GSLFbot


Who is GSLFBOT?

gslfbot

This bot, GSLFbot, does not respect our robots.txt directive and has been banned.

IP’s encountered:

A bad robot hit 2012-03-31 (Sat) 18:00:05
address is 50.16.28.173, agent is GSLFbot

A bad robot hit /trap/ 2012-03-31 (Sat) 20:00:15
address is 184.73.75.144, agent is GSLFbot

Since these folks are being sneeky in copying our data, they get the ban.

Update: 3 April 2012

If you are using Mod Security 2.X or above, this is the rule we are using to block this website copier. It just drains bandwidth and does not provide any benefit to the webmaster.

SecRule HTTP_User-Agent "GSLFbot" "deny,log,status:403"

This will give the bot a 403 Forbidden server response code and log the visit.

Update: 4 April 2012

A request for a standard .htacess ban for this bot. Your wish is our command, here is an example. This will produce a Forbidden server response code.


Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^GSLFbot
RewriteRule ^.* - [F,L]

This should keep GSLFbot at bay.

Update: 5 April 2012

If you are getting hit with base64_decode hack attempts from this bot. One thing you can do to minimize the possible damage is to shut it off in your php.ini file.

If you are using an Apache/PHP server, access your server and open the file php.ini. Locate this line:

disable_functions =

manually add “base64_decode” to the line to disable that function. Example:

disable_functions = base64_decode,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Save the file and make sure you restart your Apache server to have the changes take effect.

# service httpd restart

Update: Another new IP for GSLFBOT

107.21.137.115 - - [01/Apr/2012:07:17:18 -0400] "GET / HTTP/1.1" 200 2512 "" "GSLFbot"


5 Comments.

  1. Yeah, this same bot was found wrecking havok on our servers, but I stopped short of banning the IP addresses cause I realized that they are Amazon EC2 IP addresses. Probably a better solution would be to report their behavior to Amazon Abuse.

    http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse

  2. Anon, in what way were they wreaking havoc? I’ve just started seeing this bot appear in our logs as well.

  3. yup! Me too april 2012! Clickbot! How to deny from .htaccess?

  4. This is a bad bot. The person behind it puts a eval_code64 script in any email forms you have on your site. Thank sends. At times it will bring your server down others it just seat behind your site. Taken information from your vistiors. Check your php files for eval codes.

  5. I have seen this bot in my logs as well, I see this IP today with user agent GSLFBot – 23.20.138.203.

    I have seen this GSLFBot on other logs as well with different IP’s

    This one is clicking on all my affiliate product links, Amazon, eBay over and over again.

    I using Quick Deny on the server enough to block?