M$ Attacks Slated

Slated.org has a post about finding a cross-site scripting attack from M$’s network. I checked my log, too.

grep ^207.46 access.log > M$.log
grep bingbot M$.log|wc
5467 82005 975524
wc M$.log
8137 154312 1733632 M$.log

So, a lot are bingbot but a lot are not… Someone is still using IE6 there:
grep MSIE\ 6 M$.log|wc
1134 33067 340898
grep MSIE\ 6 M$.log|sed -e s/\ .*$//|sort|uniq|wc
105 105 1481

The most popular story on my blog that M$ read?
grep GET\ /2011/03/15/why-ie6-thrives-in-china M$.log|wc
12 238 2493

Why IE6 Thrives in China
“Back in 2007, IE6 had a large share everywhere. M$ and its friends decided to lean on the government of China to combat illegal copying of M$’s software. They sparked a prosecution that put away an organized criminal outfit for years. The result is that there exist, out there, many millions of CDs of XP with IE6 and no one is updating the version… Talk about unintended consequences. M$ was trying to get everyone to go legal and buy the latest koolaid. Instead they have frozen XP and IE6 in time, creating a generation of users of PCs that are unfamiliar with M$’s current products.”

Chuckle. I could just block their subnet but this is just too much fun. I guess I will have to start reading Slated to see what ticked off M$ so much. Perhaps I am not trying hard enough…
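The log session above, as an added example that is not part of the original post: a single awk pass reports, for each claimed user-agent, the hit count and the number of distinct client addresses inside a literal address prefix. The function names, the combined log format and the sample log are assumptions; the sample lines are constructed, and only the two 207.46 addresses in them come from the comments below.

```shell
#!/bin/sh
# Added example: one-pass summary of the grep/sed/sort/uniq session above.
# summarize_prefix LOGFILE PREFIX prints "class hits distinct_ips" for each
# user-agent class seen from clients whose address starts with PREFIX.
summarize_prefix() {
    awk -F'"' -v prefix="$2" '
        {
            # With a double quote as separator: $1 = "ip - - [date] ",
            # $2 = request line, $6 = user-agent (combined log format).
            split($1, head, " "); ip = head[1]
            # index() compares literally, so "." only ever matches a dot.
            if (index(ip, prefix) != 1) next
            ua = $6
            if (ua ~ /bingbot/)     class = "bingbot"
            else if (ua ~ /msnbot/) class = "msnbot"
            else if (ua ~ /MSIE 6/) class = "msie6"
            else                    class = "other"
            hits[class]++
            if (!((class, ip) in seen)) { seen[class, ip] = 1; ips[class]++ }
        }
        END { for (c in hits) print c, hits[c], ips[c] }
    ' "$1" | sort
}

# Constructed sample log (hypothetical paths, sizes and times).
make_sample_log() {
    cat > "$1" <<'EOF'
207.46.12.154 - - [17/Jul/2011:05:51:33 +0000] "GET /a/ HTTP/1.1" 200 12867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
207.46.12.154 - - [17/Jul/2011:05:52:10 +0000] "GET /b/ HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
207.46.199.46 - - [17/Jul/2011:18:35:00 +0000] "GET /c/ HTTP/1.1" 200 12846 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.0.1 - - [17/Jul/2011:18:36:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.0.2 - - [17/Jul/2011:19:00:00 +0000] "GET /a/ HTTP/1.1" 200 12867 "-" "curl/7.21.0"
198.51.100.7 - - [17/Jul/2011:19:05:00 +0000] "GET /a/ HTTP/1.1" 200 12867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
EOF
}

# Demo: run this file with --demo to print the summary for the sample log.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample_log "$tmp"
    summarize_prefix "$tmp" "207.46."; rm -f "$tmp"
fi
```

The user-agent is whatever the client chooses to send, so each class is a claim; the reverse lookup done in the comments is what ties an address to search.msn.com.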

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

6 Responses to M$ Attacks Slated

  1. Dr Loser says:

    Seriously, if you think this is an actual problem, let me know.

    I’ve got nothing better to do next week, and I have access to all the relevant logs, etc.

    Yrs affectionately, etc

    a-peterd@microsoft.com

  2. Dr Loser says:

    Just done a reverse IP look-up on case 1:

    msnbot-207-46-12-154.search.msn.com

    Right. Now, first things first. If it’s msnbot, it’s probably a legacy system of some sort. (I use msnbot, but then by definition I am a legacy.)

    I do not, as a developer, have direct access to search.msn.com. Leaving conspiracy theories to one side, I don’t think many other people outside either the Phoenix or the Chicago domains do, either.

    Bringing conspiracy theories back in, it’s possible that you are looking at a “cross-site scripting attack from M$’s network,” in which case you have yourself an exclusive scoop. As we say in Microsoft, ship it!

    On the other hand you are probably either looking at an out-dated web-bot, running on Windows Server 2003, or you are looking at some hideous failure of a developer like me who relies on this stuff to test their world-conquering software and just plain fergot to turn it off overnight.

    I’d suspect the former, but in all honesty it isn’t particularly noteworthy either way.

  3. Dr Loser says:

    (For Windows 2010 server, substitute Windows 2008).

  4. Dr Loser says:

    OK, interesting.

    I believe it’s documented somewhere that Windows Server 2003 gets lazy and declares itself as IE6.

    However, I’m a little confused as to your comparison here. (Bear with me; end of a long week.)

    Are you saying that there are two user agent strings here, which differentiate two different sources?

    Which one are you taking issue with? The first one? Off the top of my head, that’s a Windows 2003 server.

    Or the second one? That looks much more like a Windows 2010 server. Bingbot used to be called msnbot until about April 2010.

    I think it’s a fair guess that the second one is legitimate, and btw Bing is just like Google and Yahoo and the rest and we do, indeed, respect robots.txt. (To an insane degree, if you ask me, but there you go.)

    I’m still assuming that the first one is Windows 2003 server, as an operating principle.

    Now, both of these can reasonably be assumed to be web-bots. (And it would be insane to suggest any direct human intervention.) But what I take from your post is that you are concerned about

    “finding a cross-site scripting attack from M$’s network.”

    I am mildly unconvinced that this is at all likely in the general case. I am rather more convinced that it is spectacularly unlikely in your case. No offence, Robert, but you’re not exactly the Ayatollah, are you?

    Anyhow, I happen to work within the Bing Empire, and I would quite happily try and figure this stuff out for you. If only because it would help us out. And before you mutter about helping M$ out: consider that it would also help all those other web-sites out that the bingbot (or cross-site scripting attack, terminology of choice or as appropriate) is supposedly spamming.

    I could do with a few more specifics, though. Forgive me. I am a bear of very little brain.

  5. Dr Loser wrote, “It’s a web-bot”

    The user-agent string says MSIE 6.0; Windows NT 5.2:

    207.46.12.154 - - [17/Jul/2011:05:51:33 +0000] "GET /2010/10/05/slooowwwwiiiiinnnnnngggggg-doooowwwwnnnn/ HTTP/1.1" 200 12867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SLCC1; .NET CLR 1.1.4322; .NET CLR 2.0.40607; .NET CLR 3.0.30729; .NET CLR 3.5.30707; MS-RTC LM 8)"

    The bingbot stuff looks like this:
    207.46.199.46 - - [17/Jul/2011:18:35:00 +0000] "GET /2011/03/27/how-many-people-use-gnulinux-lots/ HTTP/1.1" 200 12846 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

    Doesn’t look the same to me.

  6. Dr Loser says:

    It’s a web-bot, Robert. “I guess I will have to start reading Slated to see what ticked off M$ so much.”

    Don’t anthropomorphise it. And if you’re going to anthropomorphize it, how do you know it’s ticked off? Perhaps the Redmond Beast really likes you, after all.

    And it isn’t run from a web-browser, and you know it. It’s run from what I would expect to be Server 2008 boxen, although I was under the impression that only Server 2003 announces itself as IE6.
