Unusual GET requests
Hmmm, this is probably offtopic, but I can't seem to find anything online which explains this and I've never seen it before. Maybe someone else here has seen this in their logs or has any idea what would do this? It's obviously trying to gather some sort of information, could it be a prelude to some sort of DoS or exploit that's not publicly known yet?

68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /PAD-FILE HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-file HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /Padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511

At 8:59 PM -0400 10/21/03, Brian Bruns wrote:
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"

That's VeriSign's new spell corrector DNS wildcard. :-)

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

Though it appears that you've been able to collect some off-list factoids, I think that a little open forum speculation regarding the squawking in your logs might be beneficial to others on the list, so as follows is my $0.02(nego).

It's my patently paranoid impression that the gloveless probing you're seeing is the work of a curious and sleazy little spider, called by way of perl to scour your playground for PAD-files. While PAD files can be used to contribute to a philanthropic information-sharing/snaring schema, drilling down several links into a page served up by such a query makes quickly available a buffet of email addresses. This, coupled with the always suspicious poking being done by a cable user, suggests that the spider is being brought to you by a compromised host at the other end of that modem, for the purposes of harvesting email addresses, and...you guessed it...spamming.

My advice to you is to hound the offender's ISP, and have fun doing it. :)

ymmv,
--ra

--
K. Rachael Treu, CISSP
rara at navigo dot com
rara at sleepdeficit dot com
..this blurb has been brought to you by the letters 'v' and 'i'..

On Tue, Oct 21, 2003 at 08:59:22PM -0400, Brian Bruns said something to the effect of:
Hmmm, this is probably offtopic, but I can't seem to find anything online which explains this and I've never seen it before. Maybe someone else here has seen this in their logs or has any idea what would do this? It's obviously trying to gather some sort of information, could it be a prelude to some sort of DoS or exploit that's not publicly known yet?
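
The pattern in the log above (one client drawing 404s on many case and separator spellings of the same name within seconds) can be flagged mechanically. The following is an added example, not part of the original thread; the function names, the thresholds and the two 192.0.2.10 lines are assumptions constructed for illustration, while the other sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First six lines are from the thread's log; the 192.0.2.10 lines are constructed.
SAMPLE = '''\
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:48:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [21/Oct/2003:19:48:05 -0500] "GET /favicon.ico HTTP/1.1" 404 310 "-" "Mozilla/4.0"
'''.splitlines()

# Groups: client IP, timestamp, request path, status (Apache combined format).
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def fold(path):
    """Collapse case and separators so /Pad-Files and /PADFILES share one key."""
    return re.sub(r'[-_]', '', path.split('?', 1)[0].strip('/').casefold())

def find_variant_probes(lines, min_variants=3, window=timedelta(seconds=60)):
    """Return {(ip, folded_name): [spellings]} for clients that drew 404s on at
    least min_variants spellings of one name inside a sliding time window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(4) != '404':
            continue  # unparsable line, or the resource exists
        ip, ts, path = m.group(1, 2, 3)
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
        hits[(ip, fold(path))].append((when, path))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop requests older than the window
            if len({p for _, p in events[start:end + 1]}) >= min_variants:
                flagged[key] = sorted({p for _, p in events})
                break
    return flagged

if __name__ == "__main__":
    for (ip, name), spellings in find_variant_probes(SAMPLE).items():
        print(ip, name, spellings)
```

A single 404 such as the constructed favicon request is not flagged; only repeated spellings of one folded name from the same address are.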
participants (3)
- Brian Bruns
- Kee Hinckley
- Rachael Treu