Actually I posted the wrong IP.  Looking in the light of morning the 31,758 
lines of MS Office stuff started out like this:

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:26 -0800] 
"GET / HTTP/1.1" 302 167 
"http://www.google.com/search?hl=en&q=SMARTER+YELLOW+PAGES&btnG=Google+Search" 
"Mozilla/4.0 (compatible; MSIE 6.0; MSNIA; Windows 98; Hotbar 4.1.2.0; .NET 
CLR 1.1.4322)"

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:27 -0800] 
"GET /index.cfm HTTP/1.1" 200 9434 
"http://www.google.com/search?hl=en&q=SMARTER+YELLOW+PAGES&btnG=Google+Search" 
"Mozilla/4.0 (compatible; MSIE 6.0; MSNIA; Windows 98; Hotbar 4.1.2.0; .NET 
CLR 1.1.4322)"

I had not noticed the following line before.  They are looking for the DLL 
owssvr.dll in _vti_bin.

Anyone know what owssvr.dll does?

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:27 -0800] 
"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 
HTTP/1.1" 302 233 "" "Mozilla/4.0 (compatible; MSIE 6.0; MSNIA; Windows 98; 
Hotbar 4.1.2.0; .NET CLR 1.1.4322)"

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:28 -0800] 
"GET /_vti_bin/index.cfm HTTP/1.1" 200 230 "" "Mozilla/4.0 (compatible; 
MSIE 6.0; MSNIA; Windows 98; Hotbar 4.1.2.0; .NET CLR 1.1.4322)"

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:28 -0800] 
"GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 
HTTP/1.1" 302 233 "" "Mozilla/4.0 (compatible; MSIE 6.0; MSNIA; Windows 98; 
Hotbar 4.1.2.0; .NET CLR 1.1.4322)"

207.213.217.31 www.smarteryellowpages.com - [31/Jan/2005:11:48:28 -0800] 
"GET /MSOffice/index.cfm HTTP/1.1" 302 233 "" "Mozilla/4.0 (compatible; 
MSIE 6.0; MSNIA; Windows 98; Hotbar 4.1.2.0; .NET CLR 1.1.4322)"

What the /MSOffice/index.cfm stuff does is to burn time until the browser 
figures out there is no such folder.  So 31,000 /MSOffice/index.cfm's 
appear to be acting like a DOS attack.  Fortunately it didn't work.

best,  paul

>Subject: Block a Spyder / DOS Attack?
>From: Adam Haskell <[EMAIL PROTECTED]>
>Date: Tue, 1 Feb 2005 09:26:55 -0500
>Thread: 
>http://www.houseoffusion.com/cf_lists/index.cfm/method=messages&threadid=37994&forumid=4#192542
>
>Quick google search turns up it is caused by MS office most likely
>frontpage or someone using office to view part of the website, maybe
>excel files or word files??  No SQL injection more annoyance than
>anything else.
>
>
>Adam H
>
>
>On Mon, 31 Jan 2005 21:15:32 -0800, Paul Smith <[EMAIL PROTECTED]> 
>wrote:
> > This guy (64.242.88.50) is back again.  14,702 times and counting since
> > last midnight.  He apparently ignores robots.txt.  I asked my ISP to block
> > him at the firewall early this morning, but he apparently did
> > not.  (Today's log file for this URL is 27MB and counting.)
> >
> > But another character started out:
> >
> > 208.27.31.145 www.smarteryellowpages.com - [31/Jan/2005:11:35:46 -0800]
> > "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=5606&STRMVER=4&CAPREQ=0
> > HTTP/1.1" 302 233 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> > .NET CLR 1.1.4322)"
> >
> > and then did
> >
> > 208.27.31.145 www.smarteryellowpages.com - [31/Jan/2005:11:35:47 -0800]
> > "GET /MSOffice/index.cfm HTTP/1.1" 302 233 "" "Mozilla/4.0 (compatible;
> > MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
> >
> > 31,758 times and counting.  The first 208.27.31.145 looks like an attempt
> > at SQL Injection.  Is it?  We don't run asp here (perhaps
> > fortunately).  The second looks something like a DOS attack.
> >

