I am an admin for an Invision IPB.x v2 BB, and over the last few days we have been hammered by spammers creating new accounts and posting new topics or replying to existing topics with posts containing various links. Most IPs seem to originate from Russia/China/Far East, with a few from Europe and the USA. We already have a nifty mod, written by another administrator, which runs every 15 minutes and checks the answer to a question asked at registration (answered from a drop-down). The answer is stored against the user, and the 15-minute job checks for users with the wrong answer; if it finds one, it deletes the user and all posts associated with it.

Unfortunately some users still report the spam posts to an admin/mod and it has got quite tiresome, so I looked further into fail2ban. I already use it to check the SSH logs for invalid attempts, so I thought I would expand it to monitor the Apache logs.

I retrieved the logs from a spammer at registration and compared them to a legitimate registration and found a few differences:

Legitimate registration:

x.x.x.x – – [05/Jan/2011:11:50:42 +0000] “GET /index.php?act=Reg&CODE=00 HTTP/1.1” 200 11197 “http://forum.alfa145.com/” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:42 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:43 +0000] “GET /style_images/jam/css_pp_header.gif HTTP/1.1” 200 763 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “POST /index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1 HTTP/1.1” 200 13647 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “GET /jscripts/ipb_register.js HTTP/1.1” 200 11959 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “GET /style_images/jam/spacer.gif HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:46 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:50 +0000] “GET /index.php?s=&act=xmlout&do=check-user-name&name=aj_test&__=1294228302933 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:50 +0000] “GET /style_images/jam/aff_tick.gif HTTP/1.1” 200 904 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:53 +0000] “GET /index.php?s=&act=xmlout&do=check-display-name&name=aj_test&__=1294228305808 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:04 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228316725 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:08 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228321304 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228346849 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-user-name&name=aj_test&__=1294228346851 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “POST /index.php HTTP/1.1” 200 10566 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-display-name&name=aj_test&__=1294228346852 HTTP/1.1” 200 5 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:36 +0000] “GET /style_images/jam/aff_cross.gif HTTP/1.1” 200 331 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:36 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”

Spammer registration:

[root@server7941 forum.alfa145.com]# cat 20110105-access.log | grep 213.108.2.6
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET / HTTP/1.0” 200 102979 “http://remroom.ru” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 89602 “http://forum.alfa145.com/index.php?showforum=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 50674 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “GET /index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0” 200 50934 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “POST /index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1 HTTP/1.0” 200 60189 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:58 +0000] “POST /index.php HTTP/1.0” 200 49269 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=Reg&CODE=03&uid=5949&aid=bb2b7bf1f1c7e654f005e6921268a32a HTTP/1.0” 200 0 “http://remroom.ru” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?&act=login&CODE=autologin&fromreg=1 HTTP/1.0” 200 41758 “http://forum.alfa145.com/index.php?&act=login&CODE=autologin&fromreg=1” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=login&CODE=00 HTTP/1.0” 200 51314 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “POST /index.php?act=Login&CODE=01 HTTP/1.0” 200 41342 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “GET /index.php? HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php?” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=00 HTTP/1.0” 200 61359 “http://forum.alfa145.com/index.php?act=UserCP&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=01 HTTP/1.0” 200 69116 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “GET /index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 69398 “http://forum.alfa145.com/index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75050 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “POST /index.php?act=UserCP&CODE=23 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75264 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:51 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62602 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 41383 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62714 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 96591 “http://forum.alfa145.com/index.php?showforum=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 79182 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “POST /index.php? HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “GET /index.php?showtopic=18782 HTTP/1.0” 200 81015 “http://forum.alfa145.com/index.php?showtopic=18782” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

What was immediately obvious was that, in the spammer’s registration, the referrer field was set to the same URL as the GET request itself. So using fail2ban I created a new jail and used the following regex to monitor Apache’s access log:

failregex = ^<HOST> -.*GET.*coppa_pass.* 200 .*coppa_pass.*$

I set it to ban after 1 match and so far it seems to be working: about 10 IPs get banned an hour, our 15-minute spammer clean-up job has reported that no user accounts have been deleted since fail2ban started running, and new legitimate users have been created since. Until the next spammer outbreak…
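A way to check the failregex before letting it ban on a single match, as an added example (not code from the original post). The sample lines are constructed, modelled on the excerpts above and written with the plain hyphens and straight quotes Apache emits; the host name, the IP addresses, the simplified `<HOST>` expansion and the stricter variant are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(pattern):
    """Substitute the <HOST> tag and compile the rest as a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


# The failregex from the post, unchanged.
PAGE_RE = compile_failregex(r"^<HOST> -.*GET.*coppa_pass.* 200 .*coppa_pass.*$")

# Stricter variant (an assumption, not from the post): the Referer must be
# exactly the URL being requested, enforced with a backreference to "uri".
STRICT_RE = compile_failregex(
    r'^<HOST> \S+ \S+ \[[^\]]+\] "GET (?P<uri>/\S*coppa_pass\S*) HTTP/[\d.]+" '
    r'200 \d+ "https?://[^/"\s]+(?P=uri)" '
)

# Constructed sample lines (not real traffic).
SITE = "http://forum.example/index.php"
STEP1 = "?act=Reg&CODE=00&coppa_pass=1"
STEP2 = "?act=Reg&coppa_user=0&termsread=1&coppa_pass=1"
UA = '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"'
TS = "[05/Jan/2011:09:26:55 +0000]"
SAMPLE_LOG = [
    # Bot: registration page requested with itself as the Referer.
    f'198.51.100.7 - - {TS} "GET /index.php{STEP1} HTTP/1.0" 200 50934 "{SITE}{STEP1}" {UA}',
    # Browser: script fetched from the second registration step.
    f'192.0.2.10 - - {TS} "GET /jscripts/ipb_register.js HTTP/1.1" 200 11959 "{SITE}{STEP2}" {UA}',
    # Browser: form POST from the first registration step.
    f'192.0.2.10 - - {TS} "POST /index.php{STEP2} HTTP/1.1" 200 13647 "{SITE}?act=Reg&CODE=00" {UA}',
    # Browser: link followed from step two back to step one (different URLs).
    f'192.0.2.20 - - {TS} "GET /index.php{STEP1} HTTP/1.1" 200 11197 "{SITE}{STEP2}" {UA}',
]


def banned_hosts(regex, lines):
    """Return the sorted set of hosts a jail with maxretry = 1 would ban."""
    return sorted({m.group("host") for m in map(regex.match, lines) if m})


if __name__ == "__main__":
    print("post's failregex:", banned_hosts(PAGE_RE, SAMPLE_LOG))
    print("strict variant:  ", banned_hosts(STRICT_RE, SAMPLE_LOG))
```

The last sample line shows the one case where the two patterns differ: a GET whose request and Referer both contain `coppa_pass` but are not the same URL. The `fail2ban-regex` tool shipped with fail2ban runs the same kind of check against a real log file.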

IPB Information on the latest spam outbreak here


Rsync for Windows – what a great tool. CWRSync – The package that is rsync for Windows (bundled with Cygwin, OpenSSH, OpenSSL, Rsync). Pretty easy to install (latest version here).
Can be a PITA to set up correctly. I am trying to rsync from Windows Server 2003 to my CentOS VPS via SSH, which after a few hours of head bashing finally works. The command line help could be a little bit more informative!

There is a batch file template included, and the forums can be found on the download site linked to above, and of course Google. The gist of getting this to work is along the lines of:

SET HOME=%HOMEDRIVE%%HOMEPATH%

(Sets environment variable)

 cd "c:\program files\cwrsync\bin"
 ssh-keygen -t rsa -N ''

(just go with the defaults, or change the file location)

Copy the SSH public key to your server (note that this replaces any existing authorized_keys file for that user):

C:\Program Files\cwRsync\bin>rsync -avz -e "./ssh -p xxxxx" "./id_rsa.pub" user@hostname.com:.ssh/authorized_keys

xxxxx=port SSH is listening on if changed away from default

Restart SSH on the server and it should pick up the new keys

To then sync stuff, try the following syntax which worked for me:

C:\Program Files\cwRsync\bin>rsync -av --chmod u+rwx -e "./ssh -i id_rsa -p xxxxx" user@hostname.com:/var/www/ "/cygdrive/d/backup/www"

xxxxx=port SSH is listening on if changed away from default

Change the paths as required and you should be good to go. This works quite nicely, especially when run as a scheduled task.