Unusual GET requests

Hmmm, this is probably offtopic, but I can't seem to find anything online
which explains this and I've never seen it before.

Maybe someone else here has seen this in their logs or has any idea what
would do this?

Its obviously trying to gather some sort of information, could it be a
prelude to some sort of DoS or exploit thats not publically known yet?

68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404
322
"-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404
322
"-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404
322
"-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404
322
"-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404
322
"-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /PAD-FILE HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-file HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /pad-File HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] "GET /Pad-File HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PadFiles HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /Padfiles HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /PADFILES HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] "GET /padfiles HTTP/1.1" 404
321 "
-" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PadFile HTTP/1.1" 404
320 "-
" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Padfile HTTP/1.1" 404
320 "-
" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADFILE HTTP/1.1" 404
320 "-
" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /padfile HTTP/1.1" 404
320 "-
" "libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /Pads HTTP/1.1" 404 317
"-" "
libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] "GET /PADS HTTP/1.1" 404 317
"-" "
libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pads HTTP/1.1" 404 317
"-" "
libwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316
"-" "l
ibwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316
"-" "l
ibwww-perl/5.65"
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316
"-" "l
ibwww-perl/5.65"

Thanks to everyone who's responded. We were a bit concerned because of all
the lovely new exploits going around as of late, and had no idea what it was
up to (considering it was coming from a cable modem, it threw up a red
flag).

Sorry to bother everyone :slight_smile:

That's VeriSign's new spell corrector DNS wildcard.

:slight_smile:

Though it appears that you've been able to collect some off-list
factoids, I think that a little open forum speculation regarding
the squawking in your logs might be beneficial to others on the
list, so as follows is my $0.02(nego).

It's my patently paranoid impression that the gloveless probing
you're seeing is the work of a curious and sleazy little spider,
called by way of perl to scour your playground for PAD-files.
While PAD files can be used to contribute to a philanthropic
information-sharing/snaring schema, drilling down several links
into a page served up by such a query makes quickly available a
buffet of email addresses.

This, coupled with the always suspicious poking being done by a
cable user, suggests that the spider is being brought to you by
a compromised host at the other end of that modem, for the purposes
of harvesting email addresses, and...you guessed it...spamming.

My advice to you is to hound the offender's ISP, and have fun doing it.
:slight_smile:

ymmv,
--ra