Reallyl fouled up scans from linux15.ebar.dtu.dk

From: Joshua J. Kugler (isdat_private)
Date: Tue May 22 2001 - 12:38:22 PDT

Next message: Guido Van De Velde: "What's on 4662 ?"

Previous message: Dave Garn: "RE: IP_MASQ:reverse ICMP: failed checksum from www.xxx.yyy.zzz!"
Reply: Daniel Martin: "Re: Reallyl fouled up scans from linux15.ebar.dtu.dk"
Reply: Daniel CHIRITA: "RE: Reallyl fouled up scans from linux15.ebar.dtu.dk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This morning, Webalizer went nuts with a whole bunch of "Warning: Truncating 
oversized request field [line number]" messages.  Over 450K worth.  An 
investigation of my Apache logs shows requests like these:

130.225.77.30 - - [11/May/2001:12:17:26 -0800] "GET 
/sic/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stugov/stuweb.shtml 
HTTP/1.0" 401 4292 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"

A lot of the requests are good, it looks like he was trying to traverse the 
tree.  Every now and then, there are requests of the form:

/~EgggNoggg/Testing/?D=A

Is the ?D=A testing for some hole?

Here are some other odd ones
130.225.77.30 - - [11/May/2001:11:33:06 -0800] 
"GET/~havolina/%20%20%20%20%20%20%20http://www.cicv.fr/creation_artistique/online/orlan/index.html 
HTTP/1.0" 404 386 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"

130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 
200 698
130.225.77.30 - - [11/May/2001:11:34:37 -0800] "GET /~ftrtp/?N=A HTTP/1.0" 
200 698 "-" "Mozilla 4.0 (compatible; HttpTool/
0.1)"
130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 
200 698
130.225.77.30 - - [11/May/2001:11:34:40 -0800] "GET /~ftrtp/?M=D HTTP/1.0" 
200 698 "-" "Mozilla 4.0 (compatible; HttpTool/
0.1)"
130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 
200 698
130.225.77.30 - - [11/May/2001:11:34:42 -0800] "GET /~ftrtp/?S=D HTTP/1.0" 
200 698 "-" "Mozilla 4.0 (compatible; HttpTool/
0.1)"
130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 
200 698
130.225.77.30 - - [11/May/2001:11:34:45 -0800] "GET /~ftrtp/?D=D HTTP/1.0" 
200 698 "-" "Mozilla 4.0 (compatible; HttpTool/
0.1)"

Yes, I realized these are 11/May.  These must have been buried under some 
other error messages in Webalizer, so I didn't catch them until now. Sorry.

Any pointers would be great

j----- k-----

-- 
Joshua Kugler
Associated Students of the University of Alaska Fairbanks
Information Services Director
isdat_private
907-474-7601

Next message: Guido Van De Velde: "What's on 4662 ?"
Previous message: Dave Garn: "RE: IP_MASQ:reverse ICMP: failed checksum from www.xxx.yyy.zzz!"
Reply: Daniel Martin: "Re: Reallyl fouled up scans from linux15.ebar.dtu.dk"
Reply: Daniel CHIRITA: "RE: Reallyl fouled up scans from linux15.ebar.dtu.dk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 22 2001 - 17:05:58 PDT