North American Network Operators Group


Re: Unusual GET requests

  • From: Rachael Treu
  • Date: Wed Oct 22 19:25:04 2003

Though it appears that you've been able to collect some off-list 
factoids, I think that a little open forum speculation regarding 
the squawking in your logs might be beneficial to others on the 
list, so as follows is my $0.02(nego).

It's my patently paranoid impression that the gloveless probing 
you're seeing is the work of a curious and sleazy little spider, 
called by way of perl to scour your playground for PAD-files.  
While PAD files can be used to contribute to a philanthropic 
information-sharing/snaring schema, drilling down several links 
into a page served up by such a query makes quickly available a 
buffet of email addresses.

This, coupled with the always suspicious poking being done by a 
cable user, suggests that the spider is being brought to you by 
a compromised host at the other end of that modem, for the purposes 
of harvesting email addresses, and...you guessed it...spamming.

My advice to you is to hound the offender's ISP, and have fun doing it.
:)

ymmv,
--ra

--
K. Rachael Treu, CISSP		rara at navigo dot com
				rara at sleepdeficit dot com
..this blurb has been brought to you by the letters 'v' and 'i'..


On Tue, Oct 21, 2003 at 08:59:22PM -0400, Brian Bruns said something to the effect of:
> 
> Hmmm, this is probably offtopic, but I can't seem to find anything online
> which explains this and I've never seen it before.
> 
> Maybe someone else here has seen this in their logs or has any idea what
> would do this?
> 
> It's obviously trying to gather some sort of information, could it be a
> prelude to some sort of DoS or exploit that's not publicly known yet?
> 
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /PAD-FILE HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-file HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /Padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 
> --------------------------
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> ICQ: 8077511
>
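
One way to flag the pattern in the quoted log (a single client walking case and punctuation variants of one path name, all returning 404), as an added example that is not part of the original thread. The function names, the three-variant threshold and the sample lines are assumptions made for illustration; the sample uses documentation addresses.

```python
import re
from collections import defaultdict

# Apache combined log format, the format of the log lines quoted in the thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def stem(path):
    """Collapse case and punctuation: /PAD-Files and /padfiles -> 'padfiles'."""
    return re.sub(r'[^a-z0-9]', '', path.lower())

def find_case_probes(lines, min_variants=3):
    """Return {(ip, user_agent): {stem: sorted spellings}} for clients whose
    404s cover at least min_variants distinct spellings of one stem."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line)
        if m and m['status'] == '404':
            seen[(m['ip'], m['ua'])][stem(m['path'])].add(m['path'])
    hits = {}
    for client, stems in seen.items():
        flagged = {s: sorted(v) for s, v in stems.items() if len(v) >= min_variants}
        if flagged:
            hits[client] = flagged
    return hits

# Constructed sample (documentation addresses, not the host from the thread).
PROBES = ['/pad', '/PAD', '/Pad', '/pads', '/PADS', '/Pads',
          '/pad-files', '/PadFiles', '/PADFILES']
SAMPLE = [
    f'192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET {p} HTTP/1.1" 404 316 '
    f'"-" "libwww-perl/5.65"' for p in PROBES
] + [
    '198.51.100.7 - - [21/Oct/2003:19:48:01 -0500] "GET /favicon.ico HTTP/1.1" '
    '404 300 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Oct/2003:19:48:02 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for (ip, ua), stems in find_case_probes(SAMPLE).items():
        for s, variants in stems.items():
            print(f'{ip} [{ua}] probed {len(variants)} spellings of "{s}": {variants}')
```

Grouping on the (address, User-Agent) pair keeps an ordinary browser's lone 404 from being flagged alongside the scripted client.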