[Dshield] Server

Craig Webster craig at xeriom.net
Fri Aug 19 13:32:01 GMT 2005

On Fri, August 19, 2005 14:15, Johannes B. Ullrich said:
>> - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A
>> HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT;
>> ....../1.0 )"

> So nothing malicious per se. Spiders may follow these links.


> Overall, this looks like a distributed scan from a bot/search engine. I
> don't see any major problem here. They essentially just used a script to
> hit every page on your site. you may need to clamp down on some of your
> authentication if some of these files are supposed to be restricted.

I agree that it looks like a search engine spidering the site but the
whois output (http://www.whois.sc/ seems to say that it's
from a regular home user. Whois on some of the other IP addresses in the
logs say the same so it could be something trying to do something
naughty... or it could just be a few curious users clicking at random or
downloading your entire site.

What version of AWStats do you use? Older versions have some exploits that
can be used for some "fun" tricks. There's an older Dshield post that
shows you what the logs look like - have a look for these lines:

Craig Webster | e  : craig at xeriom.net   | monkeys && beer == true
Xeriom.NET    | web: http://xeriom.net/ | monkeys + beer == multiboom

More information about the list mailing list