66.90.10.6 - - [10/Apr/2003:08:52:28 -0700] "GET /about_thewall.html HTTP/1.1" 404 2133 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
The pathway methodology I use is to have them capitalized as though each word were the beginning of a sentence.
Ex: About_TheWall.html
I've noticed quite a few of these 404 error codes.
In this Cut & Paste culture it would seem that only a human could have changed those pathways to all lower case typing them in?
Yea!? Nay!?
It pulls up my custom 404 page, but still it bothers me.
Input?
Pendanticist.
Note different IP Number from earlier post.
211.99.203.215 - - [11/Apr/2003:17:23:39 -0700] "GET /about_site.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
211.99.203.215 - - [11/Apr/2003:17:23:39 -0700] "GET /about_awards.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
211.99.203.215 - - [11/Apr/2003:17:23:39 -0700] "GET /about_webmasters.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
211.99.203.215 - - [11/Apr/2003:17:23:39 -0700] "GET /about_translate.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
211.99.203.215 - - [11/Apr/2003:17:23:39 -0700] "GET /about_thewall.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
Yes, I have Zeus in my .htaccess. However, I'm thinking the 'corrupt' pathways superseded any denials I may have in place. <-Logical Guess
Thanks.
Pendanticist.
Happy to reply to one of your posts!
I have seen this too.... and, as is the case here, it always- ALWAYS- seems to resolve to an APNIC host. (211.99.203.215 is a-1 dialup net- Beijing,China... 66.90.10.6 however is Florida)
In any case, it is my belief that these are poorly written bots or spiders. I talked with Jim Morgan about this, and that is what he thought.
Not easy to trap with a UA block, but you can block them with an IP (once you notice them!)
dave
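One way to notice these clients in the access log, as an added example that is not part of the original thread: it flags 404s whose path matches a real page only when case is ignored, and groups them by IP. The path list, the sample log lines and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: the site's real mixed-case paths. Only About_TheWall.html is
# named in the thread; the other two are constructed in the same style.
SITE_PATHS = {"/About_TheWall.html", "/About_Site.html", "/About_Awards.html"}

# Constructed sample lines (documentation-range IPs), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2003:17:23:39 -0700] "GET /about_site.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
192.0.2.10 - - [11/Apr/2003:17:23:39 -0700] "GET /about_awards.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
192.0.2.10 - - [11/Apr/2003:17:23:39 -0700] "GET /about_thewall.html HTTP/1.1" 404 2133 "-" "Zeus 2.6"
198.51.100.7 - - [10/Apr/2003:08:52:28 -0700] "GET /about_thewall.html HTTP/1.1" 404 2133 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
203.0.113.5 - - [12/Apr/2003:09:00:00 -0700] "GET /About_TheWall.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
203.0.113.5 - - [12/Apr/2003:09:00:01 -0700] "GET /favicon.ico HTTP/1.1" 404 2133 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
"""

def case_mismatch_hits(log_text, site_paths):
    """Return {ip: [(requested, real_path, user_agent), ...]} for 404s whose
    path equals a real path only when case is ignored."""
    by_lower = {p.lower(): p for p in site_paths}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or not a 404
        path = m["path"].split("?", 1)[0]  # ignore any query string
        real = by_lower.get(path.lower())
        if real is not None and real != path:
            hits[m["ip"]].append((path, real, m["ua"]))
    return dict(hits)

def block_candidates(hits, threshold=2):
    """IPs with at least `threshold` case-mismatch 404s, written as escaped,
    anchored patterns suitable for a regex-based block file."""
    return sorted("^" + re.escape(ip) + "$"
                  for ip, rows in hits.items() if len(rows) >= threshold)

if __name__ == "__main__":
    found = case_mismatch_hits(SAMPLE_LOG, SITE_PATHS)
    for ip, rows in found.items():
        print(ip, len(rows), sorted({ua for _, _, ua in rows}))
    print(block_candidates(found))
```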
>>> Happy to reply to one of your posts!
:) Thank You carfac.
>>> I have seen this too.... and, as is the case here, it always- ALWAYS- seems to resolve to an APNIC host. (211.99.203.215 is a-1 dialup net- Beijing,China... 66.90.10.6 however is Florida)
Am I reading you correctly here? Florida is in the East, but not the far east. <chuckle> Or is my ignorance showing?
>>> In any case, it is my belief that these are poorly written bots or spiders. I talked with Jim Morgan about this, and that is what he thought.
Poorly written for sure if it changes something as simple as the Case (Upper/Lower) of a pathway. It sure is aggravating.
Tell me, how does Zeus figure in then?
Safe to assume someone may have tweaked it somehow?
>>> Not easy to trap with a UA block, but you can block them with an IP (once you notice them!)
Blocking by IP does bloat the file, but I guess that's all we have to work with.
Thanks again.
<added from overnight activity>
194.242.43.77 - - [13/Apr/2003:04:11:52 -0700] "GET /aboriginal_native-a HTTP/1.0" 404 2133 "www.blahblah.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
A new IP Number. Ok, fine....for now.
I'm more interested in the GET. Just like all the others it is lower case, albeit fundamentally incorrect. That index is actually a-o...which suggests to me that somewhere, somehow perhaps my site has been replicated? As opposed to typed in manually that is.
I mean, by all indications, this individual actually clicked on a link? Correct? If so, that suggests distribution of some fashion and that can certainly compound this entire situation.
</added from overnight activity>
Pendanticist.
>>> Florida is in the East, but not the far east. <chuckle>
Yeah I messed up. I wrote that before I ran a whois on the first IP. But EVERY one I have ever seen is all FAR EAST! (Maybe a spammer on vacation in Orlando?)
>>> written for sure if it changes something as simple as the Case (Upper/Lower)
I had assumed that it might have something to do with the differences in the Oriental languages and Western languages. I do not know any Oriental languages, but I GUESS they do not have capitalization (I do not know for sure, and would love to be corrected if I am wrong!) Anyway, if they do NOT have caps, maybe for some it is just something they do not think about. OR at some point in the routines as their bot gobbles URL's, it has to go to all lower to "digest" the URL's... Just guessing here...
>>>>> Tell me, how does Zeus figure in then
I do not know... I just know I have had Zeus banned for YEARS and not given it too much thought....
>>>> New IP 194.242.43.77
THIS one I have seen before.... and have banned. They are a "broker" of artwork... they scan all over for who has or is selling what, and then try to put buyers and sellers together for a %. TOTALLY Useless.... I have the class C:
#Art Market (France)
^194\.242\.43
Blocked.
Here is my list of blocked lower-case dorks (as I called them in my block file):
dave
How would I phrase my questions to the ISP's of those who come to my domain via the aforementioned method?
1). Using the premise of tracking down this situation for the express purpose of removing it from the Internet before it proliferates any farther.
2). Should use somewhat technical terminology, that I don't know a blamed thing about.
Feel free to sticky me if you wish, just know that I am quite serious.
Pendanticist.
I went after a couple of people... a couple of times. Never got any satisfaction, and, really, they were kind of minor infractions. That is how I would view this.... unless they are going for 300+ pages, I would probably not even bother the ISP. (Well, I am not in the mood to bother anyone anymore. Once they pass my threshold- BAM- I block them!)
That is just what I would do.
I guess, if I were inclined to contact an ISP, I would just be very brief and businesslike about it. "I noticed in my log files a strange amount of hits of this sort from your ISP. Blah blah blah."
I did actually contact an ISP of sorts the other day... I saw a TON of hits from an IP that resolved to a company most noted for giving out little gold statues in March. Them I did contact, and it turned out they were doing some research using one of my sites. I did that one purely for ego! :)
dave
I'm not interested in the users, other than as a vehicle to the source of the problem. Wherever that may be.
I'm seeing increased use from various parts of the World and you saw one All Capped. That tells me something.
It has also piqued the interest of a well known University here in the US and I am currently awaiting first contact from one of the bigger ISP's in the US. (I couldn't wait and drafted my own letter that I can't post here.)
Tell me something. Have you 'ever' seen these in your files?
In addition to what we've been discussing, every instance of this situation has those two extensions listed in my access_log files . . . . exactly as shown. That suggests distribution to me.
Pendanticist.