Security Incidents mailing list archives

Re: gw.ocg-corp.com


From: Will Aoki <waoki () umnh utah edu>
Date: Mon, 13 May 2002 16:19:45 -0600

On Mon, May 13, 2002 at 02:43:28PM -0700, netscience () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> gw.ocg-corp.com - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2 () unspecified mail"
> gw.ocg-corp.com - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbin () unspecified mail"
>
> Anyone know who or what this is gw.ocg-corp.com been running rampant
> through the logs the past 72 hours, following links even with noindex
> applied, no info on any google searches except last few days indexing
> same, no whois, nothing. Been snooping around the site over and over
        ^^^^^^^^

You'll get better log data if you set "HostnameLookups off" in your
Apache (I assume you're running Apache) config file. Whatever IP has
been hitting you has number->name DNS set to point to gw.ocg-corp.com,
but since ocg-corp.com doesn't exist (and Apache doesn't verify that
results it gets from number->name lookups are valid before logging
them), the log entry is mostly worthless for determining source.

But...

A grep of my web server logs for 'larbin' turned up 14 entries so far
today, all from 209.126.176.3, which may be your match:

--- cut ---
$ host 209.126.176.3
Name: gw.ocg-corp.com
Address: 209.126.176.3

$ host gw.ocg-corp.com
gw.ocg-corp.com does not exist, try again
$ whois 209.126.176.3
California Regional Internet, Inc. (NETBLK-CARI)
   8929A COMPLEX DRIVE
   SAN DIEGO, CA 92123
   US

   Netname: CARI
   Netblock: 209.126.128.0 - 209.126.207.255
   Maintainer: CALI

   Coordinator:
      California Regional Intranet, Inc.  (IC63-ARIN)  sysadmin () cari net
      858-974-5080

   Domain System inverse mapping provided by:

   NS1.ASPADMIN.COM             216.98.128.74
   NS2.ASPADMIN.COM             216.98.128.75

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 18-Mar-2002.
   Database last updated on  12-May-2002 19:57:36 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
$
--- cut ---

Broken rdns BAD!


However, it wasn't hitting my server anywhere near hard enough to
cause problems. Except for requests for robots.txt, which usually were
immediately followed by another request, the minimum time observed
between requests was a respectable 30 seconds, and it seemed to obey
the restrictions given in my robots.txt.


Larbin (http://larbin.sourceforge.net/index-eng.html), the program
hitting your server, is a web crawler.

> again, all pages, using different user agents in the last 72 hours.

-- 
William Aoki     waoki () umnh utah edu       /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734                    X
                                           / \

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
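The two points made in the reply above (an unverified PTR name in the access log tells you nothing about the source, and a grep for the crawler's User-Agent string plus request timing tells you how hard it is really hitting you) worked through as an added example. This is not code from the post or from its author; the address 209.126.176.3 and the name gw.ocg-corp.com are taken from the post, while the other addresses, names and log lines are constructed placeholders, and DNS answers come from two small dicts standing in for PTR and A lookups so the script runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over Apache access-log lines.

Added example, not code from the original post. 209.126.176.3 and
gw.ocg-corp.com come from the post; everything else is constructed.
The PTR/A dicts are stand-ins for the resolver; a real run would use
socket.gethostbyaddr / socket.gethostbyname_ex instead.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format. With "HostnameLookups off" the first field is
# the client IP; with it on, it is whatever the PTR record said, unverified.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed resolver tables. gw.ocg-corp.com is deliberately absent from A:
# the name does not resolve forward, exactly the situation in the post.
PTR = {
    "209.126.176.3": "gw.ocg-corp.com",    # from the post
    "192.0.2.10": "crawler.example.net",   # placeholder, consistent pair
    "198.51.100.7": "www.example.org",     # placeholder, PTR names someone else's host
}
A = {
    "crawler.example.net": ["192.0.2.10"],
    "www.example.org": ["203.0.113.5"],
}

# Constructed sample log, as it would look with HostnameLookups off.
LOGS = """\
209.126.176.3 - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2 (constructed)"
209.126.176.3 - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbin (constructed)"
209.126.176.3 - - [12/May/2002:20:31:05 -0400] "GET /robots.txt HTTP/1.0" 200 28 "-" "Mozilla/4.0 larbin2.6.2 (constructed)"
192.0.2.10 - - [12/May/2002:20:32:00 -0400] "GET /index.html HTTP/1.0" 200 18141 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
198.51.100.7 - - [12/May/2002:20:33:00 -0400] "GET / HTTP/1.0" 200 18141 "-" "larbin_2.6.2 (constructed)"
"""


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def min_gap_seconds(times):
    """Smallest interval between consecutive requests (None with fewer than two).
    The post judged the crawler's pace by this figure."""
    if len(times) < 2:
        return None
    ordered = sorted(times)
    return min((b - a).total_seconds() for a, b in zip(ordered, ordered[1:]))


def fcrdns(ip, ptr=PTR, a=A):
    """Classify an IP's reverse mapping as (status, ptr_name).

    no-ptr: no PTR record; no-forward: PTR names a host that does not resolve
    (the post's case); mismatch: the host's A records do not include ip;
    confirmed: ip is among the A records of its own PTR name. Only
    'confirmed' says anything about who is behind the address.
    """
    name = ptr.get(ip)
    if name is None:
        return ("no-ptr", None)
    addrs = a.get(name)
    if addrs is None:
        return ("no-forward", name)
    return ("confirmed", name) if ip in addrs else ("mismatch", name)


def display_host(ip):
    """Report label: always the IP, the PTR name only when it is confirmed."""
    status, name = fcrdns(ip)
    if status == "confirmed":
        return f"{ip} ({name})"
    return f"{ip} (PTR {name!r} {status})" if name else f"{ip} (no PTR)"


def crawler_report(log_text, marker="larbin"):
    """Per-IP hits, minimum request gap and FCrDNS status for lines whose
    User-Agent contains marker (case-insensitive), like the post's grep."""
    report = defaultdict(lambda: {"hits": 0, "times": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or marker.lower() not in entry["agent"].lower():
            continue
        info = report[entry["host"]]
        info["hits"] += 1
        info["times"].append(datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z"))
    for ip, info in report.items():
        info["fcrdns"] = fcrdns(ip)[0]
        info["label"] = display_host(ip)
        info["min_gap_s"] = min_gap_seconds(info["times"])
    return dict(report)


if __name__ == "__main__":
    for info in crawler_report(LOGS).values():
        print(f"{info['label']}: {info['hits']} hits, min gap {info['min_gap_s']} s")
```

The 1-second minimum gap for 209.126.176.3 in the sample comes from the robots.txt fetch immediately followed by a page request, the same pattern the reply notes; filtering out robots.txt lines before computing the gap gives the figure that actually reflects crawl pace.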
