> > On Tue, 26 Aug 2003 bugtraqat_private wrote: > > > This is a perfectly valid http request. Opening up a raw connection to "vh.org" I see the following. > > > > Request > > GET / HTTP/1.0 > > Host: vh.org > > Valid yes. Suspicious, also yes. Any of the many client browsers, indeed > many web spiders will at least send an Agent header. The sparse request Yes many will, but not all. I know of people who have designed spiders for the company they work for without assigning a user-agent header. Most search engines on the otherhand will assign one for their spiders. I agree though it is fairly common to assign one. Have you tried identifying the owner of the ip address/blocks? I'm curious if perhaps it is a "in house" spider that perhaps isn't working/designed properly(like someone checking to see if they site has changed). > alone does not equal hositile intent, I agree. However, the same user > attempting to visit the URL "http://vh.org/" every five minutes, 24/7? Not > normal behavior. > Ah, I overlooked this at the bottom of your post my bad. --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 23:41:15 PDT