Simple Nomad's Blog


03Sep2007 - Weird Searches

How about some fun with logs? Getting the referring websites to the NMRC web server can be interesting. Normally logs are deleted within a few days, however I was working on a problem and kept them around for a couple of months, and I decided to poke around in them. Found some real gems.

Nothing like a good old-fashioned fool fuck:

84.159.252.208 - - [04/Aug/2007:06:08:08 -0700] "GET /pub/fool/2003/index1.html
HTTP/1.1" 200 2150 "http://www.google.de/search?q=fool+fuck&hl=de&client
=firefox-a&channel=s&rls=org.mozilla:de-DE:official&hs=eXy&start=10&sa=N" "Mozi
lla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.6) Gecko/20070725 Firefox/2.0
.0.6"

I bet looking at a ppt is not what this person wanted:

83.137.60.34 - - [25/Jul/2007:02:15:43 -0700] "GET /pub/present/shmoocon-2006-s
n.ppt HTTP/1.1" 206 171520 "http://search.yahoo.com/search?ei=UTF-8&n=10&va_vt=
any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=ppt&vm=p&fl=0&fr=yfp-t-465&fp_ip=IT&
p=fucking+machine" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

If anyone could come up with this recipe, it is Weasel....

67.189.10.74 - - [19/Jul/2007:15:17:57 -0700] "GET /~weasel/chai/index.html HTT
P/1.1" 200 13232 "http://www.google.com/search?hl=en&safe=off&rls=GGLJ,GGLJ:200
6-49,GGLJ:en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=recipe+for+a+cup+of+go+
fuck+yourself&spell=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 
FunWebProducts; .NET CLR 1.1.4322)"

Remind me to never travel with this guy:

207.229.151.77 - - [29/Jul/2007:12:00:57 -0700] "GET /new/index.html HTTP/1.1" 
200 1778 "http://www.google.com/search?hl=en&safe=off&rlz=1B3GGGL_enUS177US227&
q=%22anal+hotel%22&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1
; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5"

Friend from Italy, you have come to the right place for all of your slave needs:

151.41.152.76 - - [22/Jul/2007:19:21:31 -0700] "GET /~hellnbak/spamcunt.txt HTT
P/1.1" 200 12100 "http://www.google.it/search?hl=it&q=asian+slavegirl&me
ta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; snprtz|S04024449902407
; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Where in the world is that damned Kaminsky?

209.194.99.210 - - [25/Jul/2007:06:24:40 -0700] "GET /~thegnome/blog/jan06/inde
x.html HTTP/1.1" 200 26790 "http://www.google.com/search?hl=en&q=dam+kaminsk
i" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR
 2.0.50727; .NET CLR 3.0.04506.30)"

Mexico is weird.

189.143.16.236 - - [14/Jul/2007:21:16:12 -0700] "GET /~thegnome/chai.html HTTP/
1.1" 200 8233 "http://www.google.com.mx/search?hl=es&client=firefox-a&rls=org.m
ozilla%3Aes-ES%3Aofficial&hs=HyF&q=get+milk+box+blur&btnG=Buscar&meta=" 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.4) Gecko/20070515 Fir
efox/2.0.0.4"

How to use L0pht? Throw VC at them, and then run them ragged doing consulting without letting them do the research you promised they could do? Might that work?

207.192.247.163 - - [04/Aug/2007:16:52:44 -0700] "GET /pub/faq/hackfaq/hackfaq-
13.html HTTP/1.1" 200 9713 "http://www.google.com/search?hl=en&q=how+to+use+
l0pht" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Sometimes we (NMRC) get our pages blocked (e.g. Websense), the URL appears on a report, the admin clicks on the link on the report to see where the blocked user tried to go, and we get a nice referral in the logs.

The Missouri Department of Natural Resources thinks security advisories are "Criminal Skills", or at least their web blocker does...

168.166.196.40 - - [20/Jul/2007:09:39:41 -0700] "GET /pub/advise/20060114.txt H
TTP/1.1" 200 9933 "http://10.18.3.58:9014/actionpage?basictype=warn&epochsecond
s=1184949570&requestedurl=http%3A%2F%2Fwww.nmrc.org%2Fpub%2Fadvise%2F20060114.t
xt&categorylist=109&categorydescriptionlist=Criminal%20Skills&useripaddress=10.
18.11.11&username=ADS%5Cnrthomf&actiontaken=warn&actionreason=by-category&actio
nreasondata=109&replayhash=rbQLSQxEK9UsKOtqE%2Bd0SA%3D%3D" "Mozilla/4.0 (compat
ible; MSIE 6.0; Windows NT 5.1; SV1)"

Blocked at mcleancountyil.gov, the admin checked up on it:

216.201.120.90 - - [30/Jul/2007:10:34:29 -0700] "GET /pub/advise/20060114.txt H
TTP/1.1" 200 9933 "http://10.10.1.50:15871/cgi-bin/blockOptions.cgi?ws-session=
3524071954" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.43
22; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

Unsure who is on the nightshift in this small company, but they let the employees check us out after hours...

24.196.120.114 - - [17/Jul/2007:05:41:17 -0700] "GET /pub/faq/hackfaq/hackfaq-1
1.html HTTP/1.1" 200 22179 "http://10.1.1.75:15871/cgi-bin/afterWorkOptions.cgi
?ws-session=2684381556" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
; .NET CLR 1.1.4322)"
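
The web-filter referrals above all share one trait: the Referer host is an RFC 1918 address, and its query string carries whatever the filter console put in its own URL. As an added example (not part of the original post), this Python sketch finds such entries in a combined-format access log and lists what each one discloses. It assumes one unwrapped entry per line, and the sample entries are constructed, reusing only parameter names that appear in the logs above.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the format of the entries shown above.
COMBINED = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal_referrer(line):
    """Return what a Referer with an RFC 1918 host discloses, else None."""
    m = COMBINED.match(line)
    if not m:
        return None
    try:
        ref = urlsplit(m.group("referer"))
        addr = ipaddress.ip_address(ref.hostname or "")
        port = ref.port
    except ValueError:  # "-", a DNS name, or a malformed URL
        return None
    if not any(addr in net for net in RFC1918):
        return None
    return {
        "client": m.group("client"),
        "console": f"{addr}:{port}" if port else str(addr),
        "page": ref.path,
        "leaked": {k: v[0] for k, v in parse_qs(ref.query).items()},
    }

def scan(lines):
    """Return the disclosure record for every entry with an internal Referer."""
    return [hit for hit in map(internal_referrer, lines) if hit]

# Constructed sample entries (documentation addresses, made-up user and session).
SAMPLE = [
    '198.51.100.7 - - [20/Jul/2007:09:39:41 -0700] "GET /advisory.txt HTTP/1.1" 200 9933 '
    '"http://10.0.0.5:9014/actionpage?categorydescriptionlist=Criminal%20Skills'
    '&useripaddress=10.0.0.23&username=CORP%5Cjdoe&actiontaken=warn" "Mozilla/4.0"',
    '198.51.100.9 - - [30/Jul/2007:10:34:29 -0700] "GET /advisory.txt HTTP/1.1" 200 9933 '
    '"http://10.0.0.50:15871/cgi-bin/blockOptions.cgi?ws-session=1234567890" "Mozilla/4.0"',
    '198.51.100.11 - - [04/Aug/2007:16:52:44 -0700] "GET /faq.html HTTP/1.1" 200 9713 '
    '"http://www.google.com/search?hl=en&q=example" "Mozilla/4.0"',
    '198.51.100.12 - - [04/Aug/2007:16:53:01 -0700] "GET /faq.html HTTP/1.1" 200 9713 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Run against your own outbound proxy logs instead of inbound ones, the same check shows which internal consoles are handing their URLs to external sites.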