Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Help explain unusual GET requests from spider/downloader
GET /' and GET /MSOffice/cltreq.asp?
Wizcrafts




msg:397528
 5:16 pm on Oct 11, 2003 (gmt 0)

I noticed these unusual GET requests that got 404'd yesterday:

"GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2605&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2605&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

"GET /a HTTP/1.0" 404 1606 "-" "Computer_and_Automation_Research_Institute_Crawler spider@spider.ilab.sztaki.hu"

"GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"

Can anybody explain what these folks/bots are looking for? I am really curious why anybody would search for a file named /', or /a? It looks like the first two are phishing for office or FrontPage components, right? I don't have a FP site.

Thanks in advance, Wiz

 

keyplyr




msg:397529
 6:12 pm on Oct 11, 2003 (gmt 0)

The top 2:

This used to really bug me. It's (probably) a user at work surfing the web while still in MSOffice, possibly pulling your site down to desktop to avoid being caught by their company. Office will send requests for these types of files. FrontPage will exhibit similar activity.

The 3rd one: has been called a friendly bot in other discussions.

The last one seems to be the generic UA for almost anything. No idea about the /'/.

<edit to correct typo>

[edited by: keyplyr at 6:16 pm (utc) on Oct. 11, 2003]

Wizcrafts




msg:397530
 6:16 pm on Oct 11, 2003 (gmt 0)

Thanks Keyplyr.

Do you know anything about the other party that requested /' and /a ?

Wiz

claus




msg:397531
 6:17 pm on Oct 11, 2003 (gmt 0)

>> "GET /'/ HTTP/1.0"

-this could be a malformed link, although I see the referrer is blank:

<a href="http //www.example.com/'">

Computer and automation: [webmasterworld.com...]

Thread doesn't provide much info - I had it visiting myself once, didn't do anything about it.

/claus

Wizcrafts




msg:397532
 11:10 pm on Oct 11, 2003 (gmt 0)

There is more to this story than this one line with GET /'

Here is what actually occurred last night:

80.73.200.232 - - [10/Oct/2003:11:07:30 -0400] "GET / HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:31 -0400] "GET / HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:32 -0400] "GET /menu.html HTTP/1.0" 200 15428 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:32 -0400] "GET /index-2.html HTTP/1.0" 200 23747 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:33 -0400] "GET /sponsors.html HTTP/1.0" 200 2747 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /about_us.html HTTP/1.0" 200 4102 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /contact.html HTTP/1.0" 200 10827 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /fmsecurity.html HTTP/1.0" 200 17979 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /faqs.html HTTP/1.0" 200 46449 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /policies.html HTTP/1.0" 200 13010 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /brainbench_score.html HTTP/1.0" 200 6597 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /wiztunes/index.html HTTP/1.0" 200 2095 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /guestbook.html HTTP/1.0" 200 8597 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /disclaimers.html HTTP/1.0" 200 5147 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /sitemap.html HTTP/1.0" 200 2552 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /wizs_workshop_1.html HTTP/1.0" 200 24428 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /dotster.html HTTP/1.0" 200 4002 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /baudtest.html HTTP/1.0" 200 18194 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /index.html HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /links.html HTTP/1.0" 200 26285 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /my_rates.html HTTP/1.0" 200 7965 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /regsave.html HTTP/1.0" 200 12242 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /website_design.html HTTP/1.0" 200 11133 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /serv_zones.html HTTP/1.0" 200 5818 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /PeterStyles/index.shtml HTTP/1.0" 200 7002 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /security.html HTTP/1.0" 200 23277 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /my_resume.html HTTP/1.0" 200 12870 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /bait/honeypot.html HTTP/1.0" 200 5105 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:42 -0400] "GET /contact-info.html HTTP/1.0" 200 9617 "-" "Mozilla/3.0 (compatible)"

Does this look like a harvester or what? Just html files and he visited my honeypot.

Wiz

wilderness




msg:397533
 11:20 pm on Oct 11, 2003 (gmt 0)

>> Does this look like a harvester or what?

Wiz
You stand to gain any benefit from a Russian IP range?

edited by Wilderness:

NO.
Answered my own question in your profile.
Flint, Mich.

You anywhere near Swartz Creek :)

Wizcrafts




msg:397534
 11:39 pm on Oct 11, 2003 (gmt 0)

Hi Wilderness!

I already did a lookup on his IP and added him to my deny-from rules. I am just curious about the two requests for /'.

Yes, I am about 15 minutes East of Swartz Creek, along I-69, by I-475. And you?

Wiz

wilderness




msg:397535
 12:48 am on Oct 12, 2003 (gmt 0)

The sale I had online (for a customer) was today at the MSU Pavilion.
This is their 2nd year at MSU.

Previously the two part sale (which began in 1955) was held in Adrian and before that at Northville and Adrian.

The gent who runs it is some character. 83YO lived in Durand his entire life and been in the horse business since he was young. Bred and raced the 1981 Hambletonian winner.

All this WAY OFF topic for this forum.
My apologies to the masses.

Don

Peeress




msg:397536
 4:08 pm on Oct 13, 2003 (gmt 0)

>> The 3rd one: has been called a friendly bot in other discussions.

In my case, that 3rd one just fell into my bot trap so it's banned.

Date: Mon, 13 Oct 2003 00:48:48
The ip address ^195\.111\.1\.2$ has been banned on Mon Oct 13 00:48:48 2003
The associated user agent was Computer_and_Automation_Research_Institute_Crawler spider@spider.ilab.sztaki.hu

coyote




msg:397537
 1:22 am on Oct 14, 2003 (gmt 0)

Wiz, Mozilla/3.0 (compatible) is not a valid browser UA and is a spambot. Banning by UA would be a better long-term solution vs. just banning the IP.

>> Computer_and_Automation_Research_Institute_Crawler <snip> just fell into my bot trap so it's banned.

Good to know, Peeress, you should repost that in the thread I started on the crawler. I'll ban that one by IP range even though it was well-behaved when it visited my site, it obviously has bugs and/or is more malicious than it seemed.
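
The indicators raised in this thread (a hit on the trap page, several requests per second, page-only fetches and a blank referrer on every request) can be checked mechanically per IP and user agent. The script below is an added example, not part of any member's post; the burst threshold, the page suffix list and the two ordinary-visitor log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the excerpt posted in the thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TRAP_PATH = "/bait/honeypot.html"        # trap URL seen in the posted log
BURST, WINDOW = 5, 2                     # assumed: 5 hits within 2 seconds
PAGE_SUFFIXES = ("/", ".html", ".shtml") # assumed: what counts as a "page"

# Five lines copied from the thread, then two constructed lines for an
# ordinary visitor (192.0.2.10 is a documentation address).
SAMPLE = """\
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /links.html HTTP/1.0" 200 26285 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /security.html HTTP/1.0" 200 23277 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /bait/honeypot.html HTTP/1.0" 200 5105 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
192.0.2.10 - - [10/Oct/2003:11:09:02 -0400] "GET /index.html HTTP/1.1" 200 2162 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [10/Oct/2003:11:09:03 -0400] "GET /images/logo.gif HTTP/1.1" 200 3120 "http://www.example.com/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def parse(text):
    """Yield one dict per well-formed log line; other lines are skipped."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        hit = m.groupdict()
        hit["ts"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield hit

def profile(text):
    """Map (ip, user agent) to the set of harvester indicators it shows."""
    clients = defaultdict(list)
    for hit in parse(text):
        clients[(hit["ip"], hit["ua"])].append(hit)
    report = {}
    for key, hits in clients.items():
        times = sorted(h["ts"] for h in hits)
        checks = {
            "trap": any(h["path"] == TRAP_PATH for h in hits),
            "burst": any((times[i + BURST - 1] - times[i]).total_seconds() <= WINDOW
                         for i in range(len(times) - BURST + 1)),
            "pages-only": all(h["path"].endswith(PAGE_SUFFIXES) for h in hits),
            "no-referer": all(h["ref"] == "-" for h in hits),
        }
        report[key] = {name for name, ok in checks.items() if ok}
    return report

print(profile(SAMPLE))
```

Keying on the IP and user agent together keeps both values available for whichever kind of ban (by address or by UA) is chosen afterwards.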
