I am an admin for an Invision IPB.x v2 BB and over the last few days we have been hammered by spammers creating new accounts and posting new topics or replying to existing topics with various posts containing various links. Most IPs seem to originate from Russia/China/Far East with a few from Europe and USA. We already have a nifty mod written by another administrator which runs every 15 minutes and checks the result to a question asked at registration with a drop down answer. The result of this question is stored against the user, and the 15 minute job checks for users with the wrong answer – if found it deletes the user and all posts associated with it.
Unfortunately some users still report the spam posts to an admin/mod and it has got quite tiresome, so I investigated further into fail2ban. I already use it to check the SSH logs for invalid attempts, so I thought I would expand it to monitor Apache logs.
I retrieved the logs from a spammer at registration and compared them to a legitimate registration and found a few differences:
Legitimate registration:
x.x.x.x – – [05/Jan/2011:11:50:42 +0000] “GET /index.php?act=Reg&CODE=00 HTTP/1.1” 200 11197 “http://forum.alfa145.com/” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:42 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:43 +0000] “GET /style_images/jam/css_pp_header.gif HTTP/1.1” 200 763 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “POST /index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1 HTTP/1.1” 200 13647 “http://forum.alfa145.com/index.php?act=Reg&CODE=00” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “GET /jscripts/ipb_register.js HTTP/1.1” 200 11959 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:45 +0000] “GET /style_images/jam/spacer.gif HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:46 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:50 +0000] “GET /index.php?s=&act=xmlout&do=check-user-name&name=aj_test&__=1294228302933 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:50 +0000] “GET /style_images/jam/aff_tick.gif HTTP/1.1” 200 904 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:50:53 +0000] “GET /index.php?s=&act=xmlout&do=check-display-name&name=aj_test&__=1294228305808 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:04 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228316725 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:08 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228321304 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-email-address&email=adamcarter81@gmail.com&__=1294228346849 HTTP/1.1” 200 0 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-user-name&name=aj_test&__=1294228346851 HTTP/1.1” 200 8 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “POST /index.php HTTP/1.1” 200 10566 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:34 +0000] “GET /index.php?s=&act=xmlout&do=check-display-name&name=aj_test&__=1294228346852 HTTP/1.1” 200 5 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:36 +0000] “GET /style_images/jam/aff_cross.gif HTTP/1.1” 200 331 “http://forum.alfa145.com/index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
x.x.x.x – – [05/Jan/2011:11:51:36 +0000] “GET /index.php?act=task HTTP/1.1” 200 43 “http://forum.alfa145.com/index.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)”
Spammer registration:
[root@server7941 forum.alfa145.com]# cat 20110105-access.log | grep 213.108.2.6
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET / HTTP/1.0” 200 102979 “http://remroom.ru” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 89602 “http://forum.alfa145.com/index.php?showforum=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 50674 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “GET /index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0” 200 50934 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “POST /index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1 HTTP/1.0” 200 60189 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:58 +0000] “POST /index.php HTTP/1.0” 200 49269 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=Reg&CODE=03&uid=5949&aid=bb2b7bf1f1c7e654f005e6921268a32a HTTP/1.0” 200 0 “http://remroom.ru” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?&act=login&CODE=autologin&fromreg=1 HTTP/1.0” 200 41758 “http://forum.alfa145.com/index.php?&act=login&CODE=autologin&fromreg=1” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=login&CODE=00 HTTP/1.0” 200 51314 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “POST /index.php?act=Login&CODE=01 HTTP/1.0” 200 41342 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “GET /index.php? HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php?” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=00 HTTP/1.0” 200 61359 “http://forum.alfa145.com/index.php?act=UserCP&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=01 HTTP/1.0” 200 69116 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “GET /index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 69398 “http://forum.alfa145.com/index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75050 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “POST /index.php?act=UserCP&CODE=23 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75264 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:51 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62602 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 41383 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62714 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 96591 “http://forum.alfa145.com/index.php?showforum=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 79182 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “POST /index.php? HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “GET /index.php?showtopic=18782 HTTP/1.0” 200 81015 “http://forum.alfa145.com/index.php?showtopic=18782” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
So immediately obvious was the referrer field was set to the same as the GET request in the spammer’s registration, so using fail2ban I created a new Jail and used the following regex to monitor Apache’s access log:
failregex = ^<HOST> -.*GET.*coppa_pass.* 200 .*coppa_pass.*$
I set it to ban after 1 match and so far it seems to be working – about 10 IPs get banned an hour and our 15 minute spammer clean up job has reported no user accounts have been deleted since running fail2ban, and new legitimate users have been created since. Until the next spammer outbreak…
IPB Information on the latest spam outbreak here
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET / HTTP/1.0” 200 102979 “http://remroom.ru” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 89602 “http://forum.alfa145.com/index.php?showforum=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 50674 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “GET /index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0” 200 50934 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:55 +0000] “POST /index.php?act=Reg&coppa_user=0&termsread=1&coppa_pass=1 HTTP/1.0” 200 60189 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:26:58 +0000] “POST /index.php HTTP/1.0” 200 49269 “http://forum.alfa145.com/index.php?act=Reg&CODE=00&coppa_pass=1” “Opera/9.0 (Windows NT 5.1; U; en)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=Reg&CODE=03&uid=5949&aid=bb2b7bf1f1c7e654f005e6921268a32a HTTP/1.0” 200 0 “http://remroom.ru” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?&act=login&CODE=autologin&fromreg=1 HTTP/1.0” 200 41758 “http://forum.alfa145.com/index.php?&act=login&CODE=autologin&fromreg=1” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:46 +0000] “GET /index.php?act=login&CODE=00 HTTP/1.0” 200 51314 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “POST /index.php?act=Login&CODE=01 HTTP/1.0” 200 41342 “http://forum.alfa145.com/index.php?act=login&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:47 +0000] “GET /index.php? HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php?” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=00 HTTP/1.0” 200 61359 “http://forum.alfa145.com/index.php?act=UserCP&CODE=00” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:48 +0000] “GET /index.php?act=UserCP&CODE=01 HTTP/1.0” 200 69116 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=01” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:49 +0000] “GET /index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 69398 “http://forum.alfa145.com/index.php?act=usercp&member_id=&CODE=01&___msg=settings_updated&md5check=a2abe06ea8aaa81dd26edea5856c91f4” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75050 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “POST /index.php?act=UserCP&CODE=23 HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:50 +0000] “GET /index.php?act=UserCP&CODE=22 HTTP/1.0” 200 75264 “http://forum.alfa145.com/index.php?act=UserCP&CODE=22” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:51 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62602 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “POST /index.php?auth_key=a2abe06ea8aaa81dd26edea5856c91f4 HTTP/1.0” 200 41383 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php?act=UserCP&CODE=24 HTTP/1.0” 200 62714 “http://forum.alfa145.com/index.php?act=UserCP&CODE=24” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:52 +0000] “GET /index.php HTTP/1.0” 200 106492 “http://forum.alfa145.com/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:53 +0000] “GET /index.php?showforum=6 HTTP/1.0” 200 96591 “http://forum.alfa145.com/index.php?showforum=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:54 +0000] “GET /index.php?act=post&do=new_post&f=6 HTTP/1.0” 200 79182 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “POST /index.php? HTTP/1.0” 200 0 “http://forum.alfa145.com/index.php?act=post&do=new_post&f=6” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
213.108.2.6 – – [05/Jan/2011:09:31:55 +0000] “GET /index.php?showtopic=18782 HTTP/1.0” 200 81015 “http://forum.alfa145.com/index.php?showtopic=18782” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”