-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I found him as well. :)

Going through my web server logs the past few days, that IP (numeric) was
also listed in there, same useragent string. You can find out what he's up to:

http://209.126.176.3:8081/

On each connection to my site, all he got was a nonexistent robots.txt &
the index page. Each visit, nothing different. When I checked his "pending
urls" - they were all a bunch of Yahoo IPs. :)

- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.
http://www.gigguardian.com/
- -----

On Mon, 13 May 2002, Jay D. Dyson wrote:

> On Mon, 13 May 2002, Chip McClure wrote:
>
> > I don't have any luck finding out any info on ocg-corp.com either. :(
> > I've got a few of the hits in my webserver logs, the same as you. My
> > guess, someone's spoofing the reverse dns on it. Kinda sounds like
> > someone is doing some very hard spidering on your site.
>
> My experiment paid off. I figured the spider would goof at some
> point and cough up the IP address and I was happy to find this was true.
>
> Here's what I have on this spider. First, I did a search through
> my Apache logs looking for all instances of 'gw.ocg-corp.com' in hopes
> that there was a 404 (not found) happening somewhere in its spidering.
> Sure enough, I found this:
>
> gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbinat_private)"
>
> Keep in mind that though one's Apache configuration may be set to
> resolve IP addresses to domain names, Apache nonetheless logs only the IP
> address in its error logs. Thus, I correlated the above 404 with my
> 9-11justice_org-error.log and found the following:
>
> [Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt
>
> From there, it was all over but the shouting...
>
> $ nslookup 209.126.176.3
> Server:  localhost
> Address:  127.0.0.1
>
> Name:    gw.ocg-corp.com
> Address:  209.126.176.3
>
> And there we have the culprit. Who wants to throw the clue mallet
> at 'em? ;)
>
> -Jay
>
>    (    (                                                         _______
>    ))   ))   .--"There's always time for a good cup of coffee"--.  >====<--.
>  C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
>   `--' `--'  `-- They know the rules. We know the loopholes. --'  `------'
>
> ------------ Output from pgp ------------
> Pretty Good Privacy(tm) Version 6.5.8
> Internal development version only - not for general release.
> (c) 1999 Network Associates Inc.
> Export of this software may be restricted by the U.S. government.
> File is signed. signature not checked.
> Signature made 2002/05/13 22:44 GMT
> key does not meet validity threshold.
> WARNING: Because this public key is not certified with a trusted
> signature, it is not known with high confidence that this public key
> actually belongs to: "(KeyID: 0xB94CFBC1)".
> wiping file pgptemp.$00
> wiping file pgptemp.$01
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPOBD9puKtP8CSC69EQLRyACbBkmjbjl1Rk/nWizbuaPB7BtoGKcAoJyi
sbpWLQ9VZkLDx5yFcXqsCRyO
=0piZ
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
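The correlation described in the quoted message (a 404 in the access log, where the client shows up as a resolved hostname, matched against the error log, which records the raw client IP), as an added example that is not part of the original messages. The function name, the two-second tolerance and the assumption that both logs use the same local time are choices made for this example; the two sample log lines are the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Sample lines as quoted in the thread above.
ACCESS_LOG = [
    'gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" '
    '404 4472 "-" "WinampMPEG/2.00 (larbinat_private)"',
]
ERROR_LOG = [
    '[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] '
    'File does not exist: /hosts/virtual/9-11justice.org/robots.txt',
]

# host, local timestamp (zone offset dropped), request path, status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [+-]\d{4}\] "\S+ (\S+)[^"]*" (\d{3}) ')
# timestamp, client IP, filesystem path of the missing file
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([\d.]+)\] File does not exist: (\S+)')


def hosts_to_ips(access_lines, error_lines, host, tolerance=timedelta(seconds=2)):
    """Return client IPs whose error-log entries line up with the host's 404s."""
    # Assumption: error-log timestamps (no zone) are in the access log's local time.
    errors = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            errors.append((ts, m.group(2), m.group(3)))
    ips = set()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(1) != host or m.group(4) != "404":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        path = m.group(3).split("?", 1)[0]  # drop any query string
        for ets, ip, fspath in errors:
            # Same moment (within tolerance) and the missing file ends with the URL path.
            if abs(ets - ts) <= tolerance and fspath.endswith(path):
                ips.add(ip)
    return ips


if __name__ == "__main__":
    print(hosts_to_ips(ACCESS_LOG, ERROR_LOG, "gw.ocg-corp.com"))
```

More than one address in the result means several clients missed the same file inside the tolerance window, so the match is ambiguous and needs a second 404 to narrow down.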
This archive was generated by hypermail 2b30 : Mon May 13 2002 - 16:02:15 PDT