Welcome to WebmasterWorld Guest from 54.167.174.11

Forum Moderators: open

Message Too Old, No Replies

Is this a site being scraped?

   
3:43 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I found this in the site stats, and since that site was being swiped from before for a long while, I'm wondering if that's what this is

/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0

3:43 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



No, that's frontpage extensions.
3:51 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I know, that's why I asked here. But that entire site was being downloaded by someone using Front Page last fall to swipe my kw and copy, and I don't even have FP extensions installed on any of my hosting. So how could FP extensions be showing up like that.
3:54 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So how could FP extensions be showing up like that.

Ask you server admin to do a trace on it.

4:07 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Marcia, what was the response code by the server? Post the entire line from the log file.
4:08 am on Nov 9, 2004 (gmt 0)

10+ Year Member



I see something similar in my access_log files all the time. Usually its something like:

GET /vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6403&STRMVER=4&CAPREQ=0
GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6403&STRMVER=4&CAPREQ=0

.. followed by the usual user agents, Mozilla (compatible; yadda..quack 4.01 ..

Sometimes this is followed by requests for form-mail stuff, all sent from
the same server. I have no form-mail at all.

I took a random .gif image and renamed it owssvr.dll,
(over the protestations of my operating system) and
uploaded that into my /vti-bin/ folder at the host.

That's so whoever it is doesn't go away completely empty handed.
I was going to take a .jpg image and rename it
cltreq.asp but I don't have an /MSOffice folder on my site.

Any suggestions? How about a table of random numbers?

- Larry

4:16 am on Nov 9, 2004 (gmt 0)

10+ Year Member



I forgot something:

With the sole exception of my perverted owssvr.dll file,
all the bogus requests return a 404 error.
Except for some tiny bandwidth, no harm done I suppose.

I would really like to know who does this and why in any case.
Somebody suggested email spammers once. and I'm hoping it isn't something even worse.

-LH

5:02 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I've got no /vti-bin/ on my hosting, but this is a different issue. I looked for the IP number, then remembered about checking it out at Sam Spade. It's a Verizon DSL user.

>>I'm hoping it isn't something even worse.

What I'm now figuring this is, seeing it's an ISP and looking again seeing that it's one section of the site, is that it was the pages being grabbed. Yahoo must have just updated, the site moved up from #3 to #1 for that keyword. So whoever it is must have decided they like it because apparently they went through that whole particular subdirectory on the site.

I'll have to keep tabs now, and I'm no techie but remembering the months of aggravation last year, if it's the same party, rather than disallow the whole IP again, it might be time to get a little creative.

5:20 am on Nov 9, 2004 (gmt 0)

10+ Year Member



This thread [webmasterworld.com] and the link therein indicate that it's microsoft office with "web discussions" enabled.