On Mon, May 13, 2002 at 02:43:28PM -0700, netscienceat_private wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> gw.ocg-corp.com - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2at_private"
> gw.ocg-corp.com - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbinat_private"
>
> Anyone know who or what this is gw.ocg-corp.com been running rampant
> through the logs the past 72 hours, following links even with noindex
> applied, no info on any google searches except last few days indexing
> same, no whois, nothing. Been snooping around the site over and over
        ^^^^^^^^

You'll get better log data if you set "HostnameLookups off" in your
Apache (I assume you're running Apache) config file. Whatever IP has
been hitting you has number->name DNS set to point to gw.ocg-corp.com,
but since ocg-corp.com doesn't exist (and Apache doesn't verify that
results it gets from number->name lookups are valid before logging
them), the log entry is mostly worthless for determining source.

But...

A grep of my web server logs for 'larbin' turned up 14 entries so far
today, all from 209.126.176.3, which may be your match:

--- cut ---
$ host 209.126.176.3
Name: gw.ocg-corp.com
Address: 209.126.176.3

$ host gw.ocg-corp.com
gw.ocg-corp.com does not exist, try again
$ whois 209.126.176.3
California Regional Internet, Inc. (NETBLK-CARI)
   8929A COMPLEX DRIVE
   SAN DIEGO, CA 92123
   US

   Netname: CARI
   Netblock: 209.126.128.0 - 209.126.207.255
   Maintainer: CALI

   Coordinator:
      California Regional Intranet, Inc. (IC63-ARIN) sysadminat_private
      858-974-5080

   Domain System inverse mapping provided by:

   NS1.ASPADMIN.COM 216.98.128.74
   NS2.ASPADMIN.COM 216.98.128.75

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 18-Mar-2002.
   Database last updated on 12-May-2002 19:57:36 EDT.

The ARIN Registration Services Host contains ONLY Internet Network
Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
$
--- cut ---

Broken rdns BAD! However, it wasn't hitting my server anywhere near
hard enough to cause problems. Except for requests for robots.txt,
which usually were immediately followed by another request, the
minimum time observed between requests was a respectable 30 seconds,
and it seemed to obey the restrictions given in my robots.txt.

Larbin (http://larbin.sourceforge.net/index-eng.html), the program
hitting your server, is a web crawler.

> again, all pages, using different user agents in the last 72 hours.

-- 
William Aoki     waokiat_private           /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734                    X
                                           / \

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
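The check that the reply says Apache skips before logging a number->name result, written out as an added example (not part of the original message): a PTR name is accepted only if a forward lookup of that name returns the same address. Function names, the 192.0.2.10 entry, crawler.example.net and the user-agent strings are constructed for illustration; the log is shown as it would look with "HostnameLookups off".

```python
import re
import socket

# Constructed sample: the page's request as it would be logged with
# "HostnameLookups off" (client IP in the first field), plus one
# constructed entry from a documentation address. User agents are made up.
SAMPLE_LOG = """\
209.126.176.3 - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "larbin (constructed)"
192.0.2.10 - - [12/May/2002:20:30:00 -0400] "GET /robots.txt HTTP/1.0" 200 68 "-" "examplebot (constructed)"
"""
# Constructed DNS data mirroring the `host` output in the message: the PTR
# for 209.126.176.3 names a host that has no forward record at all.
SAMPLE_PTR = {"209.126.176.3": "gw.ocg-corp.com", "192.0.2.10": "crawler.example.net"}
SAMPLE_A = {"crawler.example.net": {"192.0.2.10"}}

def system_ptr(ip):
    """Live number->name lookup; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Live name->number lookup; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, ptr=system_ptr, forward=system_forward):
    """Trust a PTR name only if it resolves back to the address that claimed it."""
    name = ptr(ip)
    if name is None:
        return (ip, None, "no-ptr")
    if ip in forward(name):
        return (ip, name, "confirmed")
    return (ip, name, "unverified-ptr")

def audit(log_text, ptr=system_ptr, forward=system_forward):
    """Classify every distinct client IPv4 address in an access log."""
    ips = {m.group(1) for m in re.finditer(r"^(\d{1,3}(?:\.\d{1,3}){3}) ", log_text, re.M)}
    return [classify(ip, ptr, forward) for ip in sorted(ips)]

if __name__ == "__main__":
    # Runs offline against the constructed DNS tables above.
    for row in audit(SAMPLE_LOG, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set())):
        print(row)
```

Calling audit() without the resolver arguments performs live DNS lookups through the system resolver instead of the constructed tables.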
This archive was generated by hypermail 2b30 : Mon May 13 2002 - 15:37:04 PDT