Web Log hits from psycheclone

Posted by: binarysp
Posted on: 2006-06-06 10:38:00

I'm going to go out on a limb and say the thousands of hits on my site in the last few days were probably due to the DDOS attack and not the instant popularity of my site... :(

Anyway - has anyone else checked their web reports and found a browser "psycheclone" listed as their #1 browser hit?

I've googled the name, but not hit much. The wiki was empty on this subject... so now it's time to ask y'all if you have any info.

Cheers and I'm glad to be back online, DDOS attackers suck.


Re: Web Log hits from psycheclone

Posted by: Asztal
Posted on: 2006-06-10 14:51:00

I've seen a few of these too, but only about 5 or 6. Given that this thread is the top Google result for "psycheclone", I doubt I'm going to find anything :/

Re: Web Log hits from psycheclone

Posted by: Chris Longley
Posted on: 2006-06-10 15:05:00

I have matrixstats which is usually up to date on robots and it lists psycheclone as a robot; I've had a few hits from it myself.

Chris Longley
www.chrislongley.com

Re: Web Log hits from psycheclone

Posted by: Shonky
Posted on: 2006-06-10 17:57:00

I've had a few hits from this robot as well; just the name alone makes me think it's a scraper bot.

Since I couldn't find any info on it I blocked its IP address using .htaccess across most of my sites.

Re: Web Log hits from psycheclone

Posted by: victor
Posted on: 2006-06-10 19:34:00

Yes, I also got those 'psycheclone' hits on my website. Just wonder what that is. Could it be some kind of spam software or what? In only a few days it has taken up hundreds of hits on my web pages. Hope it is not some kind of virus.

Re: Web Log hits from psycheclone

Posted by: a1non1mouse
Posted on: 2006-06-11 14:58:00

I started noticing e-mail being sent to strange account names on my mail server recently. I remembered just today that I added some script to one of my web sites that takes the client IP address and the date and encodes it into a text name, then adds the domain name and places it in the home page as a mailto: link. I can then decode the values later.

Today a spam was sent to an account that indicates 208.66.195.9 harvested this address on 6/2/2006. I checked my server logs to confirm this, and sure enough, there it was.

2006-06-02 10:32:06 208.66.195.9 - 80 GET /robots.txt - 200 0 psycheclone -
2006-06-02 10:32:06 208.66.195.9 - 80 GET /index.html - 200 0 psycheclone -

I searched for "psycheclone" and found this thread. I am assuming this is some sort of high speed web-bot that can be configured for email harvesting.
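
Added example (not part of any post in this thread, and not a1non1mouse's script, which is not shown): a Python sketch of the tagged mailto: scheme described above, followed by the log lookup that confirms the visit. The base32 layout, the truncated HMAC, the secret and the example.org domain are assumptions; the first two log lines are the ones quoted in the post.

```python
import base64, hashlib, hmac, ipaddress
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: per-site secret, not in the thread
DOMAIN = "example.org"            # placeholder domain

def _tag(payload: bytes) -> bytes:
    # 3-byte MAC so guessed or mangled addresses do not decode to a false lead
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:3]

def make_address(client_ip: str, day: date) -> str:
    """Build the per-visitor mailto address to embed in the served page."""
    payload = ipaddress.IPv4Address(client_ip).packed + day.toordinal().to_bytes(3, "big")
    local = base64.b32encode(payload + _tag(payload)).decode().lower()  # 10 bytes -> 16 chars
    return f"{local}@{DOMAIN}"

def decode_address(address: str):
    """Return (ip, date) for a genuine tagged address, else None."""
    local = address.split("@", 1)[0]
    try:
        raw = base64.b32decode(local, casefold=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) != 10 or not hmac.compare_digest(raw[7:], _tag(raw[:7])):
        return None
    ip = str(ipaddress.IPv4Address(raw[:4]))
    return ip, date.fromordinal(int.from_bytes(raw[4:7], "big"))

def matching_hits(log_lines, ip: str, day: date):
    """Pick the log entries (date time c-ip ... layout, as in the post) for that visit."""
    out = []
    for line in log_lines:
        f = line.split()
        if len(f) >= 3 and f[0] == day.isoformat() and f[2] == ip:
            out.append(line)
    return out

# The two log lines quoted in the post above, plus one constructed unrelated line.
LOG = [
    "2006-06-02 10:32:06 208.66.195.9 - 80 GET /robots.txt - 200 0 psycheclone -",
    "2006-06-02 10:32:06 208.66.195.9 - 80 GET /index.html - 200 0 psycheclone -",
    "2006-06-02 10:40:11 192.0.2.44 - 80 GET /index.html - 200 0 Mozilla/4.0 -",
]

if __name__ == "__main__":
    rcpt = make_address("208.66.195.9", date(2006, 6, 2))  # address the spam arrived at
    ip, day = decode_address(rcpt)
    print(rcpt, ip, day, len(matching_hits(LOG, ip, day)))
```

Mail to any local part that fails the MAC check (a dictionary guess such as postmaster@, or a truncated copy) decodes to None rather than to a misleading IP and date.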

Re: Web Log hits from psycheclone

Posted by: forcaster
Posted on: 2006-06-11 15:05:00

The IP addresses that psycheclone uses belong to Mc Colo Corporation of Newark, DE, a virtual hosting service. The narrower IP address range used belongs to a private UK company called Dital Infinity LTD. It hits every link on a website, and repeats the practice many times to generate a large number of hits. If it is a bot, then it must have some bugs. Maybe it is looking for some weakness in a web site.

Re: Web Log hits from psycheclone

Posted by: tmy
Posted on: 2006-06-12 00:42:00

We saw this psycheclone agent too, but from another IP in that range: 208.66.195.7

It seems it is buggy, too, because it does not correctly decode the & in URLs (which causes a warning due to incorrect link in our application, which is how I noticed it in the first place).

Luckily we do not provide e-Mail addresses outside the password protected area :-)

Re: Web Log hits from psycheclone

Posted by: tmy
Posted on: 2006-06-12 00:43:00

Ugh,

make that & in my previous post.

It seems this forum does not escape HTML????

Re: Web Log hits from psycheclone

Posted by: csamuel
Posted on: 2006-06-12 03:48:00

The range they're using at present is listed as NET-208-66-195-0-1 and is registered to Digital Infinity Ltd (digitalinfinity.org) in Moscow, not the UK. E-mail goes via estboxes.com (Googling shows lots of spam related stuff).

I'm blocking them now..

Chris

Re: Web Log hits from psycheclone

Posted by: forcaster
Posted on: 2006-06-12 04:33:00

Thanks for the correction. I have tried to correct the misspelled name of Digital Infinity, but somehow the edit function failed. My hosting agent has notified me that psycheclone is now officially listed as a "bot" and we can find its details in http://www.botsvsbrowsers.com/details/38021/index.html . Since psycheclone starts from looking into robots.txt, I am trying to block it by editing robots.txt; if the user of the bot changes its setting, it probably can ignore robots.txt!

Re: Web Log hits from psycheclone

Posted by: csamuel
Posted on: 2006-06-12 05:06:00

No worries. I just banned their entire address space by adding:

deny from 208.66.195.0/28

to my .htaccess file, so it doesn't matter what they call it (until they change provider).

cheers,
Chris

Re: Web Log hits from psycheclone

Posted by: mastermind
Posted on: 2006-06-12 05:13:00

lol, it *will* ignore your robots.txt; it's a spam bot, and they don't care about conventions. Even worse: a spam bot could read your robots.txt and find out where you have interesting stuff you want to keep "secret".

I'm also blocking this IP now; not in .htaccess, but directly with my firewall. Hoping that it doesn't spread via Zombie hosts.

ServerSite Linux – a full-featured webserver on a LiveCD

Re: Web Log hits from psycheclone

Posted by: black_tulip
Posted on: 2006-06-12 11:42:00

I got 25% of my hits last week from psycheclone... I'd like to use this blocking tactic but am a novice, I can only see .htaccess files in my password protected directories not on my main site.

Normally I would 'save as' an edited version but I'm having problems saving a system file i.e. no filename just the .htaccess extension.

If anyone could provide advice about how to save it and what to put in it I'd really appreciate it. Ta

Re: Web Log hits from psycheclone

Posted by: forcaster
Posted on: 2006-06-12 18:03:00

My website is hosted by a low cost hosting service. I cannot block the incoming IP address by myself. Since last night, after I edited the robots.txt, there has been only one attempt by psycheclone and it backed off immediately after connecting to my web site. However, I am not sure it is due to my editing of robots.txt or due to something else. Two days ago I e-mailed Mc Colo Corporation, the hosting service for Digital Infinity LTD that is sending out this psycheclone, and advised them that their client is doing something funny. If Mc Colo Corporation has taken some action, then everyone's hits from psycheclone should be reduced dramatically today. It will be interesting to receive reports about psycheclone attack of June 12, 2006!

Re: Web Log hits from psycheclone

Posted by: tez
Posted on: 2006-06-13 18:07:00

I use a sort of DDoS detection in my php that limits any visitors to X visits per X seconds and bans them for X seconds if they are over that, it seems to work very well against the crawlers that I hate. BUT for registered visitors I have a much lower limit so it won't affect them at all unless they are doing something like downloading the entire site or reloading browser with 40 tabs windows open. And I get emailed when it happens with info on user cookie, url etc, just in case.

Also have in my .htaccess some redirects to common formmail.pl links that will rewrite the request to another ban php script that adds their IP to the .htaccess ban list, in combination with a robots.txt file that forbids access to some URLs (which are hidden near the top of the page HTML) you can pick up a nice range of banned IPs over time of "hacks" that disobey the robots.txt and IPs that are scanning for flaws. Plus I get the emailed info including any existence of a user cookie in case a user accidentally bans himself (which has never happened in 5 years so far).

If anyone wants my stuff, I'll post it somewhere on here if I can find a section for it. Maybe help me fix any bugs it might have.
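
Added example (not part of any post in this thread, and not tez's PHP): a Python sketch of the two mechanisms described above, a per-IP "X visits per X seconds, banned for X seconds" limiter and a ban triggered by requesting a URL that robots.txt forbids. The class name, thresholds, trap paths and traffic are constructed, and treating the registered-visitor threshold as the more permissive one is an assumption.

```python
from collections import defaultdict, deque

class FloodGuard:
    """Per-IP sliding-window limiter plus trap URLs, after the scheme in the post."""
    def __init__(self, limit, window, ban_secs, member_limit, trap_paths):
        self.limit, self.window, self.ban_secs = limit, window, ban_secs
        self.member_limit = member_limit      # separate threshold for logged-in users
        self.trap_paths = tuple(trap_paths)   # paths robots.txt disallows; no human follows them
        self.hits = defaultdict(deque)        # ip -> request times still inside the window
        self.banned_until = {}                # ip -> time the temporary ban expires
        self.trapped = set()                  # ips that requested a trap path

    def check(self, ip, path, now, registered=False):
        """Classify one request: 'allow', 'blocked', 'flood-ban' or 'trap-ban'."""
        if ip in self.trapped or self.banned_until.get(ip, 0) > now:
            return "blocked"
        if path.startswith(self.trap_paths):
            self.trapped.add(ip)
            return "trap-ban"
        recent = self.hits[ip]
        recent.append(now)
        while recent[0] <= now - self.window:  # drop hits older than the window
            recent.popleft()
        if len(recent) > (self.member_limit if registered else self.limit):
            self.banned_until[ip] = now + self.ban_secs
            recent.clear()
            return "flood-ban"
        return "allow"

    def htaccess_lines(self):
        """Trap hits as 'deny from' lines, the .htaccess form used earlier in the thread."""
        return [f"deny from {ip}" for ip in sorted(self.trapped)]

def replay(guard, requests):
    """Feed (time, ip, path, registered) tuples through the guard; return the verdicts."""
    return [guard.check(ip, path, t, reg) for t, ip, path, reg in requests]

# Constructed traffic: a crawler walking calendar links, a probe, a logged-in user.
SAMPLE = [(t, "208.66.195.9", f"/calendar?m={t}", False) for t in range(5)]
SAMPLE += [(5, "192.0.2.10", "/cgi-bin/formmail.pl", False), (6, "192.0.2.10", "/", False)]
SAMPLE += [(t, "198.51.100.5", "/forum/", True) for t in range(7, 12)]

if __name__ == "__main__":
    g = FloodGuard(limit=3, window=10, ban_secs=60, member_limit=10,
                   trap_paths=["/cgi-bin/formmail.pl", "/trap/"])
    for req, verdict in zip(SAMPLE, replay(g, SAMPLE)):
        print(req, verdict)
    print(g.htaccess_lines())
```

The flood ban expires on its own, while a trap hit stays on the deny list until someone removes it, which is why the post keeps the e-mailed record of cookie and URL for each ban.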

Re: Web Log hits from psycheclone

Posted by: Raz2133
Posted on: 2006-06-13 22:48:00

In reply to:

I use a sort of DDoS detection in my php that limits any visitors to X visits per X seconds and bans them for X seconds if they are over that


It sounds like a very interesting system.

I, for one, would be interested in having a look at the source, but I am not sure I could actually do much with it, as PHP is not a language I am particularly familiar with (yet). My background is in conventional, non web-based languages, such as C/C++, Object Pascal, etc.

Mark

Re: Web Log hits from psycheclone

Posted by: briang
Posted on: 2006-06-14 00:49:00

I've been getting some hits from psycheclone. I did a search and this board came up. It wasn't a lot of hits, so I'm not too worried.
It would be nice to know what it's actually for.


Re: Web Log hits from psycheclone

Posted by: brickballs
Posted on: 2006-06-14 12:05:00

In reply to:

Normally I would 'save as' an edited version but I'm having problems saving a system file i.e. no filename just the .htaccess extension.

If anyone could provide advice about how to save it and what to put in it I'd really appreciate it. Ta


I'm almost certain that if you put the filename in quotes it will save exactly as you tell it.

Secondly,

In reply to:

I use a sort of DDoS detection in my php that limits any visitors to X visits per X seconds and bans them for X seconds if they are over that,


I do know a touch of php, I'd be interested in seeing that

[+]brickballs

Re: Web Log hits from psycheclone

Posted by: tez
Posted on: 2006-06-14 19:32:00

It isn't too much code and it isn't an ultimate solution, but they work pretty well for medium sized sites (I have a forum with 100+ regular daily visitors).

IP flood detection, DDoS detector for PHP
URL based IP ban with htaccess and PHP

Re: Web Log hits from psycheclone

Posted by: Darren996
Posted on: 2006-06-15 17:13:00

I thought it was funny that psycheclone ignored my robots.txt and got lost in my calendar. It just kept clicking links off into the future. It would be really funny if we all made some infinite link trap for bots that ignore robots.txt. That would teach them. :)

Edited by Darren996 on 06/15/06 05:27 PM (server time).

Re: Web Log hits from psycheclone

Posted by: tez
Posted on: 2006-06-15 17:25:00

It won't teach them, they could care less and probably enjoy taking your bandwidth, filling your logs with junk, distorting your stats and slowing down the server more than you enjoy wasting their time - if they use zombies then there is zero cost to them.

Re: Web Log hits from psycheclone

Posted by: Darren996
Posted on: 2006-06-15 17:31:00

I don't care. I'll put in random email addresses to government officials and make all my pages plain text. :)

Re: Web Log hits from psycheclone

Posted by: tez
Posted on: 2006-06-15 17:47:00

! Good idea, especially if you carefully choose people who have some sort of influence in the right areas - WORLDWIDE!

Re: Web Log hits from psycheclone

Posted by: lrosenstein
Posted on: 2006-06-16 13:29:00

I just noticed a bunch of entries in my log from psycheclone as of an hour ago. It looks like it did obey robots.txt, however.

Re: Web Log hits from psycheclone

Posted by: forcaster
Posted on: 2006-06-19 08:28:00

I edited my robots.txt to forbid psycheclone on 6/11. That night it came in once and was bounced. Then it came back again on 6/18 and bounced again, with my website generating a forbiden.htm error. Within this whole thread there is another web manager reporting that psycheclone seems to obey robots.txt. It seems to me that a simple html file like robots.txt (supposed to be just a reminder to indexing software) will be able to block a spybot like psycheclone. It is possible that the hosting company reads robots.txt and blocks unwanted bots for their clients since they do not provide a tool for clients to block IP addresses directly.

Re: Web Log hits from psycheclone

Posted by: Raz2133
Posted on: 2006-06-19 08:37:00

In reply to:

It is possible that the hosting company reads robots.txt and blocks unwanted bots for their clients


I really doubt that this is happening.

In reply to:

since they do not provide a tool for clients to block IP addresses directly.


They do actually. You can block individual IP addresses (or IP blocks) using a simple .htaccess file.

Mark

Re: Web Log hits from psycheclone

Posted by: black_tulip
Posted on: 2006-06-26 04:05:00

ta, that worked!

Re: Web Log hits from psycheclone

Posted by: brickballs
Posted on: 2006-06-26 05:48:00

=D

[+]brickballs

Re: Web Log hits from psycheclone

Posted by: gordaen
Posted on: 2006-06-28 22:03:00

Looks like it has been busy. I was wondering why the sitemaps python script was generating results for RARELY visited pages on my site (when I only have it add based on the past two days of logs). I checked the logs and saw this bot as well.

Re: Web Log hits from psycheclone

Posted by: fjreinders
Posted on: 2006-07-13 01:21:00

psycheclone traces back to Moscow http://visualroute.visualware.com/ you can find the hosting company digital infinity

Re: Web Log hits from psycheclone

Posted by: jmcquadesr
Posted on: 2006-07-13 05:47:00

Hey guys, guess I'm a little too new to DreamHost and .htaccess files. How do you set an IP ban in it from your site, so I can block this robot as well? I have 100 hits in 18 days already. So I'm trying to get my site back under control. Any help would be great.



Re: Web Log hits from psycheclone

Posted by: Raz2133
Posted on: 2006-07-13 06:09:00

In reply to:

how do you set an IP ban in it from your site?


I think you'll find the following wiki article useful.

http://wiki.dreamhost.com/index.php/KB_/_Unix_/_.htaccess_files#Deny.2FAllow_Certain_IP_Addresses

Mark

Re: Web Log hits from psycheclone

Posted by: jmcquadesr
Posted on: 2006-07-13 08:44:00

Thanks a TON... that site is VERY helpful. Those bans are filling up, and the idiots are going away. ::) Thanks a million

Re: Web Log hits from psycheclone

Posted by: bhinton
Posted on: 2006-07-13 10:16:00

I'm trying to use the php approach from above - trouble is some of my sites are driven by wordpress. So when I edit index.php as follows my site just generates an empty screen. So what am I doing wrong here?

<?php
$svr=$_SERVER['HTTP_USER_AGENT'];
if (stristr($svr,"psycheclone")==TRUE){
    header("Location: http://mccolo.com/english/contact.html");
}else{
    define('WP_USE_THEMES', true);
    require('./wp-blog-header.php');
}
?>

