From: Will Aoki (waokiat_private)
Date: Mon May 13 2002 - 15:19:45 PDT


    [rewrapped lines]
    On Mon, May 13, 2002 at 02:43:28PM -0700, netscienceat_private wrote:
    > Hash: SHA1
    > - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2at_private"
    > - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbinat_private"
    > Anyone know who or what this is been running rampant
    > through the logs the past 72 hours, following links even with noindex
    > applied, no info on any google searches except last few days indexing
    > same, no whois, nothing. Been snooping around the site over and over
                                                                  ^^^^^^^^
    You'll get better log data if you set "HostnameLookups off" in your
    Apache (I assume you're running Apache) config file. Whatever IP has
    been hitting you has number->name DNS set to point to,
    but since doesn't exist (and Apache doesn't verify that
    results it gets from number->name lookups are valid before logging
    them), the log entry is mostly worthless for determining source.
    A grep of my web server logs for 'larbin' turned up 14 entries so far
    today, all from, which may be your match:
    --- cut ---
    $ host
    $ host does not exist, try again
    $ whois
    California Regional Internet, Inc. (NETBLK-CARI)
       8929A COMPLEX DRIVE
       SAN DIEGO, CA 92123
       Netname: CARI
       Netblock: -
       Maintainer: CALI
          California Regional Intranet, Inc.  (IC63-ARIN)  sysadminat_private
       Domain System inverse mapping provided by:
       Record last updated on 18-Mar-2002.
       Database last updated on  12-May-2002 19:57:36 EDT.
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at for DOMAIN related
    Information and for NIPRNET Information.
    --- cut ---
    Broken rdns BAD!
    However, it wasn't hitting my server anywhere near hard enough to
    cause problems. Except for requests for robots.txt, which usually were
    immediately followed by another request, the minimum time observed
    between requests was a respectable 30 seconds, and it seemed to obey
    the restrictions given in my robots.txt.
    Larbin (, the program
    hitting your server, is a web crawler.
    > again, all pages, using different user agents in the last 72 hours.
    William Aoki     waokiat_private       /"\  ASCII Ribbon Campaign
    B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
    99AF A093 29AE 0AE1 9734                    X
                                               / \
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Mon May 13 2002 - 15:37:04 PDT
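
A forward-confirmed reverse DNS check for the problem described in the message above (a logged number->name result that does not resolve back to the client address), added here as an example that is not part of the original post. The function names and the 192.0.2.x / example.net sample data are constructed for illustration.

```python
import ipaddress
import socket

def ptr_names(ip):
    """Reverse (number->name) lookup; [] when the address has no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # covers socket.herror and socket.gaierror
        return []
    return [name] + aliases

def forward_addrs(name):
    """Forward (name->number) lookup; empty set when the name does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, reverse=ptr_names, forward=forward_addrs):
    """Return (verdict, value_to_log); a name is trusted only if it maps back to ip."""
    want = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return ("no-ptr", ip)
    for name in names:
        # Drop any IPv6 scope suffix before comparing parsed addresses.
        if any(ipaddress.ip_address(a.split("%")[0]) == want for a in forward(name)):
            return ("confirmed", name)
    # PTR exists but is dangling or points elsewhere: log the address, not the name.
    return ("unconfirmed", ip)

# Constructed sample data (documentation ranges) standing in for live DNS.
PTR = {
    "192.0.2.10": ["crawler.example.net"],  # PTR and A record agree
    "192.0.2.20": ["missing.example.net"],  # PTR names a host that does not exist
    "192.0.2.40": ["www.example.org"],      # PTR names a host owned by someone else
}
FWD = {
    "crawler.example.net": {"192.0.2.10"},
    "www.example.org": {"198.51.100.5"},
}

def demo():
    """Classify the constructed addresses without touching the network."""
    ips = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    return {ip: classify(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, set()))
            for ip in ips}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, *result)
```

Called with the default resolvers, `classify()` performs live DNS lookups for the address it is given.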