OK Sysadmins, UNIX nerds and web experts.... What do you think about this browser behavior?

64.156.198.76 - - [09/Feb/2003:09:04:18 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [11/Feb/2003:09:09:30 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [12/Feb/2003:09:06:36 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [13/Feb/2003:09:12:25 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [14/Feb/2003:09:12:24 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [15/Feb/2003:09:13:45 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [17/Feb/2003:09:16:48 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [18/Feb/2003:09:14:45 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [19/Feb/2003:09:17:06 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [20/Feb/2003:09:17:56 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [22/Feb/2003:09:15:03 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [23/Feb/2003:09:24:12 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [24/Feb/2003:09:18:32 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [25/Feb/2003:09:14:25 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [26/Feb/2003:09:15:37 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc1; i686 Linux; 20020517)" 0 while1.org
64.156.198.76 - - [27/Feb/2003:09:11:56 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312462)" 0 while1.org
64.156.198.76 - - [28/Feb/2003:09:13:26 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312462)" 0 while1.org
64.156.198.76 - - [01/Mar/2003:09:16:02 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc6; i686 Linux; 20020812)" 0 while1.org
64.156.198.76 - - [02/Mar/2003:09:15:54 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc4; i686 Linux; 20020917)" 0 while1.org
64.156.198.76 - - [03/Mar/2003:09:12:14 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; i686 Linux; 20020625)" 0 while1.org
64.156.198.76 - - [04/Mar/2003:09:06:20 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312468)" 0 while1.org
64.156.198.76 - - [05/Mar/2003:09:14:45 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc4; i686 Linux; 20020926)" 0 while1.org
64.156.198.76 - - [06/Mar/2003:09:15:45 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc2; i686 Linux; 20020416)" 0 while1.org
64.156.198.76 - - [07/Mar/2003:09:21:08 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc1; i686 Linux; 20020124)" 1 while1.org
64.156.198.76 - - [08/Mar/2003:09:18:01 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc6; i686 Linux; 20021121)" 1 while1.org
64.156.198.76 - - [10/Mar/2003:09:21:36 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc3; i686 Linux; 20020222)" 0 while1.org
64.156.198.76 - - [11/Mar/2003:09:15:58 -0500] "GET /~orion/orchid3.html HTTP/1.1" 302 296 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc2; i686 Linux; 20020708)" 0 while1.org
64.156.198.76 - - [12/Mar/2003:09:16:39 -0500] "GET /~orion/orchid3.html HTTP/1.1" 302 296 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc6; i686 Linux; 20020810)" 0 while1.org

NOTE the version changing randomly and one MSIE version and the time stamps are fucking daily at nearly the same time



OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

NetRange: 64.152.0.0 - 64.159.255.255
CIDR: 64.152.0.0/13
NetName: LC-ORG-ARIN
NetHandle: NET-64-152-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-08
Updated: 2001-05-30

TechHandle: LC-ORG-ARIN
TechName: level Communications
TechPhone: +1-877-453-8353
TechEmail: [email protected]

OrgTechHandle: TPL1-ARIN
OrgTechName: Tech POC LVLT
OrgTechPhone: +1-877-453-8353
OrgTechEmail: [email protected]

OrgAbuseHandle: APL8-ARIN
OrgAbuseName: Abuse POC LVLT
OrgAbusePhone: +1-877-453-8353
OrgAbuseEmail: [email protected]

# ARIN WHOIS database, last updated 2003-03-11 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Any ideas what this is?

Jon Williams (ex machina), Wednesday, 12 March 2003 14:32 (twenty-three years ago)

WOPPA?

Pete (Pete), Wednesday, 12 March 2003 14:50 (twenty-three years ago)

?

Jon Williams (ex machina), Wednesday, 12 March 2003 14:51 (twenty-three years ago)

I would, uh, check your kernel and whatnot.

mark p (Mark P), Wednesday, 12 March 2003 15:08 (twenty-three years ago)

Linux jolt 2.4.18-grsec-1.9.4 #2 Sat Apr 20 03:20:23 EDT 2002 i586 unknown

asshat

Jon Williams (ex machina), Wednesday, 12 March 2003 15:09 (twenty-three years ago)

Have I just been insulted in UNIX?

mark p (Mark P), Wednesday, 12 March 2003 15:13 (twenty-three years ago)

LOOK IT IS PRETTY CLEAR THAT SOMETHING FISHY IS GOING ON. DIFFERENT, SEEMINGLY RANDOM WEB BROWSER VERSIONS GETTING THE *SAME FILE* NEARLY EVERY DAY AT THE SAME TIME....

Jon Williams (ex machina), Wednesday, 12 March 2003 15:17 (twenty-three years ago)

a daily backup / mirror of that page? maybe run from ~orion3's home account?

andy

koogs (koogs), Wednesday, 12 March 2003 15:17 (twenty-three years ago)

~orion is ILXor Ian Johnson. The times are slightly different and I know he's not doing it.

Jon Williams (ex machina), Wednesday, 12 March 2003 15:18 (twenty-three years ago)

or some kind of link-death-checker. i had something once that notified users if i'd changed one of my pages, someone ran a service that did it.

andy

koogs (koogs), Wednesday, 12 March 2003 15:20 (twenty-three years ago)

a twisted bot to flummox sysadmins?

Ed (dali), Wednesday, 12 March 2003 15:21 (twenty-three years ago)

google for "64.156.198.76" ... this is some kind of crazy bot

Jon Williams (ex machina), Wednesday, 12 March 2003 15:27 (twenty-three years ago)

a very mild DDOS attack 8)

andy

koogs (koogs), Wednesday, 12 March 2003 15:28 (twenty-three years ago)

bizarre nslookup leads back to http://unknown.level3.net/ which is not very informative

Ed (dali), Wednesday, 12 March 2003 15:29 (twenty-three years ago)

is anything trying to hit other ports from that address?

Ed (dali), Wednesday, 12 March 2003 15:30 (twenty-three years ago)

Nope! Can someone else running a big site grep for this ip in their log?

Jon Williams (ex machina), Wednesday, 12 March 2003 15:32 (twenty-three years ago)

Grepping my server logs, this seems to have happened to several of the sites I admin, for patches of about three weeks at a time. The logs I have to hand go back to last August, and it's been happening since then. Some sites were scanned daily, some every four or five days, and the timestamps vary by about three or four hours in each case.

caitlin (caitlin), Wednesday, 12 March 2003 15:52 (twenty-three years ago)

were they hitting only one file?

Jon Williams (ex machina), Wednesday, 12 March 2003 15:58 (twenty-three years ago)

They kept hitting the same file on each site, I think; I've only skimmed through the data at the moment. In most cases they were requesting the site's root dir.

caitlin (caitlin), Wednesday, 12 March 2003 16:02 (twenty-three years ago)

It's all very bizarre.

Some sites have had one or two hits from this IP in the past 9 months or so. Most have had one every three or four days for a few weeks or so; it then stops. Some sites have one or two hits per day, for three or four weeks; then it stops. One site, since early November, has been getting 8 hits per day, always at around the same time with about a minute between each.

In most cases, the root dir is being requested. Some sites have requests for two or three different pages, and some of the pages that are being requested are ones that have been 404's for a couple of years or so.

The browser ID string was constant until about a month ago, after which it started changing. There's no referrer information. All the requests seem to be for directories or html files.

If anyone is really bothered about this, I can send them the relevant log extracts.

caitlin (caitlin), Wednesday, 12 March 2003 17:08 (twenty-three years ago)
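An added example, not code posted by anyone in this thread: a small log profiler that scores what the opening post shows (one client, one path, visits at almost the same time of day, a User-Agent that changes from visit to visit, never a Referer). The gap test is "a whole number of days, give or take half an hour", so it also matches the every-three-or-four-days cadence caitlin describes above, and the network filter is the wider 64.156.198.0/24 grep from the thread. It assumes the two trailing fields on each line ("0 while1.org") are a custom LogFormat (request time and virtual host) and ignores them; the function names parse, profile and flags are mine. Six sample lines are copied from the opening post, the two from 192.0.2.10 are constructed to stand in for an ordinary visitor.

```python
# Added example for this thread (not posted by any participant): flag a scripted
# fetcher in Apache combined-format access logs. Assumptions: combined format
# with extra trailing custom fields after the User-Agent, which are ignored.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Combined log format; anything after the quoted User-Agent is left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# First six lines copied from the opening post; the two 192.0.2.10 lines are
# constructed (documentation address, a Referer, times spread across the day).
SAMPLE_LOG = """\
64.156.198.76 - - [09/Feb/2003:09:04:18 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [11/Feb/2003:09:09:30 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [12/Feb/2003:09:06:36 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)" 0 while1.org
64.156.198.76 - - [26/Feb/2003:09:15:37 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc1; i686 Linux; 20020517)" 0 while1.org
64.156.198.76 - - [27/Feb/2003:09:11:56 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312462)" 0 while1.org
64.156.198.76 - - [01/Mar/2003:09:16:02 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc6; i686 Linux; 20020812)" 0 while1.org
192.0.2.10 - - [27/Feb/2003:18:41:07 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "http://example.org/links.html" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5)" 0 while1.org
192.0.2.10 - - [03/Mar/2003:02:13:55 -0500] "GET /~orion/orchid3.html HTTP/1.1" 200 6574 "http://example.org/links.html" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5)" 0 while1.org
"""


def parse(lines):
    """Return one dict per line LOG_RE understands; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # %z accepts the "-0500" form Apache writes, so timestamps stay comparable
        # even if the server's offset changes mid-log (e.g. at a DST switch).
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def profile(records, network="0.0.0.0/0", tolerance_min=30):
    """Per (client IP, path): hit count, distinct User-Agents, whether a Referer
    was ever sent, and the fraction of gaps between visits that sit within
    tolerance_min of a whole number of days (the "same time every day" signal).
    network restricts the view to one block, e.g. "64.156.198.0/24"."""
    net = ipaddress.ip_network(network)
    groups = defaultdict(list)
    for r in records:
        if ipaddress.ip_address(r["ip"]) in net:
            groups[(r["ip"], r["path"])].append(r)
    out = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["when"])
        pairs = list(zip(rs, rs[1:]))
        aligned = 0
        for a, b in pairs:
            hours = (b["when"] - a["when"]).total_seconds() / 3600
            off = hours % 24                     # hours past the nearest earlier day mark
            dist_min = min(off, 24 - off) * 60   # ...or short of the next one, in minutes
            if dist_min <= tolerance_min:
                aligned += 1
        out[key] = {
            "hits": len(rs),
            "user_agents": len({r["ua"] for r in rs}),
            "no_referer": all(r["referer"] == "-" for r in rs),
            "aligned_fraction": aligned / len(pairs) if pairs else 0.0,
        }
    return out


def flags(p, min_hits=4, min_aligned=0.8):
    """Reasons a profile looks scripted; an empty list means nothing stood out."""
    reasons = []
    if p["hits"] >= min_hits and p["aligned_fraction"] >= min_aligned:
        reasons.append("visits land at the same time of day (modulo whole days)")
    if p["user_agents"] > 1:
        reasons.append("%d different User-Agent strings from one address" % p["user_agents"])
    if p["hits"] >= min_hits and p["no_referer"]:
        reasons.append("never sends a Referer")
    return reasons


if __name__ == "__main__":
    for (ip, path), p in profile(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, path, p["hits"], "hits:", flags(p) or "looks ordinary")
```

Run it as is and the 64.156.198.76 entry gets all three flags while the 192.0.2.10 visitor gets none. No single signal is conclusive on its own: a NAT gateway or proxy legitimately shows many User-Agents from one address, and a logfile in local time will shift the "same time of day" by an hour across a DST change, which is why the day-multiple check takes a tolerance rather than an exact match. Pass network="64.156.198.0/24" to profile to repeat caitlin's wider grep on your own logs.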

I'm thinking about emailing level3.net

Jon Williams (ex machina), Wednesday, 12 March 2003 17:39 (twenty-three years ago)

whoa all of 64.156.198.* is doing this and seems mostly to be hitting lyrics files.....

Jon Williams (ex machina), Wednesday, 12 March 2003 19:17 (twenty-three years ago)

Doing a wider grep for 64.156.198.*, it seems that the reason it only seemed to be happening for a few weeks on each site before is that the IP scanning one site switches occasionally. There still seem to be odd gaps in the logs, though, so I suspect it might be using a wider IP range.

caitlin (caitlin), Thursday, 13 March 2003 11:53 (twenty-three years ago)

Well, I can't have too many people using Konqueror.

Jon Williams (ex machina), Thursday, 13 March 2003 17:50 (twenty-three years ago)

