> "Norman L. DeForest" <email@example.com> wrote in message
>> On Sun, 31 Jul 2005, Roy Schestowitz wrote:
>>> Spamhuntress wrote:
>>> > In my haste, I made a few wrong conclusions here. First of all, the
>>> > 301 status code, which we don't see too often, is "moved permanently",
>>> > not 304 "not modified". So it's my server that sends the second
>>> > request, not the other way around. The bot only asks for the files by
>>> > all small caps, and the software (the wiki) ensures the request goes
>>> > to the right file.
>>> > Sorry for the confusion...
>>> It was still useful to find out about these patterns of IP addresses. I
>>> no clue why such network addresses have interest in fairly random pages
>>> why they refuse to request for pages whose address is valid.
>>> Some other IP's that violate uppercase-lowercase conventions (only a few
>>> times a week) are automated guestbook spammers.
>> <speculation type="completely wild">
>> Is it possible that they are targetting vulnerable Windows systems?
>> Windows is case-insensitive for file names so if you know that a file
>> or directory named "AbCdEf" exists and you try to fetch "abcdef" and it
>> fails, you know the system is not Windows. If "abcdef" works, the system
>> is probably a Windows system and can have its IP address cached for
>> further vulnerability tests (possibly from some other source).
> Ahhh, I like your thinking.
> search for
> type of thing.
> instead of the old "admin/login.asp" that many are getting wise to.
I suspect you're on to some good line of thinking. I sometimes get tempted
(curiosity) to see if a site which I visit runs on Linux or Windows. I have
never intentionally converted a letter to uppercase to get an answer
though. It's unethical. Someone I know gets an E-mail for any 404 that is
There has been a DoS attack on my shared server in the past. However, it was
exploiting a notorious vulnerability in phpBB, so whether it's Linux or
Windows underneath, that won't make a difference. Maybe those bastards are
collecting some statistics... request files from 80 millions sites, spam
their error logs (Linux users only) and then come up with a one-page
'study'.... anyway, that's the conspiracy theorists' view...
Roy S. Schestowitz