Cross Site Scripting attack from botnet

The last few weeks I have noticed some odd activity across all of our websites.  A single IP will crawl all our the pages in the site and attempt to inject a URL into the forms.  After some google searches for the offending IPs I came across this post which contained all the addresses scanning my sites.  

The IPs that were crawling my pages where:

UserAgent for all:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Some sample entries out of my web-server logs

This information above is being injected directly into pages with forms as inputs and passed to the server via GET.  From the post I linked to alot of people have reported this activity.  Hopefully somebody can ultimately get busted (probably not though). 

Seems people are doing a variety of things to stop this from blocking the entire list of addresses to checking time between page request.  In my situation as far as I can tell this is nothing more than a nuisance.  I will continue to post Ip addresses in hopes that others can find this information useful like I did!

Tagged: , , , ,