Security Incidents mailing list archives

RE: Cobalt Scan


From: Tom Laermans <tom.laermans () powersource cx>
Date: Mon, 30 Jul 2001 20:18:29 +0200

Hi,


> Name:    ariston.netcraft.com
> Address:  195.92.95.61

I've made the double check and used netcraft to examine one of my servers.
The results are different from the request for cobalt-images seen so far:

wooster.netcraft.com - - [27/Jul/2001:13:07:03 +0200] "HEAD / HTTP/1.1" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
jumble.netcraft.com - - [28/Jul/2001:23:57:51 +0200] "HEAD / HTTP/1.0" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"

These aren't cobalt-images requests, are they?

So it isn't the normal probe that everybody can use, but something special.
Speculations about the intended usage of the data are left to the reader.

I think it's something like this:

1) When you do a scan yourself on your server, you get what you see above,
2) When netcraft scans you automatically (daily I think, if you're in the correct queue) it uses the other way (the way you have seen before).

I don't know if this is correct, I have not checked and cannot check in the very near future :-/

HTH,

Tom

-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out:  http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
-------------------------------------------------

