stevel
Posted September 30, 2006

On two osC sites I run, I have been seeing an odd thing in the access logs over the past month or so. Lots of entries such as this:

"POST /https://www.example.com/create_account.php?osCsid=a6e7a6d824d69ec16cb66d1c67c53c2b HTTP/1.0"

Note that the file specification includes https: and the hostname, which it would not for a normal attempt to create an account. The osCsid is always the same (even across the two sites) and the referrer is the identical string. There are no previous page loads from the IPs in question. Of course, these always get a 404 error. The IPs vary widely (not any one region of the world.) So far I have been unsuccessful at capturing the POST parameters they are using, though I'm not sure that would tell me anything useful.

On one of my more active sites, this is the #1 "not found" error for the month, with nearly 1000 attempts. On the other site the attempts have slacked off and pretty much gone away.

Anyone else see this in their logs? I am inclined to think that this is a botnet programmed by someone incompetent, since a request of this nature would NEVER succeed.

Steve

Contributions: Country-State Selector Login Page a la Amazon Protection of Configuration Updated spiders.txt Embed Links with SID in Description
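One way to measure the pattern described in the post from an access log. This is an added example, not part of the original post; it assumes Apache combined log format, `analyze` is a hypothetical helper name, and the sample lines (IPs, timestamps, referrer and user-agent fields) are constructed around the request line quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in Apache combined log format. IPs are documentation
# ranges; only the request target and osCsid come from the post.
BAD = "/https://www.example.com/create_account.php?osCsid=a6e7a6d824d69ec16cb66d1c67c53c2b"
SAMPLE_LOG = f"""\
192.0.2.10 - - [30/Sep/2006:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Sep/2006:10:00:09 +0000] "POST /create_account.php?osCsid=1111aaaa HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2006:10:02:13 +0000] "POST {BAD} HTTP/1.0" 404 290 "{BAD[1:]}" "-"
203.0.113.44 - - [30/Sep/2006:10:05:40 +0000] "POST {BAD} HTTP/1.0" 404 290 "{BAD[1:]}" "-"
198.51.100.7 - - [30/Sep/2006:10:09:02 +0000] "POST {BAD} HTTP/1.0" 404 290 "{BAD[1:]}" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A request target whose path itself begins with a scheme, e.g. "/https://host/..."
EMBEDDED_URL = re.compile(r"^/+https?://", re.IGNORECASE)

def analyze(log_text):
    """Summarise requests whose path embeds an absolute URL."""
    browsed = set()              # IPs that already made an ordinary request
    hits, cold = [], set()
    sid_ips = defaultdict(set)   # osCsid value -> IPs that presented it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, target = m["ip"], m["target"]
        if not EMBEDDED_URL.match(target):
            browsed.add(ip)
            continue
        hits.append((ip, m["method"], int(m["status"])))
        if ip not in browsed:
            cold.add(ip)         # no earlier page load from this address
        for sid in parse_qs(target.partition("?")[2]).get("osCsid", []):
            sid_ips[sid].add(ip)
    return {
        "hits": len(hits),
        "ips": sorted({ip for ip, _, _ in hits}),
        "cold_ips": sorted(cold),
        "statuses": sorted({s for _, _, s in hits}),
        # a session id presented by several addresses is not a real session
        "shared_sids": {s: sorted(i) for s, i in sid_ips.items() if len(i) > 1},
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
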