Zombie scan?


#1

My traffic has picked up over the last few days and the log files look a bit strange. The hits come in steadily, in waves, hitting different categories and pages, all from seemingly unique IP addresses. I’m posting a sample of the log file here (IPs replaced to protect the already compromised):

127.0.0.1 - - [26/Jun/2006:18:10:36 -0700] "GET /?m=200604 HTTP/1.1" 200 19763 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:36 -0700] "GET /?m=200603 HTTP/1.1" 200 14102 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:38 -0700] "GET /?m=200602 HTTP/1.1" 200 14977 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:41 -0700] "GET /?m=200601 HTTP/1.1" 200 28534 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:44 -0700] "GET /?m=200605 HTTP/1.1" 200 45411 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:45 -0700] "GET /?m=20060603 HTTP/1.1" 200 15245 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:45 -0700] "GET /?m=20060620 HTTP/1.1" 200 14912 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:46 -0700] "GET /?m=20060621 HTTP/1.1" 200 16074 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
127.0.0.1 - - [26/Jun/2006:18:10:50 -0700] "GET /?m=20060624 HTTP/1.1" 200 14012 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I’ve done DNS lookups on some of the IPs in the log, and they appear to be valid broadband providers in the US and Canada. Is it possible they are being spoofed? If it is some kind of zombie crawl of the site, are there any methods that might be effective against it?

I also noticed a referral from http://yourguest.com.ru/test.php

I translated the page (and main page) on Babelfish and it seems (translation is rough) to be the web interface for some sort of spam engine with quotes about the freedom of advertisers. Anyone heard of it?

*** Update ***

Ok, the more of their site I translate the more these guys are really getting on my nerves. Babelfish translation on one of their forms:

“Url your Dora of that shaken already on khost or url of the site of victim (http://site.com/)”

They seem to be mapping my site to attempt to spam it later on. I can’t see them running a botnet from a web interface, so I’m assuming the IPs are spoofed until proven otherwise. Still looking for ideas on how to combat this.
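A completed HTTP request needs a full TCP handshake, so the source addresses in a log like the one above belong to real hosts rather than spoofed packets; what the hosts share is the script driving them. The following is an added example, not part of the original post, that parses combined-format lines and flags groups of many distinct IPs presenting an identical referrer and user-agent inside a short window. The lines in SAMPLE_LOG are constructed (private addresses) to mirror the ones posted above; the thresholds min_ips and max_span_seconds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_crawl_waves(lines, min_ips=5, max_span_seconds=60):
    """Group hits by (referer, user-agent) and flag groups in which many distinct
    source IPs present the identical fingerprint inside a short window, the
    signature of one script driven through many hosts rather than many browsers."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["ref"], rec["ua"])].append(rec)
    waves = []
    for (ref, ua), recs in groups.items():
        ips = {r["ip"] for r in recs}
        times = sorted(r["time"] for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        if len(ips) >= min_ips and span <= max_span_seconds:
            paths = sorted({r["req"].split()[1] for r in recs if len(r["req"].split()) > 1})
            waves.append({"referer": ref, "user_agent": ua, "hits": len(recs),
                          "distinct_ips": len(ips), "span_seconds": span, "paths": paths})
    return waves

# Constructed sample (private addresses) modelled on the lines in the post above.
SAMPLE_LOG = """\
10.0.0.11 - - [26/Jun/2006:18:10:36 -0700] "GET /?m=200604 HTTP/1.1" 200 19763 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.12 - - [26/Jun/2006:18:10:36 -0700] "GET /?m=200603 HTTP/1.1" 200 14102 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.13 - - [26/Jun/2006:18:10:38 -0700] "GET /?m=200602 HTTP/1.1" 200 14977 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.14 - - [26/Jun/2006:18:10:41 -0700] "GET /?m=200601 HTTP/1.1" 200 28534 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.15 - - [26/Jun/2006:18:10:44 -0700] "GET /?m=200605 HTTP/1.1" 200 45411 "http://nodomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.7 - - [26/Jun/2006:18:12:01 -0700] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
"""
```

Running find_crawl_waves(SAMPLE_LOG.splitlines()) reports the one wave (five IPs, eight seconds, the monthly archive paths) and ignores the lone Firefox visitor; a flagged referrer and user-agent pair is what you would then rate-limit or block at the web server.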