nanog mailing list archives

Re: Unusual GET requests


From: Rachael Treu <rara () navigo com>
Date: Wed, 22 Oct 2003 18:36:21 -0500


Though it appears that you've been able to collect some off-list 
factoids, I think that a little open forum speculation regarding 
the squawking in your logs might be beneficial to others on the 
list, so as follows is my $0.02(nego).

It's my patently paranoid impression that the gloveless probing 
you're seeing is the work of a curious and sleazy little spider, 
called by way of perl to scour your playground for PAD-files.  
While PAD files can be used to contribute to a philanthropic 
information-sharing/snaring schema, drilling down several links 
into a page served up by such a query makes quickly available a 
buffet of email addresses.

This, coupled with the always suspicious poking being done by a 
cable user, suggests that the spider is being brought to you by 
a compromised host at the other end of that modem, for the purposes 
of harvesting email addresses, and...you guessed it...spamming.

My advice to you is to hound the offender's ISP, and have fun doing it.
:)

ymmv,
--ra

--
K. Rachael Treu, CISSP          rara at navigo dot com
                                rara at sleepdeficit dot com
..this blurb has been brought to you by the letters 'v' and 'i'..


On Tue, Oct 21, 2003 at 08:59:22PM -0400, Brian Bruns said something to the effect of:

Hmmm, this is probably offtopic, but I can't seem to find anything online
which explains this and I've never seen it before.

Maybe someone else here has seen this in their logs or has any idea what
would do this?

It's obviously trying to gather some sort of information, could it be a
prelude to some sort of DoS or exploit that's not publicly known yet?

68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /PAD-FILE HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-file HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /Padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
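
Added example, not part of either poster's message: one way to flag the pattern in the quoted log, where a single client gets 404s on several case spellings of the same path. The function name, the threshold of three variants and the sample lines (documentation addresses 192.0.2.10 and 198.51.100.7) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the excerpt quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def find_case_probes(lines, min_variants=3):
    """Return {(ip, agent): {folded_path: sorted raw spellings}} for clients
    that received 404s on at least min_variants case spellings of one path."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "404":
            continue  # skip unparseable lines and requests that were not misses
        # Case-fold the path so /PAD, /Pad and /pad land in the same bucket.
        seen[(m["ip"], m["agent"])][m["path"].lower()].add(m["path"])
    hits = {}
    for client, paths in seen.items():
        flagged = {p: sorted(v) for p, v in paths.items() if len(v) >= min_variants}
        if flagged:
            hits[client] = flagged
    return hits

# Constructed sample lines (not taken from the thread): one scripted client
# cycling through spellings, and one browser with an ordinary pair of misses.
SAMPLE = """\
192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
198.51.100.7 - - [21/Oct/2003:19:48:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Oct/2003:19:48:02 -0500] "GET /favicon.ico HTTP/1.1" 404 320 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Oct/2003:19:48:03 -0500] "GET /Favicon.ico HTTP/1.1" 404 320 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for (ip, agent), paths in find_case_probes(SAMPLE).items():
        for folded, variants in paths.items():
            print(f"{ip} [{agent}] {folded}: {len(variants)} spellings {variants}")
```
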



