Hi,
We always see the normal probes for known insecure CGI scripts, and spiders
keep our logs full. But lately there have been a huge number of requests
for resources that are not on our server (even not counting Code Red II).
It looks like someone is spidering another server, yet sending requests to
our machine -- the requests don't really look like probes for insecure
scripts, rather just for files that are not and never have been on this
server (or any related virtual hosts).
Does everyone else see these? What's the deal? Are they really probes or
some spider run amok?
Right now someone is looking for things like:
/r/dr
/r/g3
/r/sb
/r/sw
/r/s/2
/r/a/booth
/r/s/pp
/NowPlaying
/mymovies/list
/terms
/ootw/1999/oarch99_index.html
I currently have a killfile of IP addresses and a PerlInitHandler that
blocks requests, but it would be nice to automate that process. Are there
any current modules that do this?
Another thing I find odd: this server has three virtual hosts. In the
second and third VH's logs I find requests for files found on the first,
default, VH. I've logged the Host: header and indeed it was there. Odd.
Bill Moseley
mailto:[EMAIL PROTECTED]
