Bill Moseley wrote:

> But it's amazing how many are just lame in that they take perfectly good
> HREF tags and mess them up in the request.  For example, every day I see
> many requests from Novell's BorderManager where they forgot to convert HTML
> entities in HREFs before making the request.
>
> Here's another example:
>
> 64.3.57.99 - "-" [04/Nov/2000:04:36:22 -0800] "GET /../../../ HTTP/1.0" 400
> 265 "-" "Microsoft Internet Explorer/4.40.426 (Windows 95)" 5740

I don't think you have a lame spider here.  I think you have a hacker trying to hack
your server.

>
>
> In the last day that IP has requested about 10,000 documents.  Over half
> were 404 requests where some 404s were non-converted entities from HREFs,
> but most were just for documents that do not and have never existed on this
> site.  Almost 1000 requests were 400s (Bad Request like the example above).
> And I'd guess that's not really the correct user agent, either....

There is a current exploit for non-converted entities on Microsoft IIS.  Maybe
they're trying them out on your Apache for some reason.

>
>
> In general, what I'm interested in stopping are the thousands of requests
> for documents that just don't exist on the site.  And to simply block the
> lame ones, since they are, well, lame.

Perhaps you can run a cron job that scans your logs.  Identify lame spiders and/or
hackers and add a rule to IPChains (assuming Linux 2.2.??) to deny access from
that IP to your server.  I understand that Portsentry does this trick when it
determines that an IP is scanning for open ports.

hth,

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
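
The log-scanning cron job suggested in this message, sketched as an added example that is not part of the original thread: it parses lines in the layout quoted above, counts 400/404 responses per client, and prints an ipchains deny rule for review rather than running it. The function names, thresholds, allow list and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Layout quoted in the thread:
# ip - "user" [time] "request" status bytes "referer" "agent" extra
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ "[^"]*" \[[^\]]+\] '
    r'"[^"]*" (?P<status>\d{3}) '
)

def count_client_errors(lines):
    """Return (requests per IP, 400/404 responses per IP) as Counters."""
    total, errors = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is in some other format; ignore it
        total[m["ip"]] += 1
        if m["status"] in ("400", "404"):
            errors[m["ip"]] += 1
    return total, errors

def offenders(lines, min_errors=100, min_ratio=0.5, allow=()):
    """IPs with many 400/404s that also make up most of their traffic."""
    total, errors = count_client_errors(lines)
    return sorted(ip for ip, n in errors.items()
                  if n >= min_errors and n / total[ip] >= min_ratio
                  and ip not in allow)  # never block allow-listed hosts

def ipchains_rule(ip):
    """Format a deny rule; reject anything that is not a valid IPv4 address."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return f"ipchains -A input -s {ip} -j DENY"

def _line(ip, path, status):  # builds one constructed sample log line
    return (f'{ip} - "-" [04/Nov/2000:04:36:22 -0800] "GET {path} HTTP/1.0" '
            f'{status} 265 "-" "ExampleAgent/1.0" 5740')

# Constructed sample data using documentation address ranges.
SAMPLE = ([_line("192.0.2.10", f"/missing{i}.html", 404) for i in range(3)]
          + [_line("192.0.2.10", "/../../../", 400)] * 2
          + [_line("192.0.2.10", "/index.html", 200)]
          + [_line("198.51.100.7", "/index.html", 200)] * 3
          + [_line("198.51.100.7", "/old.html", 404)])

if __name__ == "__main__":
    for ip in offenders(SAMPLE, min_errors=5):
        print(ipchains_rule(ip))
```

Requiring both an absolute error count and an error ratio keeps a busy but well-behaved client with a few stale links from being flagged alongside the noisy one.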
