Archive for January, 2011

TrendMicro bot kills your server; how to ban it

We recently ran into very, very big trouble. The server that hosts the only TRUE local marketplace for services was down almost every 48 hours, and we didn’t know why. The server load data showed some tremendous values; there were some open processes that were eating a lot of the server’s 8Gb memory; and we simply didn’t understand why. The guys from the hosting company were equally unaware.

When we had to cope for the third time in a row with such an incident, I decided to study the log files, and I was amazed to discover that in the hours preceding every single incident the server was “attacked” from 3 IPs coming from the same C-class: 216.104.15.* There were a lot of automated tools requesting non-existent pages from our website, running into an infinite loop that requested something like this:

www…/list-services/js/functions.js
www…/list-services/js/js/functions.js
www…/list-services/js/js/js/functions.js

It was obvious that these requests were coming from some sort of search bot too stupid to understand the <base> tag.

Digging more into this, I discovered that this C-class belongs to Trend Micro, a shitty anti-virus producer. Then, searching more on Google, I found out that this shitty anti-virus installs on users’ computers a bullshit tool that “verifies” whether a website spreads malware or not. Unfortunately, their tool seems to be quite stupid, since it cannot correctly parse the HTML code of a page.

That’s why I decided to ban with .htaccess all the requests coming from the said C-class. And digging even more, I discovered that they are using a second class, too: 150.70.64.*, and that a lot of people are starting to complain about them.
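
The log check described above can be automated. The following is an added example, not code from the original post: it counts 404 responses on paths with an immediately repeated segment (the `js/js/` pattern), groups the clients by /24, and renders a deny block. The log lines are constructed samples, the function names are hypothetical, and the Apache 2.4 `Require` syntax is an assumption, since the post does not say which Apache version or directives were used.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format), not the real server's logs.
SAMPLE_LOG = """\
216.104.15.130 - - [12/Jan/2011:03:10:01 +0000] "GET /list-services/js/functions.js HTTP/1.1" 404 312
216.104.15.130 - - [12/Jan/2011:03:10:02 +0000] "GET /list-services/js/js/functions.js HTTP/1.1" 404 312
216.104.15.134 - - [12/Jan/2011:03:10:03 +0000] "GET /list-services/js/js/js/functions.js HTTP/1.1" 404 312
150.70.64.197 - - [12/Jan/2011:03:10:04 +0000] "GET /list-services/js/js/js/js/functions.js HTTP/1.1" 404 312
203.0.113.7 - - [12/Jan/2011:03:10:05 +0000] "GET /list-services/js/functions.js HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2011:03:10:06 +0000] "GET /missing.html HTTP/1.1" 404 312
"""

# Client IP, request path and status code from one Common Log Format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def has_repeated_segment(path):
    """True when a path segment is immediately repeated, as in /js/js/."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return any(a == b for a, b in zip(segments, segments[1:]))

def looping_networks(log_text, min_hits=2):
    """Count 404s on repeated-segment paths per IPv4 /24; keep those at or over min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.groups()
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # hostname or IPv6 client: out of scope for this sketch
        if status == "404" and has_repeated_segment(path):
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            hits[str(net)] += 1
    return {net: n for net, n in hits.items() if n >= min_hits}

def htaccess_block(networks):
    """Render a deny fragment for .htaccess; Apache 2.4 is an assumption, not from the post."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {net}" for net in sorted(networks)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_block(looping_networks(SAMPLE_LOG)))
```

The `min_hits` threshold keeps a single stray request from putting a whole /24 on the deny list; tune it to the volume seen in the real logs before applying the generated block.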