Help explain unusual GET requests from spider/downloader

Forum Moderators: open

Message Too Old, No Replies

Help explain unusual GET requests from spider/downloader

GET /' and GET /MSOffice/cltreq.asp?

Wizcrafts

5:16 pm on Oct 11, 2003 (gmt 0)

I noticed these unusual GET requests that got 404'd yesterday:

"GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2605&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2605&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

"GET /a HTTP/1.0" 404 1606 "-" "Computer_and_Automation_Research_Institute_Crawler spider@spider.ilab.sztaki.hu"

"GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"

Can anybody explain what these folks/bots are looking for? I am really curious why anybody would search for a file named /', ot /a? It looks like the first two are phishing for office or FrontPage components, right? I don't have a FP site.

Thanks in advance, Wiz

keyplyr

6:12 pm on Oct 11, 2003 (gmt 0)

The top 2:

This used to really bug me. It's (probably) a user at work surfing the web while still in MSOffice, possibly pulling your site down to desktop to avoid being caught by their company. Office will send requests for these types of files. FrontPage will exhibit similiar activity.

The 3rd one: has been called a friendly bot in other discussions.

The last one seems to be the generic UA for almost anything. No idea about the /'/.

[edited by: keyplyr at 6:16 pm (utc) on Oct. 11, 2003]

Wizcrafts

6:16 pm on Oct 11, 2003 (gmt 0)

Thanks Keyplyr.

Do you know anything about the other party that requested /' and /a ?

Wiz

claus

6:17 pm on Oct 11, 2003 (gmt 0)

>> "GET /'/ HTTP/1.0"

-this could be a malformed link, although i see the referrer is blank:

<a href="http //www.example.com/'">

Computer and automation: [webmasterworld.com...]

Thread doesn't provide much info - i had it visiting myself once, didn't do anything about it.

/claus

Wizcrafts

11:10 pm on Oct 11, 2003 (gmt 0)

There is more to this story than this one line with GET /'

Here is what actually occured last night:


80.73.200.232 - - [10/Oct/2003:11:07:30 -0400] "GET / HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:31 -0400] "GET / HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:32 -0400] "GET /menu.html HTTP/1.0" 200 15428 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:32 -0400] "GET /index-2.html HTTP/1.0" 200 23747 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:33 -0400] "GET /sponsors.html HTTP/1.0" 200 2747 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /about_us.html HTTP/1.0" 200 4102 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /contact.html HTTP/1.0" 200 10827 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /fmsecurity.html HTTP/1.0" 200 17979 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /faqs.html HTTP/1.0" 200 46449 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /policies.html HTTP/1.0" 200 13010 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /brainbench_score.html HTTP/1.0" 200 6597 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /wiztunes/index.html HTTP/1.0" 200 2095 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /guestbook.html HTTP/1.0" 200 8597 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /disclaimers.html HTTP/1.0" 200 5147 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /sitemap.html HTTP/1.0" 200 2552 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /wizs_workshop_1.html HTTP/1.0" 200 24428 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:34 -0400] "GET /dotster.html HTTP/1.0" 200 4002 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /baudtest.html HTTP/1.0" 200 18194 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /index.html HTTP/1.0" 200 2162 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /links.html HTTP/1.0" 200 26285 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /my_rates.html HTTP/1.0" 200 7965 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /regsave.html HTTP/1.0" 200 12242 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:35 -0400] "GET /website_design.html HTTP/1.0" 200 11133 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /serv_zones.html HTTP/1.0" 200 5818 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /PeterStyles/index.shtml HTTP/1.0" 200 7002 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /security.html HTTP/1.0" 200 23277 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /my_resume.html HTTP/1.0" 200 12870 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /bait/honeypot.html HTTP/1.0" 200 5105 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:36 -0400] "GET /'/ HTTP/1.0" 404 1606 "-" "Mozilla/3.0 (compatible)"
80.73.200.232 - - [10/Oct/2003:11:07:42 -0400] "GET /contact-info.html HTTP/1.0" 200 9617 "-" "Mozilla/3.0 (compatible)"

Does this look like a harvester or what? Just html files and he visited my honeypot.

Wiz

wilderness

11:20 pm on Oct 11, 2003 (gmt 0)

Does this look like a harvester or what?

Wiz
You stand to gain any benefit from a Russian IP range?

edited by Wilderness:

NO.
Answered my own question in your profile.
Flint, Mich.

You anywhere near Swartz Creek :)

Wizcrafts

11:39 pm on Oct 11, 2003 (gmt 0)

Hi Wilderness!

I already did a lookup on his IP and added him to my deny-from rules. I am just curious about the two requests for /'.

Yes, I am about 15 minutes East of Swartz Creek, along I-69, by I-475. And you?

Wiz

wilderness

12:48 am on Oct 12, 2003 (gmt 0)

The sale I had online (for a customer) was today at the MSU Pavillion.
This is their 2nd year at MSU.

Previously the two part sale (which began in 1955) was held in Adrian and before that at Northville and Adrian.

The gent who runs it is some character. 83YO lived in Durand his entire life and been in the horse business since he was young. Bred and raced the 1981 Hambletonian winner.

All this WAY OFF topic for this forum.
My apologies to the masses.

Don

Peeress

4:08 pm on Oct 13, 2003 (gmt 0)

The 3rd one: has been called a friendly bot in other discussions.

In my case, that 3rd one just fell into my bot trap so it's banned.

Date: Mon, 13 Oct 2003 00:48:48
The ip address ^195\.111\.1\.2$ has been banned on Mon Oct 13 00:48:48 2003
The associated user agent was Computer_and_Automation_Research_Institute_Crawler spider@spider.ilab.sztaki.hu

coyote

1:22 am on Oct 14, 2003 (gmt 0)

Wiz, Mozilla/3.0 (compatible) is not a valid browser UA and is a spambot. Banning by UA would be a better long-term solution vs. just banning the IP.

Computer_and_Automation_Research_Institute_Crawler <snip> just fell into my bot trap so it's banned.

Good to know, Peeress, you should repost that in the thread I started on the crawler. I'll ban that one by IP range even though it was well-behaved when it visited my site, it obviously has bugs and/or is more malicious than it seemed.