OK, this is getting weird…
Look at this web site.
Now look at these web logs:
worm.polski-cukier.pl - - [26/Oct/2004:06:11:25 -0500] "GET /mt/archives/000128.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:06:11:27 -0500] "GET /mt/archives/000128.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:11:18 -0500] "GET /mt/archives/000647.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:14:25 -0500] "GET /mt/archives/000738.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:14:28 -0500] "GET /mt/archives/000738.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:20:54 -0500] "GET /mt/archives/000597.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
These guys are all over the site.
THEY MAKE SUGAR!!! What do they need a worm for?
What’s with that referer? It’s not resolvable, it’s not in a RIPE netblock…
The DNS for worm looks right to me - I’m no expert… you can forward and reverse resolve it, so I don’t think it’s spoofed.
Weird, eh? I just can’t imagine what a sugar manufacturer needs a web-crawler for!
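
The pattern in the log excerpt above (one client, every request a 404, a Referer that is a bare IP address) can be pulled out of an access log mechanically. This is an added example, not part of the original post: the first four sample lines are copied from the post, the fifth is constructed, and the function names and the three-request threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# First four lines are from the post; the last one is a constructed ordinary visit.
SAMPLE = '''
worm.polski-cukier.pl - - [26/Oct/2004:06:11:25 -0500] "GET /mt/archives/000128.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:11:18 -0500] "GET /mt/archives/000647.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:14:25 -0500] "GET /mt/archives/000738.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
worm.polski-cukier.pl - - [26/Oct/2004:08:20:54 -0500] "GET /mt/archives/000597.html HTTP/1.0" 404 291 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
client.example.net - - [26/Oct/2004:09:02:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.org/links.html" "Mozilla/5.0 (constructed sample)"
'''

def referer_is_ip_literal(referer):
    """True when the Referer's host part is a bare IP address, not a name."""
    host = urlsplit(referer).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Group requests by client host and collect the traits the post points out."""
    clients = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                   "paths": set(), "ip_referers": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank or non-combined-format line
        c = clients[m["host"]]
        c["requests"] += 1
        c["not_found"] += m["status"] == "404"
        c["paths"].add(m["path"])
        if referer_is_ip_literal(m["referer"]):
            c["ip_referers"].add(m["referer"])
    return dict(clients)

def suspicious(summary, min_requests=3):
    """Clients whose requests all returned 404 and carried an IP-literal Referer."""
    return sorted(h for h, c in summary.items()
                  if c["requests"] >= min_requests
                  and c["not_found"] == c["requests"] and c["ip_referers"])
```
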
