About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.

It's another IP address this time (again an VPN exit node), but the user agent string is exactly the same:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of request is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.

If you have observed this too or have a remark, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status