ec2-54-236-62-49.compute-1.amazonaws.com | ToothyWiki | ToothyWikiInternals | RecentChanges | Login | Webcomic

This, when I feel like it, will be updated with IP addresses of machines doing various sorts of scans on the webserver.
This will mostly be useless, since a lot of them are dynamic; it might be interesting, though.

Unregulated robot at started crawling our website about 11:24am. It ignored the robots.txt file and crawled through the wiki history and search namespaces, at the rate of several dozen hits per second, effectively DOSing the wiki. Requests from that IP address are now blocked.

CodeRed-infested machines

cust-479.adsl.bestweb.net - looks static - doesn't resolve

People looking for somewhere to forward spam through

pool-141-150-114-101.mad.east.verizon.net - bleh. Dialup pool. Can't do much with that.
Sure you can, you can block verizon.net.  Along with *bt* and *aol*  You'll cut down on problems significantly then.

Other stuff

host57-142.pool80181.interbusiness.it tried to get the webserver to proxy a connection to the FTP port on Why would someone want to do that?

To hide their tracks?  Presumably the logs on the ftp site would show access from your machine rather than the originating machine (which may well not be host57-142... but a machine using that one as a proxy, etc.) - Kazuhiko

We've been royally scanned (source IP This is the most comprehensive scan the webserver's had yet - does anyone recognise the tool used?
(PeterTaylor) Don't recognise the tool per se, but I recognise the scan. Someone tried that on my server a while back, and they hold the record for the most aggressive scan, though not the fastest. Took them over two minutes to perform 506 requests.
Hm. The machine in question is an open proxy, as Google: %22195%2E65%2E2%2E18%22 reveals. A good list of IP addresses to block there, methinks..

I'll add my (not very current) list of idiots:

More idiots.. 09:59:55 "GET /cgi-bin/formmail.pl HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-" 09:59:56 "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
Hm. Why is the word "TOOTHYCAT" in capitals? Where can they have picked that up from? 12:13:34 "\x04\x01" 501 - "-" 12:13:55 "\x05\x01\x02" 501 - "-"
WTH is that meant to be..?

ec2-54-236-62-49.compute-1.amazonaws.com | ToothyWiki | ToothyWikiInternals | RecentChanges | Login | Webcomic
Edit this page | View other revisions | Recently used referrers
Last edited September 20, 2003 12:13 pm (viewing revision 12, which is the newest) (diff)