Cross Site Scripting attack from botnet

The last few weeks I have noticed some odd activity across all of our websites.  A single IP will crawl all our the pages in the site and attempt to inject a URL into the forms.  After some google searches for the offending IPs I came across this post which contained all the addresses scanning my sites.  

The IPs that were crawling my pages where:

195.70.10.128
202.154.57.36
81.169.140.109
195.238.1.60

UserAgent for all:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Some sample entries out of my web-server logs

http%3A%2F%2Fhonamfishing.co.kr%2Fphpmysqladmin%2Flibraries%2Foduzov%2Fneloze%2F80
http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Fnepicu%2Fegul%2F
http%3A%2F%2Fwww.felixtorresycia.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F
http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Fgucor%2Fujusu%2F
http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F
http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F

This information above is being injected directly into pages with forms as inputs and passed to the server via GET.  From the post I linked to alot of people have reported this activity.  Hopefully somebody can ultimately get busted (probably not though). 

Seems people are doing a variety of things to stop this from blocking the entire list of addresses to checking time between page request.  In my situation as far as I can tell this is nothing more than a nuisance.  I will continue to post Ip addresses in hopes that others can find this information useful like I did!

Tagged: , , , ,