Re: gw.ocg-corp.com

From: Jordan K Wiens (jwiens@nersp.nerdc.ufl.edu)
Date: 05/13/02


Date: Mon, 13 May 2002 17:54:58 -0400 (EDT)
From: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
To: <netscience@hushmail.com>

I've seen a ton of those hits as well. The software that is doing the
spidering can be downloaded here:
http://larbin.sourceforge.net/index-eng.html

Always entertaining is to follow links like:
http://IP.OF.LARBIN:8081/
Get all sorts of neat stats on the crawler.

Especially good is:
http://aa.bb.cc.dd:8081/ip.html
Which is fun for finding random links or seeing where the crawler is going.

Not really sure what they're doing with the data from this thing, or what
it's after, but I have seen it as well. The most interesting thing about
it is the WinampMPEG string. The crawler will hit up and (I suppose)
follow robots.txt files, at least it looks like it does from my logs of
larbin crawls.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 13 May 2002 netscience@hushmail.com wrote:

> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > gw.ocg-corp.com - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2@unspecified.mail" > gw.ocg-corp.com - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbin@unspecified.mail" > > Anyone know who or what this is gw.ocg-corp.com been running rampant through the logs the past 72 hours, following links even with noindex applied, no info on any google searches except last few days indexing same, no whois, nothing. Been snooping around the site over and over again, all pages, using different user agents in the last 72 hours. > > Annoying as hell > > > .. > -----BEGIN PGP SIGNATURE----- > Version: Hush 2.1 > Note: This signature can be verified at https://www.hushtools.com > > wl4EARECAB8FAjzgMyYYHG5ldHNjaWVuY2VAaHVzaG1haWwuY29tAAoJECFLG0i2k7ir > NhQAl3ZWuDE9OBKEEbZLyOr2AGcI4TEAn1BxSYp3+CW1QE9yu/Btzi60RJGH > =WTBP > -----END PGP SIGNATURE----- > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > >

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • RE: Kuang2 strikes again, is it just me?
    ... I've only taken 5 hits on it but I'm on an Arizona dialup. ... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • RE: Unusual volume: UDP:137 probes
    ... network yesterday, 5 today. ... > Sep 20 2 hits ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: CodeBlue finally hitting, or what?
    ... CodeBlue finally hitting, or what? ... I've gotten 721 hits just today for cmd.exe of some sort. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • More one NASA management
    ... I have seen pictures of satellites from the ground years ago ... "Three hundred and eight hits were counted during the inspection, ... with depths measuring up to 1 1/2 inches. ... Considering those facts known since 97 how the hell could management ...
    (sci.crypt)
  • send as questions
    ... I have a user who I created in Active Directory named Project ... I have gone in and given them the necessary permissions in both Active ... If he hits the From: button and selects the user: ... Project Management from his Address Book, he is able to send the ...
    (microsoft.public.exchange.admin)