Last Updated: 2018-07-21 15:25:58 UTC
by Didier Stevens (Version: 1)
About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.
It's another IP address this time (again an VPN exit node), but the user agent string is exactly the same:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of request is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.
If you have observed this too or have a remark, please post a comment.
If you have more information or corrections regarding our diary, please share.