/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_return=http%3A%2F%2Fwww.seebq.com%2Fgallery2%2Fv%2Fitaly%2Fsalone%2FSalone_Internazionale_del_Mobile_105.jpg.html%3Fg2_imageViewsIndex%3D1&g2_returnName=photo HTTP/1.1" 403 282 "-" "OmniExplorer_Bot/5.35 (+http://www.omni-explorer.com) WorldIndexer"
>
> It looks like this bot tried to deep index (index - yeah right) my
> entire site, and went through the gallery2 software I installed and
> tried to sign up (register as a user) under each page, add things to its
> cart, etc. etc. repeatedly, while apache2 kept serving up requests and
> spawning new instances to keep up with the "DDOS" style attack.
>
> It is ignoring my robots.txt file, and continues to hammer my site after
> forbidding apache access to it (note the 403s in the log file above).
>
> I'm about to re-emerge apache2 with tcpd support (tcp-wrappers) and add
> that entire subnet to the /etc/hosts.deny.
>
> Annoying.  http://www.omni-explorer.com/ has more information, but
> google tells some other horror stories.
>
> Just an FYI.
> -- 
> Charles Brian Quinn
> www.seebq.com
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
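
Added example, not part of the original thread: a small detector for the pattern described above, a client that keeps sending requests in quick succession even though Apache answers each one with 403. The function name, the thresholds and the sample log lines (documentation addresses, a made-up `SlowCrawler/1.0` agent) are constructed for illustration; only the OmniExplorer user-agent string is taken from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def persistent_denied_clients(lines, min_denied=3, max_gap_seconds=10):
    """Return {(ip, agent): run_length} for clients whose longest run of 403
    responses, each at most max_gap_seconds after the last, is >= min_denied."""
    denied = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines and other log formats
        if m["status"] == "403":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            denied[(m["ip"], m["agent"])].append(ts)
    flagged = {}
    for key, stamps in denied.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            close = (cur - prev).total_seconds() <= max_gap_seconds
            run = run + 1 if close else 1
            best = max(best, run)
        if best >= min_denied:
            flagged[key] = best
    return flagged

BOT = "OmniExplorer_Bot/5.35 (+http://www.omni-explorer.com) WorldIndexer"

def hit(ip, hms, status, agent):
    # Builds one constructed combined-log line for the sample below.
    return (f'{ip} - - [03/Jan/2006:{hms} -0500] '
            f'"GET /gallery2/main.php HTTP/1.1" {status} 282 "-" "{agent}"')

SAMPLE = (  # constructed sample input, not real traffic
    [hit("192.0.2.10", f"14:43:{s:02d}", 403, BOT) for s in (8, 11, 14, 17)]
    + [hit("198.51.100.7", "14:43:09", 200, "Mozilla/5.0"),
       hit("198.51.100.7", "14:43:12", 403, "Mozilla/5.0")]
    + [hit("203.0.113.5", f"{h}:00:00", 403, "SlowCrawler/1.0") for h in (10, 11, 12)]
    + ["not a log line"]
)

if __name__ == "__main__":
    for (ip, agent), n in persistent_denied_clients(SAMPLE).items():
        print(f"{ip}\t{n} rapid 403s\t{agent}")
```

Keying on both address and user agent keeps a shared proxy address from being flagged for one misbehaving client behind it; the flagged addresses are candidates for the firewall or hosts.deny entry discussed in the thread.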



