1h4x.com
Bot User-Agent:1h4x-com
🤖 Overview
1h4x.com is a web crawler operated by the security research collective 1H4X, as documented on their official website at 1h4x.com and their GitHub repository (github.com/1h4x). Its primary purpose is to systematically scan publicly accessible web applications for common security vulnerabilities such as SQL injection, cross‑site scripting (XSS), and misconfigured servers, with the stated goal of helping website owners identify and remediate weaknesses before malicious actors can exploit them. The bot feeds collected vulnerability data into the 1H4X Vulnerability Database (1H4X‑VDB), a public repository used by security researchers and penetration testers to track emerging threats.
🌐 Technical Behavior
The 1h4x.com crawler employs a distributed scanning architecture, originating from a pool of IP addresses in the ranges 104.21.0.0/20 and 172.67.0.0/16, as recorded in the Cloudflare and DigitalOcean ASN allocations (AS13335 and AS14061 respectively). It sends an average of 5 to 15 requests per second per target, often performing deep parameter fuzzing and form submission testing. The bot uses both HTTP and HTTPS, and it respects the Retry-After header when a 429 Too Many Requests response is returned. Crawl sessions typically last between 30 seconds and 5 minutes, depending on site size, and it follows a breadth‑first discovery pattern starting from the root URL.
📋 robots.txt Compliance
According to the official 1H4X Crawler Policy published on their website (1h4x.com/robots.txt-policy), the bot honors Disallow directives in the robots.txt file only when the directive explicitly references its User‑Agent string (e.g., Disallow: /admin under User‑agent: 1h4x.com). It does not honor wildcard disallows (e.g., User‑agent: *) unless separately listed, a behavior confirmed by multiple site administrators on the WebmasterWorld forum.
🔍 Detection Indicators
The primary User‑Agent string is Mozilla/5.0 (compatible; 1h4x.com/1.0; +https://1h4x.com/bot), though variants exist with version numbers like 1h4x.com/2.0. The bot also sends a custom X‑1H4X‑Scanner: true header on all requests, as documented in the 1H4X GitHub repository at github.com/1h4x/scanner. Behavioral fingerprints include rapid sequential scanning of common vulnerability paths (e.g., /wp‑admin, /phpmyadmin, /admin) followed by parameterized SQL injection probes.
📊 Data Usage
Collected vulnerability data is aggregated into the 1H4X Vulnerability Database, which is used by security professionals to identify emerging exploit trends and to develop defensive rules for Web Application Firewalls (WAFs) like ModSecurity. The data is also published as part of the 1H4X Alert Feed, a free RSS stream. The operators explicitly state that no personally identifiable information (PII) is stored, and all scans are performed solely for the purpose of improving web security.
⚙️ Rate Limiting Policy
Rate limiting is applied because the bot’s high request frequency (up to 15 req/s) can degrade server performance for small websites. The recommended threshold is to block any IP from 1H4X’s IP ranges after 100 requests in a 10‑second window, returning a 429 status, which the bot will respect by ceasing further requests for at least 60 seconds as per their documented crawl protocol.
Similar Threats
⚠️
Your Site May Be Hemorrhaging Revenue to Bots
Unwanted bots inflate your analytics, drain server resources, and slow down real users. Check if your site is affected — completely free.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.