Security Incidents mailing list archives
Really fouled up scans from linux15.ebar.dtu.dk
From: "Joshua J. Kugler" <isd () as uaf edu>
Date: Tue, 22 May 2001 11:38:22 -0800
This morning, Webalizer went nuts with a whole bunch of "Warning: Truncating oversized request field [line number]" messages. Over 450K worth. An investigation of my Apache logs shows requests like these: 130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET /sic/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stuweb.shtml HTTP/1.0" 401 4292 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)" A lot of the requests are good, it looks like he was trying to traverse the tree. Every now and then, there are requests of the form: /~EgggNoggg/Testing/?D=A Is the ?D=A testing for some hole? 
Here are some other odd ones 130.225.77.30 - - [11/May/2001:11:33:06 -0800] "GET/~havolina/%20%20%20%20%20%20%20http://www.cicv.fr/creation_artistique/online/orlan/index.html HTTP/1.0" 404 386 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)" 130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698 130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/ 0.1)" 130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698 130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/ 0.1)" 130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698 130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/ 0.1)" 130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698 130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/ 0.1)" Yes, I realized these are 11/May. These must have been buried under some other error messages in Webalizer, so I didn't catch them until now. Sorry. Any pointers would be great j----- k----- -- Joshua Kugler Associated Students of the University of Alaska Fairbanks Information Services Director isd () as uaf edu 907-474-7601
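An added triage example, not part of the original message: it tags access-log lines by the three request shapes quoted above (a path segment repeated many times, a `?X=Y` sort-style query, and a full URL embedded in the path). The function names, tag names, loop threshold and sample lines are assumptions made for this example; reading `?N/M/S/D=A|D` as Apache mod_autoindex column-sort links is background knowledge about Apache, not a statement from the post.

```python
import re
from collections import Counter
from itertools import groupby
from urllib.parse import unquote

# Client IP, quoted request, status; referer and user-agent fields are optional.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# Method and target; \s* tolerates a missing space ("GET/~user/...").
REQ = re.compile(r'^([A-Z]+)\s*(\S+)')
# Assumption: mod_autoindex sort links use column N/M/S/D and order A/D.
AUTOINDEX = re.compile(r'^[NMSD]=[AD]$')

def classify(line, loop_threshold=3):
    """Return (ip, status, tags) for one log line, or None if unparsable."""
    m = LINE.match(line)
    req = REQ.match(m.group(2)) if m else None
    if not req:
        return None
    path, _, query = req.group(2).partition("?")
    decoded = unquote(path)
    segments = [s for s in decoded.split("/") if s]
    # Longest run of identical consecutive segments, e.g. /a/b/b/b/c -> 3.
    longest_run = max((len(list(g)) for _, g in groupby(segments)), default=0)
    tags = []
    if longest_run >= loop_threshold:
        tags.append("path-loop")        # crawler recursing on a relative link
    if AUTOINDEX.match(query):
        tags.append("autoindex-sort")   # directory-listing column header link
    if "://" in decoded:
        tags.append("url-in-path")      # absolute URL glued onto a local path
    return m.group(1), int(m.group(3)), tags

def triage(lines):
    summary = {}
    for line in lines:
        result = classify(line)
        if result:
            summary.setdefault(result[0], Counter()).update(result[2] or ["plain"])
    return summary

# Constructed sample lines, shortened from the shapes quoted in the message.
UA = '"-" "Mozilla 4.0 (compatible; HttpTool/0.1)"'
PFX = '192.0.2.10 - - [11/May/2001:12:00:00 -0800] '
SAMPLE = [
    PFX + '"GET /sic/' + "stugov/" * 6 + 'stuweb.shtml HTTP/1.0" 401 4292 ' + UA,
    PFX + '"GET /~user/?D=A HTTP/1.0" 200 698 ' + UA,
    PFX + '"GET/~user/%20%20http://example.invalid/a.html HTTP/1.0" 404 386 ' + UA,
    PFX + '"GET /index.html HTTP/1.0" 200 512 ' + UA,
]
if __name__ == "__main__":
    for ip, counts in triage(SAMPLE).items():
        print(ip, dict(counts))
```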