"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0)" bot in China regularly starts HTTP downloads

klickverbot asked:

Since about two months, a software package (~20 MiB, .tar.gz) we host on AWS is downloaded ~600 times a day by somebody using the bogus UA string from the title. The HTTP referrer is set to a legitimate page that contains a link to that download.

I have yet to run a more detailed analysis, but the IP always seems to be from China, with no reverse lookup record set up. And interestingly, the connection is invariably closed after approximately ~1MB.

The whole thing amounts to several tens of gigabytes of traffic per month – a small amount in the grand scheme of things, obviously, but still enough that I wonder what might be going on, assuming that we are not the only ones “crawled” by that bot.

Have you ever seen something similar on your systems? An idea what kind of bot might be running amok here?

My answer:

Windows 2000? I’d just ban and forget about it. Nobody has any business running Windows 2000 anymore anyway. (Though I’m sure many of us know of one still running somewhere…)

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.