
Re: 404 - Conspiracy?

  • Subject: Re: 404 - Conspiracy?
  • From: Roy Schestowitz <newsgroups@schestowitz.com>
  • Date: Mon, 01 Aug 2005 04:34:29 +0100
  • Newsgroups: alt.www.webmaster
  • Organization: schestowitz.com / Manchester University
  • References: <dc9gd7$1ji1$1@godfrey.mcc.ac.uk> <1i1din28fi0cc$.dlg@markparnell.com.au> <dca0cs$2tv0$1@godfrey.mcc.ac.uk> <1122541249.1028.0@lotis.uk.clara.net> <dcapl8$3f5$1@godfrey.mcc.ac.uk> <1122563000.12502.0@lotis.uk.clara.net> <dcat3a$4eg$1@godfrey.mcc.ac.uk> <dcc1vj$dt1$1@godfrey.mcc.ac.uk> <1122725974.421127.70200@f14g2000cwb.googlegroups.com> <1122801853.778840.110580@g49g2000cwa.googlegroups.com> <dciqqm$2om1$1@godfrey.mcc.ac.uk> <Pine.GSO.3.95.iB1.0.1050731171331.14059B-100000@halifax.chebucto.ns.ca> <3l4tpeF110ecrU1@individual.net>
  • Reply-to: newsgroups@schestowitz.com
  • User-agent: KNode/0.7.2
Mak wrote:

> "Norman L. DeForest" <af380@chebucto.ns.ca> wrote in message
> news:Pine.GSO.3.95.iB1.0.1050731171331.14059B-100000@halifax.chebucto.ns.ca...
>>
>> On Sun, 31 Jul 2005, Roy Schestowitz wrote:
>>
>>> Spamhuntress wrote:
>>>
>>> > In my haste, I made a few wrong conclusions here. First of all, the
>>> > 301 status code, which we don't see too often, is "moved permanently",
>>> > not 304 "not modified". So it's my server that sends the second
>>> > request, not the other way around. The bot only asks for the files by
>>> > all small caps, and the software (the wiki) ensures the request goes
>>> > to the right file.
>>> >
>>> > Sorry for the confusion...
>>>
>>> It was still useful to find out about these patterns of IP addresses. I
>>> have no clue why such network addresses have interest in fairly random
>>> pages and why they refuse to request pages whose address is valid.
>>>
>>> Some other IPs that violate uppercase-lowercase conventions (only a few
>>> times a week) are automated guestbook spammers.
>>
>> <speculation type="completely wild">
>>
>> Is it possible that they are targeting vulnerable Windows systems?
>> Windows is case-insensitive for file names so if you know that a file
>> or directory named "AbCdEf" exists and you try to fetch "abcdef" and it
>> fails, you know the system is not Windows.  If "abcdef" works, the system
>> is probably a Windows system and can have its IP address cached for
>> further vulnerability tests (possibly from some other source).
>>
>> </speculation>
>>
> 
> 
> Ahhh, I like your thinking.
> 
> search for
> "InDEx.hTMl"
> type of thing.
> 
> instead of the old "admin/login.asp" that many are getting wise to.

I suspect you're on to some good line of thinking. I sometimes get tempted
(curiosity) to see if a site which I visit runs on Linux or Windows. I have
never intentionally converted a letter to uppercase to get an answer
though. It's unethical. Someone I know gets an E-mail for any 404 that is
raised.

There has been a DoS attack on my shared server in the past. However, it was
exploiting a notorious vulnerability in phpBB, so whether it's Linux or
Windows underneath, that won't make a difference. Maybe those bastards are
collecting some statistics... request files from 80 million sites, spam
their error logs (Linux users only) and then come up with a one-page
'study'.... anyway, that's the conspiracy theorists' view...

Roy

-- 
Roy S. Schestowitz
http://Schestowitz.com
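
An added example, not part of the original thread: one way to surface the pattern discussed above from an access log, by flagging clients whose requested path matches a real path only when letter case is ignored. The path list, log lines and IP addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data: paths assumed to exist on the site, in their real case.
KNOWN_PATHS = {"/wiki/HomePage", "/wiki/SpamList", "/index.html"}

# Constructed log lines in Apache common-log style (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2005:10:00:01 +0100] "GET /wiki/homepage HTTP/1.1" 301 245
192.0.2.10 - - [31/Jul/2005:10:00:03 +0100] "GET /wiki/spamlist HTTP/1.1" 301 245
198.51.100.7 - - [31/Jul/2005:10:02:11 +0100] "GET /InDEx.hTMl HTTP/1.1" 404 209
203.0.113.5 - - [31/Jul/2005:10:03:40 +0100] "GET /wiki/HomePage HTTP/1.1" 200 5120
203.0.113.5 - - [31/Jul/2005:10:03:52 +0100] "GET /missing.html HTTP/1.1" 404 209
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})\b'
)

def case_variant_hits(log_text, known_paths):
    """Map client IP -> [(requested, canonical, status)] for requests that
    equal a known path only after case folding (exact matches are ignored)."""
    by_folded = {p.lower(): p for p in known_paths}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]  # ignore any query string
        canonical = by_folded.get(path.lower())
        if canonical is not None and path != canonical:
            # The status is what the client learned: 404 on a case-sensitive
            # server, 301/200 where the server or application folds case.
            hits[ip].append((path, canonical, status))
    return dict(hits)

def repeat_offenders(hits, threshold=2):
    """Clients with at least `threshold` case-variant requests."""
    return sorted(ip for ip, rows in hits.items() if len(rows) >= threshold)

if __name__ == "__main__":
    found = case_variant_hits(SAMPLE_LOG, KNOWN_PATHS)
    for ip, rows in sorted(found.items()):
        print(ip, rows)
    print("repeat:", repeat_offenders(found))
```

Plain 404s for paths that never existed, such as the last sample line, are deliberately not counted, so ordinary broken links do not drown out the case-variant requests.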
