Since September 4th we've had 16987 identical requests from 24.27.115.199 to
our reg_system.cgi.
The request is an HTTP/1.0 POST request with
action=lookup&domain=somedomain.foo&affiliate_id=
The UserAgent is reported as Mozilla Compatible (MS IE 3.01 WinNT) and
it sends a Host header even though it's doing an HTTP/1.0 request.
A quick grep through a few minutes' worth of snort caps shows lookups
for many domain names: mmb.net, tdt.net, mof.com, aol.org, ugm.com,
byq.org, kof.org, y2k.net, 3fs.com, zvv.com, v2t.com, etc.
The script is not hammering us at all (no doubt how they avoided
attention this long); requests are coming in at intervals of 4 seconds up
to over a minute.
I've already contacted RR about this, but I figured I'd mention it just in
case others are experiencing the same.
Do the 2.4 scripts do HTTP_REFERER checking? If not, then I would really
like to see this get added in some build.
Thanks and good night
Matthew
--
Matthew Asham, VE7UDP
Left Coast Systems Corp, SuperWebhost.com
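
Added example, not part of the original post: one way to surface the low-and-slow lookup pattern described above from web server access logs, by grouping POSTs to reg_system.cgi per client and reporting request count, time span and median gap. The Apache combined log format, the /cgi-bin/ path, the thresholds and the sample lines (documentation-range IPs, constructed date) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache combined log format (assumed; the post does not say which server is used).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

def find_slow_enumerators(lines, script="reg_system.cgi", min_requests=5, min_span=60):
    """Return {ip: stats} for clients that POST to `script` steadily over a long span."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or script not in m["path"]:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, m["proto"], m["ua"]))
    flagged = {}
    for ip, reqs in hits.items():
        times = sorted(r[0] for r in reqs)
        span = (times[-1] - times[0]).total_seconds()
        # A slow script never trips a per-second rate limit, so look at
        # sustained volume over time instead of burst rate.
        if len(reqs) < min_requests or span < min_span:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        flagged[ip] = {
            "requests": len(reqs),
            "span_s": span,
            "median_gap_s": median(gaps),
            "protocols": sorted({r[1] for r in reqs}),
            "user_agents": sorted({r[2] for r in reqs}),
        }
    return flagged

# Constructed sample data: one slow scripted client, one ordinary visitor.
BASE = datetime(2001, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

def make_line(ip, offset, proto, ua):
    ts = BASE + timedelta(seconds=offset)
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
            f'"POST /cgi-bin/reg_system.cgi {proto}" 200 512 "-" "{ua}"')

SAMPLE_LOG = [make_line("192.0.2.10", s, "HTTP/1.0", "Mozilla Compatible (MS IE 3.01 WinNT)")
              for s in (0, 4, 20, 65, 90, 130)]
SAMPLE_LOG += [make_line("198.51.100.7", s, "HTTP/1.1", "Mozilla/4.0 (compatible; MSIE 5.5)")
               for s in (10, 40)]

if __name__ == "__main__":
    for ip, stats in find_slow_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds are sized for the sample; against real logs they would be set relative to normal registration traffic and a much longer window.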