Web Log hits from psycheclone

wordpress

#1

I’m going to go out on a limb and say the thousands of hits on my site in the last few days were probably due to the DDOS attack and not the instant popularity of my site… :frowning:

Anyway - has anyone else checked their web reports and found a browser “psycheclone” listed as their #1 browser hit?

I’ve googled the name, but not hit much. The wiki was empty on this subject… so now it’s time to ask ya’ll if you have any info.

Cheers and I’m glad to be back online, DDOS attackers suck.


#2

I’ve seen a few of these too, but only about 5 or 6. Given that this thread is the top Google result for “psycheclone”, I doubt I’m going to find anything :confused:


#3

I have matrixstats which is usually up to date on robots and it lists psycheclone as a robot; I’ve had a few hits from it myself.

Chris Longley
www.chrislongley.com


#4

I’ve had a few hits from this robot as well, just the name alone makes me think it’s a scraper bot.

Since I couldn’t find any info on it I blocked its IP address using .htaccess across most of my sites.


Web Hosting Reviews | Shonky’s Blog | Hot Product Directory


#5

Yes, I also got those ‘psycheclone’ hits on my website. Just wonder what that is. Could it be some kind of spam software or what? In only a few days it took up hundreds of hits on my web pages. Hope it is not some kind of virus.


#6

I started noticing e-mail being sent to strange account names on my mail server recently. I remembered just today that I added some script to one of my web sites that takes the client IP address and the date and encodes it into a text name, then adds the domain name and places it in the home page as a mailto: link. I can then decode the values later.

Today a spam was sent to an account that indicates 208.66.195.9 harvested this address on 6/2/2006. I checked my server logs to confirm this, and sure enough, there it was.

2006-06-02 10:32:06 208.66.195.9 - 80 GET /robots.txt - 200 0 psycheclone -
2006-06-02 10:32:06 208.66.195.9 - 80 GET /index.html - 200 0 psycheclone -

I searched for “psycheclone” and found this thread. I am assuming this is some sort of high speed web-bot that can be configured for email harvesting.
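The per-visitor mailto tagging described in post #6, as an added example that is not the poster's script: it packs the client IPv4 address and the date into the local part and appends a short HMAC so forged or mistyped recipients are not mistaken for trap hits. The secret, the `example.org` domain and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server
DOMAIN = "example.org"            # assumption: placeholder mail domain

def _mac(payload: bytes) -> bytes:
    # Truncated HMAC: enough to reject random or guessed local parts.
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:3]

def make_trap_address(client_ip: str, day: date) -> str:
    """Build the address to embed in the page served to client_ip on day."""
    payload = ipaddress.IPv4Address(client_ip).packed + day.toordinal().to_bytes(3, "big")
    local = base64.b32encode(payload + _mac(payload)).decode().rstrip("=").lower()
    return f"{local}@{DOMAIN}"

def decode_trap_address(address: str):
    """Return (ip, date) for a genuine trap address, or None for anything else."""
    local, _, domain = address.partition("@")
    if domain.lower() != DOMAIN:
        return None
    padded = local.upper() + "=" * (-len(local) % 8)
    try:
        raw = base64.b32decode(padded)
    except ValueError:            # bad alphabet or padding (binascii.Error is a ValueError)
        return None
    if len(raw) != 10:            # 4 bytes IP + 3 bytes date + 3 bytes MAC
        return None
    payload, tag = raw[:7], raw[7:]
    if not hmac.compare_digest(tag, _mac(payload)):
        return None
    ip = str(ipaddress.IPv4Address(payload[:4]))
    return ip, date.fromordinal(int.from_bytes(payload[4:], "big"))
```

Mail arriving at a decodable address identifies the harvesting request, which can then be matched against the web log for that IP and day.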


#7

The IP addresses that psycheclone uses belong to Mc Colo Corporation of Newark, DE, a virtual hosting service. The narrower IP address range used belongs to a private UK company called Dital Infinity LTD. It hits every link on a website, and repeats the practice many times to generate a large number of hits. If it is a bot, then it must have some bugs. Maybe it is looking for some weakness in a web site.


#8

We saw this psycheclone agent too, but from another IP in that range: 208.66.195.7

It seems it is buggy, too, because it does not correctly decode the & in URLs (which causes a warning due to incorrect link in our application, which is how I noticed it in the first place).

Luckily we do not provide e-Mail addresses outside the password protected area :slight_smile:


#9

Ugh,

make that &amp;amp; in my previous post.

It seems this forum does not escape HTML???


#10

The range they’re using at present is listed as NET-208-66-195-0-1 and is registered to Digital Infinity Ltd (digitalinfinity.org) in Moscow, not the UK. E-mail goes via estboxes.com (Googling shows lots of spam related stuff).

I’m blocking them now…

Chris

www.csamuel.org


#11

Thanks for correction. I have tried to correct the misspelled name of Digital Infinity, but somehow the edit function failed. My hosting agent has notified me that psycheclone is now officially listed as a “bot” and we can find its details in
http://www.botsvsbrowsers.com/details/38021/index.html . Since psycheclone starts from looking into robots.txt, I am trying to block it by editing robots.txt; if the user of the bot changes its setting, it probably can ignore robots.txt!


#12

No worries. I just banned their entire address space by adding:

deny from 208.66.195.0/28

to my .htaccess file, so it doesn’t matter what they call it (until they change provider).

cheers,
Chris


www.csamuel.org
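A check a site owner can run before relying on the `deny from 208.66.195.0/28` rule from post #12, as an added example that is not part of the thread: it tallies hits for the psycheclone agent in a log and lists any source addresses the rule would not cover. The field positions are assumed from the two log lines quoted in post #6; the other sample lines are constructed.

```python
import ipaddress
from collections import Counter

DENY_RANGE = ipaddress.ip_network("208.66.195.0/28")  # range from the deny rule

# First two lines are quoted in post #6; the remaining three are constructed.
SAMPLE_LOG = """\
2006-06-02 10:32:06 208.66.195.9 - 80 GET /robots.txt - 200 0 psycheclone -
2006-06-02 10:32:06 208.66.195.9 - 80 GET /index.html - 200 0 psycheclone -
2006-06-03 08:15:41 208.66.195.7 - 80 GET /contact.html - 200 0 psycheclone -
2006-06-03 09:02:13 192.0.2.10 - 80 GET /index.html - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0) -
2006-06-04 11:47:59 198.51.100.20 - 80 GET /index.html - 200 0 psycheclone -
"""

def parse_line(line):
    """Split one space-delimited log line; positions assumed from the sample."""
    fields = line.split()
    if line.startswith("#") or len(fields) != 12:
        return None                      # header/comment or unexpected layout
    return {"ip": fields[2], "path": fields[6],
            "status": fields[8], "agent": fields[10]}

def audit(log_text, agent="psycheclone", deny=DENY_RANGE):
    """Return (hits per IP for the agent, IPs with that agent outside deny)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["agent"].lower() == agent:
            hits[rec["ip"]] += 1
    uncovered = sorted(ip for ip in hits
                       if ipaddress.ip_address(ip) not in deny)
    return hits, uncovered

if __name__ == "__main__":
    hits, uncovered = audit(SAMPLE_LOG)
    print("range covers", DENY_RANGE[0], "to", DENY_RANGE[-1])
    for ip, count in hits.most_common():
        print(ip, count, "blocked" if ip not in uncovered else "NOT covered")
```

A non-empty `uncovered` list means the agent has shown up from outside the blocked range, which is the "until they change provider" case.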


#13

lol, it will ignore your robots.txt; it’s a spam bot, and they don’t care about conventions. Even worse: a spam bot could read your robots.txt and find out where you have interesting stuff you want to keep “secret”.

I’m also blocking this IP now; not in .htaccess, but directly with my firewall. Hoping that it doesn’t spread via Zombie hosts.

ServerSite Linux – a full-featured webserver on a LiveCD


#14

I got 25% of my hits last week from psycheclone… I’d like to use this blocking tactic but am a novice, I can only see .htaccess files in my password protected directories not on my main site.

Normally I would ‘save as’ an edited version but I’m having problems saving a system file i.e. no filename just the .htaccess extension.

If anyone could provide advice about how to save it and what to put in it I’d really appreciate it. Ta


#15

My website is hosted by a low cost hosting service. I cannot block the incoming IP address by myself. Since last night, after I edited the robot.txt, there has been only one attempt by psycheclone and it backed off immediately after connecting to my web site. However, I am not sure it is due to my editing of robot.txt or due to something else. Two days ago I e-mailed Mc Colo Corporation, the hosting service for Digital Infinity LTD that is sending out this psycheclone, and advised them that their client is doing something funny. If Mc Colo Corporation has taken some action, then everyone’s hits from psycheclone should be reduced dramatically today. It will be interesting to receive reports about psycheclone attack of June 12, 2006!


#16

I use a sort of DDoS detection in my php that limits any visitors to X visits per X seconds and bans them for X seconds if they are over that, it seems to work very well against the crawlers that I hate. BUT for registered visitors I have a much lower limit so it won’t affect them at all unless they are doing something like downloading the entire site or reloading browser with 40 tabs windows open. And I get emailed when it happens with info on user cookie, url etc, just in case.

Also have in my .htaccess some redirects to common formmail.pl links that will rewrite the request to another ban php script that adds their IP to the .htaccess ban list, in combination with a robots.txt file that forbids access to some URLs (which are hidden near the top of the page HTML) you can pick up a nice range of banned IPs over time of “hacks” that disobey the robots.txt and IPs that are scanning for flaws. Plus I get the emailed info including any existence of a user cookie in case a user accidentally bans himself (which has never happened in 5 years so far).

If anyone wants my stuff, I’ll post it somewhere on here if I can find a section for it. Maybe help me fix any bugs it might have.
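The "X visits per X seconds, then banned for X seconds" limiter described in post #16, as an added example in Python rather than the poster's PHP (which is not shown in the thread): a sliding-window counter per client with a temporary ban. The class name, the limits and the traffic in `EVENTS` are constructed for this example.

```python
import time
from collections import defaultdict, deque

class FloodGuard:
    """At most max_hits requests per `window` seconds per client; offenders are
    refused for `ban` seconds. State is in-process only (assumption: one worker)."""

    def __init__(self, max_hits, window, ban, clock=time.monotonic):
        self.max_hits, self.window, self.ban = max_hits, window, ban
        self.clock = clock
        self.hits = defaultdict(deque)   # client -> timestamps inside the window
        self.banned_until = {}           # client -> time at which the ban lifts

    def allow(self, client):
        now = self.clock()
        until = self.banned_until.get(client)
        if until is not None:
            if now < until:
                return False             # still banned; the hit is not counted
            del self.banned_until[client]
        recent = self.hits[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()             # forget hits older than the window
        recent.append(now)
        if len(recent) > self.max_hits:
            self.banned_until[client] = now + self.ban
            recent.clear()
            return False
        return True

def replay(events, max_hits=3, window=10, ban=60):
    """Feed (time, client) events through a guard driven by a fake clock."""
    now = [0.0]
    guard = FloodGuard(max_hits, window, ban, clock=lambda: now[0])
    decisions = []
    for t, client in events:
        now[0] = t
        decisions.append(guard.allow(client))
    return decisions

# Constructed traffic: a crawler hammering the site and one ordinary visitor.
EVENTS = [(0, "crawler"), (1, "crawler"), (2, "crawler"), (3, "crawler"),
          (3, "visitor"), (30, "crawler"), (63, "crawler")]
```

Keying on the session or account for logged-in users, with a separate `FloodGuard` instance and its own limits, gives the split between anonymous and registered visitors that the post mentions.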


#17

It sounds like a very interesting system.

I, for one, would be interested in having a look at the source, but I am not sure I could actually do much with it, as PHP is not a language I am particularly familiar with (yet). My background is in conventional, non web-based languages, such as C/C++, Object Pascal, etc.

Mark




#18

I’ve been getting some hits from psycheclone. I did a search and this board came up. It wasn’t a lot of hits, so I’m not too worried.
It would be nice to know what it’s actually for.


#19

[quote]Normally I would ‘save as’ an edited version but I’m having problems saving a system file i.e. no filename just the .htaccess extension.

If anyone could provide advice about how to save it and what to put in it I’d really appreciate it. Ta
[/quote]
I’m almost certain that if you put the filename in quotes it will save exactly as you tell it.

secondly,

I do know a touch of php, I’d be interested in seeing that

[+]brickballs


#20

It isn’t too much code and it isn’t an ultimate solution, but they work pretty well for medium sized sites (I have a forum with 100+ regular daily visitors).

IP flood detection, DDoS detector for PHP
URL based IP ban with htaccess and PHP