Really fouled up scans from linux15.ebar.dtu.dk

From: Joshua J. Kugler (isdat_private)
Date: Tue May 22 2001 - 12:38:22 PDT


    This morning, Webalizer went nuts with a whole bunch of "Warning: Truncating 
    oversized request field [line number]" messages.  Over 450K worth.  An 
    investigation of my Apache logs shows requests like these:
    
    130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET 
    /sic/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stuweb.shtml 
    HTTP/1.0" 401 4292 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    
    A lot of the requests are good; it looks like he was trying to traverse the 
    tree.  Every now and then, there are requests of the form:
    
    /~EgggNoggg/Testing/?D=A
    
    Is the ?D=A testing for some hole?
    
    Here are some other odd ones:
    130.225.77.30 - - [11/May/2001:11:33:06 -0800] 
    "GET/~havolina/%20%20%20%20%20%20%20http://www.cicv.fr/creation_artistique/online/orlan/index.html 
    HTTP/1.0" 404 386 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    
    130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698
    130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698
    130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698
    130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698
    130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"
    
    Yes, I realized these are 11/May.  These must have been buried under some 
    other error messages in Webalizer, so I didn't catch them until now. Sorry.
    
    Any pointers would be great.
    
    j----- k-----
    
    -- 
    Joshua Kugler
    Associated Students of the University of Alaska Fairbanks
    Information Services Director
    isdat_private
    907-474-7601
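
A triage sketch for the three request patterns in the message above, added here as an example and not part of the original post: it tags long runs of a repeated path segment (consistent with a crawler looping on a relative link), the `?N=A`-style query strings that Apache's mod_autoindex generates as column-sort links in directory listings, and URLs embedded in the request path. The `classify` function, the tag names and the `max_repeat` threshold are assumptions; the sample lines are adapted from the post, with the looping path shortened.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target HTTP/x.y" status
# The space after the method is optional because one logged request in the post lacks it.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ ?(\S+) HTTP/\d\.\d" (\d{3})')
# mod_autoindex sort links: column (Name, Modified, Size, Description) = Ascending/Descending
AUTOINDEX_RE = re.compile(r'^[NMSD]=[AD]$')

def longest_segment_run(path):
    """Length of the longest run of identical consecutive path segments."""
    best = run = 0
    prev = None
    for seg in (s for s in path.split('/') if s):
        run = run + 1 if seg == prev else 1
        best = max(best, run)
        prev = seg
    return best

def classify(line, max_repeat=5):
    """Return (host, status, tags) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, target, status = m.group(1), m.group(2), int(m.group(3))
    path, _, query = target.partition('?')
    tags = []
    if longest_segment_run(path) >= max_repeat:
        tags.append('path-loop')        # same directory name repeated many times
    if AUTOINDEX_RE.match(query):
        tags.append('autoindex-sort')   # directory-listing sort link, not a payload
    if re.search(r'https?://', unquote(path)):
        tags.append('embedded-url')     # absolute URL glued onto a local path
    return host, status, tags

# Constructed sample: lines adapted from the post; the stugov loop is cut to 8 repeats.
UA = ' "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"'
SAMPLE = [
    '130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET /sic/' + 'stugov/' * 8
    + 'stuweb.shtml HTTP/1.0" 401 4292' + UA,
    '130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 200 698' + UA,
    '130.225.77.30 - - [11/May/2001:11:33:06 -0800] "GET/~havolina/%20%20%20http://www.cicv.fr/'
    'creation_artistique/online/orlan/index.html HTTP/1.0" 404 386' + UA,
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
```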
    



    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 17:05:58 PDT