Security Incidents mailing list archives

Really fouled up scans from linux15.ebar.dtu.dk


From: "Joshua J. Kugler" <isd () as uaf edu>
Date: Tue, 22 May 2001 11:38:22 -0800

This morning, Webalizer went nuts with a whole bunch of "Warning: Truncating 
oversized request field [line number]" messages.  Over 450K worth.  An 
investigation of my Apache logs shows requests like these:

130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET 
/sic/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stuweb.shtml
 
HTTP/1.0" 401 4292 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"

A lot of the requests are good; it looks like he was trying to traverse the 
tree.  Every now and then, there are requests of the form:

/~EgggNoggg/Testing/?D=A

Is the ?D=A testing for some hole?

Here are some other odd ones:

130.225.77.30 - - [11/May/2001:11:33:06 -0800] "GET/~havolina/%20%20%20%20%20%20%20http://www.cicv.fr/creation_artistique/online/orlan/index.html HTTP/1.0" 404 386 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"

130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698
130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698
130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698
130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698
130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"

Yes, I realized these are 11/May.  These must have been buried under some 
other error messages in Webalizer, so I didn't catch them until now. Sorry.

Any pointers would be great.

j----- k-----

-- 
Joshua Kugler
Associated Students of the University of Alaska Fairbanks
Information Services Director
isd () as uaf edu
907-474-7601
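
The ?N=A, ?M=D, ?S=D and ?D=D query strings quoted above are the column-sort links that Apache's mod_autoindex places on directory listings (sort by Name, Modified date, Size or Description, Ascending or Descending), so a crawler that follows every link on an indexable directory produces exactly this pattern. As an added example that is not part of the original post, the following Python script parses Apache combined-format access-log lines like the ones quoted and tags, per client address, the three request shapes the post asks about: repeated path segments, autoindex sort queries, and an absolute URL embedded in the path. The sample lines are constructed after the quoted ones (the example.invalid host and the eight-repeat threshold are assumptions).

```python
import re

# Apache combined log format with optional referer/user-agent (the post's shorter
# entries lack them). Method is [A-Z]+ with an optional following space, so the
# malformed "GET/~user/..." line still splits into method and path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) ?(?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\S+)(?: "[^"]*" "(?P<ua>[^"]*)")?$')
AUTOINDEX_SORT = re.compile(r'^[NMSD]=[AD]$')  # mod_autoindex sort column + direction

def repeated_segment(path, min_repeats=8):
    """Return a path segment repeated consecutively >= min_repeats times, else None."""
    segs = [s for s in path.split('/') if s]
    for i in range(len(segs) - min_repeats + 1):
        if len(set(segs[i:i + min_repeats])) == 1:
            return segs[i]
    return None

def classify(line):
    """Tag one access-log line; an empty list means nothing remarkable."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparsed']
    path, _, query = m.group('path').partition('?')
    tags = []
    if repeated_segment(path):
        tags.append('repeated-segment-path')  # the shape that made Webalizer truncate
    if AUTOINDEX_SORT.match(query):
        tags.append('autoindex-sort-query')   # a directory-listing sort link
    if '://' in path:
        tags.append('embedded-url-in-path')   # absolute URL pasted into the path
    return tags

def summarize(lines):
    """Count tags per client IP so a single noisy source stands out."""
    counts = {}
    for line in lines:
        per_ip = counts.setdefault(line.split(' ', 1)[0], {})
        for tag in classify(line):
            per_ip[tag] = per_ip.get(tag, 0) + 1
    return counts

# Constructed sample entries modelled on the ones quoted in the post.
UA = '"-" "Mozilla 4.0 (compatible; HttpTool/0.1)"'
SAMPLE_LINES = [
    '130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET /sic/'
    + 'stugov/' * 20 + 'stuweb.shtml HTTP/1.0" 401 4292 ' + UA,
    '130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698',
    '130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698 ' + UA,
    '130.225.77.30 - - [11/May/2001:11:33:06 -0800] "GET/~user/%20%20http://example.invalid/x HTTP/1.0" 404 386 ' + UA,
]
```

Run `summarize()` over a real access log and a source that accounts for all of the repeated-segment and sort-query hits at once is the crawler; a 401 on every deep path, as in the first quoted line, shows it never got past authentication.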

