Re: Unusual GET requests

2003-10-22 Thread Rachael Treu

Though it appears that you've been able to collect some off-list 
factoids, I think that a little open forum speculation regarding 
the squawking in your logs might be beneficial to others on the 
list, so as follows is my $0.02(nego).

It's my patently paranoid impression that the gloveless probing 
you're seeing is the work of a curious and sleazy little spider, 
called by way of perl to scour your playground for PAD-files.  
While PAD files can be used to contribute to a philanthropic 
information-sharing/snaring schema, drilling down several links 
into a page served up by such a query makes quickly available a 
buffet of email addresses.

This, coupled with the always suspicious poking being done by a 
cable user, suggests that the spider is being brought to you by 
a compromised host at the other end of that modem, for the purposes 
of harvesting email addresses, and...you guessed it...spamming.

My advice to you is to hound the offender's ISP, and have fun doing it.
:)

ymmv,
--ra

--
K. Rachael Treu, CISSP  rara at navigo dot com
rara at sleepdeficit dot com
..this blurb has been brought to you by the letters 'v' and 'i'..


On Tue, Oct 21, 2003 at 08:59:22PM -0400, Brian Bruns said something to the effect of:
> 
> Hmmm, this is probably offtopic, but I can't seem to find anything online
> which explains this and I've never seen it before.
> 
> Maybe someone else here has seen this in their logs or has any idea what
> would do this?
> 
> It's obviously trying to gather some sort of information, could it be a
> prelude to some sort of DoS or exploit that's not publicly known yet?
> 
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /PAD-FILE HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-file HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /Padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /padfiles HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
> 
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> ICQ: 8077511
> 
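The pattern Rachael describes in the log quoted above (one client, one user agent, a burst of 404s for every capitalisation of the same few path names within a few seconds) is easy to pick out of an access log automatically. The script below is an added example and is not code from anyone in this thread: it parses Apache combined-format lines, groups them by client IP and user agent, folds the spelling variants of a path onto one key, and reports clients that probe several spellings of the same name and get nothing but 404s for them in a short window. The sample log is constructed from the lines quoted above plus a benign browser client; the regex, the thresholds and the normalisation rule are assumptions you would tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA "combined" log line. The pattern is an assumption that matches
# the lines quoted in this thread; adjust it if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def normalize_path(path):
    """Fold the spellings a name-guessing scanner cycles through onto one key."""
    return path.lower().replace("-", "").replace("_", "").rstrip("/")


def find_case_probers(lines, min_variants=4, max_span_seconds=60):
    """
    Group requests by (client IP, user agent) and report clients that ask for
    at least `min_variants` distinct spellings of the same path within
    `max_span_seconds` and receive only 404s for those requests.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_client[(rec["ip"], rec["ua"])].append(rec)

    findings = []
    for (ip, ua), recs in by_client.items():
        spellings = defaultdict(set)
        for r in recs:
            spellings[normalize_path(r["path"])].add(r["path"])
        # Only names that were requested under several different spellings count.
        probed = {k: len(v) for k, v in spellings.items() if len(v) >= min_variants}
        if not probed:
            continue
        hits = [r for r in recs if normalize_path(r["path"]) in probed]
        span = (max(r["ts"] for r in hits) - min(r["ts"] for r in hits)).total_seconds()
        # A real visitor who eventually finds the page gets a 200; a guesser gets 404s.
        if span > max_span_seconds or any(r["status"] != 404 for r in hits):
            continue
        findings.append({"ip": ip, "ua": ua, "probed": probed,
                         "requests": len(hits), "span_seconds": span})
    return findings


# Constructed sample: a subset of the probe quoted in the thread plus one ordinary
# browser client (192.0.2.10 is a documentation address, not a real visitor).
SAMPLE_LOG = """\
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404 320 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404 321 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
192.0.2.10 - - [21/Oct/2003:19:48:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [21/Oct/2003:19:48:03 -0500] "GET /favicon.ico HTTP/1.1" 404 300 "http://example.invalid/" "Mozilla/5.0 (constructed)"
"""

if __name__ == "__main__":
    for f in find_case_probers(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} ({f['ua']}): {f['requests']} 404s for {f['probed']} "
              f"within {f['span_seconds']:.0f}s")
```

The browser client is not reported even though it also produced a 404, because it asked for each name only once. Lowering `min_variants` to 3 makes the three-spelling names (`/pad`, `/pad-files`) count as well and the whole seven-second burst is reported as one finding. Feeding the script a real log (`find_case_probers(open("access.log"))`) gives you a short list of (IP, user agent) pairs to look at, which is the evidence you want in hand before contacting the ISP as suggested above.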
Re: Unusual GET requests

2003-10-21 Thread Kee Hinckley
At 8:59 PM -0400 10/21/03, Brian Bruns wrote:
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"
That's VeriSign's new spell corrector DNS wildcard.

:-)
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


Re: Unusual GET requests

2003-10-21 Thread Brian Bruns

Thanks to everyone who's responded.  We were a bit concerned because of all
the lovely new exploits going around as of late, and had no idea what it was
up to (considering it was coming from a cable modem, it threw up a red
flag).

Sorry to bother everyone :)
--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
- Original Message - 
From: "Benjamin Krueger" <[EMAIL PROTECTED]>
To: "Brian Bruns" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, October 21, 2003 9:20 PM
Subject: Re: Unusual GET requests


> * Brian Bruns ([EMAIL PROTECTED]) [031021 18:01]:
> >
> > Hmmm, this is probably offtopic, but I can't seem to find anything online
> > which explains this and I've never seen it before.
> >
> > Maybe someone else here has seen this in their logs or has any idea what
> > would do this?
> >
> > It's obviously trying to gather some sort of information, could it be a
> > prelude to some sort of DoS or exploit that's not publicly known yet?
> [ ... snip loggy type stuff ... ]
>
> http://www.asp-shareware.org/pad/
>
> -- 
> Benjamin Krueger
>
> Confidence is the mother of success. Cockiness is a mother of a time bomb.
>