Mak wrote:
> "Norman L. DeForest" <af380@chebucto.ns.ca> wrote in message
> news:Pine.GSO.3.95.iB1.0.1050731171331.14059B-100000@halifax.chebucto.ns.ca...
>>
>> On Sun, 31 Jul 2005, Roy Schestowitz wrote:
>>
>>> Spamhuntress wrote:
>>>
>>> > In my haste, I made a few wrong conclusions here. First of all, the
>>> > 301 status code, which we don't see too often, is "moved permanently",
>>> > not 304 "not modified". So it's my server that sends the second
>>> > request, not the other way around. The bot only asks for the files by
>>> > all small caps, and the software (the wiki) ensures the request goes
>>> > to the right file.
>>> >
>>> > Sorry for the confusion...
>>>
>>> It was still useful to find out about these patterns of IP addresses. I
>>> have no clue why such network addresses have interest in fairly random
>>> pages and why they refuse to request for pages whose address is valid.
>>>
>>> Some other IP's that violate uppercase-lowercase conventions (only a few
>>> times a week) are automated guestbook spammers.
>>
>> <speculation type="completely wild">
>>
>> Is it possible that they are targeting vulnerable Windows systems?
>> Windows is case-insensitive for file names so if you know that a file
>> or directory named "AbCdEf" exists and you try to fetch "abcdef" and it
>> fails, you know the system is not Windows. If "abcdef" works, the system
>> is probably a Windows system and can have its IP address cached for
>> further vulnerability tests (possibly from some other source).
>>
>> </speculation>
>>
>
>
> Ahhh, I like your thinking.
>
> search for
> "InDEx.hTMl"
> type of thing.
>
> instead of the old "admin/login.asp" that many are getting wise to.

I suspect you're on to some good line of thinking. I sometimes get tempted
(curiosity) to see if a site which I visit runs on Linux or Windows. I have
never intentionally converted a letter to uppercase to get an answer
though. It's unethical. Someone I know gets an E-mail for any 404 that is
raised.

There has been a DoS attack on my shared server in the past. However, it was
exploiting a notorious vulnerability in phpBB, so whether it's Linux or
Windows underneath, that won't make a difference. Maybe those bastards are
collecting some statistics... request files from 80 million sites, spam
their error logs (Linux users only) and then come up with a one-page
'study'.... anyway, that's the conspiracy theorists' view...

Roy
--
Roy S. Schestowitz
http://Schestowitz.com
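
An added example, not part of the original post or thread: one way a site operator could pull the case-mismatch pattern discussed above out of an access log, grouping by client IP the requests that match a real path only when case is ignored (whether the server answered 301 or 404). The known paths, log lines, IP addresses and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: paths as they really exist on a case-sensitive server.
KNOWN_PATHS = {"/wiki/HomePage", "/wiki/RecentChanges", "/guestbook/Sign.php"}

# Constructed Common Log Format lines (documentation-only IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2005:10:00:01 +0000] "GET /wiki/homepage HTTP/1.1" 301 245
192.0.2.10 - - [31/Jul/2005:10:00:02 +0000] "GET /wiki/HomePage HTTP/1.1" 200 5120
192.0.2.10 - - [31/Jul/2005:10:00:09 +0000] "GET /wiki/recentchanges HTTP/1.1" 301 245
198.51.100.7 - - [31/Jul/2005:10:02:00 +0000] "GET /wiki/HomePage HTTP/1.1" 200 5120
203.0.113.5 - - [31/Jul/2005:10:03:00 +0000] "POST /guestbook/sign.php HTTP/1.0" 404 312
198.51.100.7 - - [31/Jul/2005:10:04:00 +0000] "GET /missing.html HTTP/1.1" 404 312
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def case_mismatches(log_text, known_paths):
    """Return {client_ip: [(method, requested, canonical, status), ...]} for
    requests that equal a known path only after case folding."""
    by_folded = {p.lower(): p for p in known_paths}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # compare the path, not the query string
        canonical = by_folded.get(path.lower())
        # An exact match is a normal request; an unknown path is a plain 404.
        if canonical is not None and path != canonical:
            hits[ip].append((method, path, canonical, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for ip, rows in sorted(case_mismatches(SAMPLE_LOG, KNOWN_PATHS).items()):
        for method, requested, canonical, status in rows:
            print(f"{ip} {method} {requested} -> {canonical} ({status})")
```
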