Sqworm

Forum Moderators: DixonJones

Message Too Old, No Replies

Sqworm

Banned it, but was it?

Stefan

7:01 pm on Jul 28, 2004 (gmt 0)

Just noticed a visit from: Sqworm/2.9.85-BETA (beta_release; 20011115-775; i686-pc-linux-gnu

I checked a few threads that I found in WW, but I'm still unsure of what the thing is doing. I banned the IP# anyway, so I'm mostly just curious.

bcolflesh

7:03 pm on Jul 28, 2004 (gmt 0)

[webmasterworld.com...]

Stefan

7:07 pm on Jul 28, 2004 (gmt 0)

Belong to websense. It's an employers workplace tool to prevent surfing during working hours.

I read that before, checked the websense site, and still don't get it. It was only after .htm's. How is that preventing surfing by employees?

bcolflesh

7:10 pm on Jul 28, 2004 (gmt 0)

It works like a proxy filter - the site request goes through websense, if it matches any of the employers block rules, the client is blocked.

Stefan

9:15 pm on Jul 28, 2004 (gmt 0)

Many thanks, bcolflesh.

I'll have to read up on it. To be truthful, I still don't understand the mechanics of those sqworm .htm hits, ignoring .jpgs etc, and whether it was filtering me out or letting things through, or what. I'll have to do some research on proxy filters.

Jah guide
Stef

mcneely

5:27 pm on Aug 8, 2004 (gmt 0)

All of the ip's that we've looked at resolve to this

NS1.MILW.TWTELECOM.NET 216.136.95.2
NS1.IPLT.TWTELECOM.NET 64.132.94.250
NS1.SNAN.TWTELECOM.NET 168.215.165.186
NS1.ORNG.TWTELECOM.NET 168.215.210.50

regarding Sqworm/2.9.85-BETA
It comes in and does alot of poking around and on the last visit it used 32155bytes

There were some so-called un-resolvable ip addresses related to this but after some digging, they were eventually returned to the servers above.

WebSense based supposedly in Colorado on *Level 3 servers:
NS.WEBSENSE.COM 63.212.171.129
NS2.WEBSENSE.COM 216.34.197.101
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

Time Warner, though listed as being based in somewhere in the east resolves to the level 3 severs in Colorado as well
City: Littleton
StateProv: CO
PostalCode: 80124
Country: US

What I have been able to determine here is that though these may appear to be two separate entities, The primary server space is owned by Level 3, and the Time Warner people are leasing the primary DNS assigned ip's and then the lesser (WebSense) NS assignments are being leased from Time Warner in turn.

Just my two sense worth.
Our conclusion is that point of origin is WebSense running from server space being leased from Time Warner who in turn leases from Level 3 communications

Stefan

10:22 pm on Aug 9, 2004 (gmt 0)

regarding Sqworm/2.9.85-BETA
It comes in and does alot of poking around

Yeah, that's the way it seemed to me. It was only interested in htm files, none of the jpgs that went with them etc. It looked like it was scraping, not acting as a proxy or filter, but I don't really know what it was doing. I haven't noticed it again since I banned the IP.

Sqworm

Banned it, but was it?

Stefan

bcolflesh

Stefan

bcolflesh

Stefan

mcneely

Stefan

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week