What’s wrong with 209.88.228.11 and/or Konqueror?

Filed under The Web by adam | October 4, 2005 | 2922 hits | 6 comments

Today I received over 100,000 hits like this: 

 209.88.228.11 - - [04/Oct/2005:16:57:52 -0400] "PROPFIND /error/notfound.html/ HTTP/1.1" 302 240 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"

It looks like the person actually came to my site for a legitimate reason: 

 209.88.228.11 - - [04/Oct/2005:09:50:41 -0400] "GET /weblog/2005/08/ HTTP/1.1" 200 53323 "http://www.google.com/search?hl=en&ie=UTF-8&q=download+growisofs+5.21+debian&spell=1" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"

and then wanted to see the contents of my /blogimages directory. That directory (where I store images that appear on this blog) cannot be publicly viewed: 

 209.88.228.11 - - [04/Oct/2005:09:52:19 -0400] "PROPFIND /blogimages/ HTTP/1.1" 302 239 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)" 209.88.228.11 - - [04/Oct/2005:09:52:19 -0400] "PROPFIND /error/notfound.html/ HTTP/1.1" 302 239 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"

But why would this failed request repeat more than 100,000 times, basically every second for hours? Is this a very bad konqueror behavior, or a well camouflaged denial-of-service attack, or something else entirely? This kind of thing could generate some bad press for free software unless there’s a good explanation (“Konqueror security hole swamps innocent websites,” etc..).

6 comments

  1. Josh Triplett Jan 28

    I’m not sure why that would happen; one thing that looks suspicious, however, is the fact that there is a trailing slash on /error/notfound.html/, which looks rather odd. Perhaps Konqueror has different expectations when it thinks the target is a directory? The behavior you saw could be the result of what it interprets as an infinite redirect; are you sure that the error page doesn’t give another error code? I notice that the retrieval of the /error/notfound.html page shows a 302. It also seems strange that they would arrive at /error/notfound.html when trying to access /blogimages/ , since /blogimages/ leads to /error/forbidden.html .

    BTW, it is possible that they could be accessing the web through a brain-dead proxy, so it might or might not be Konqueror’s fault.

    Also, a minor HTML error I noticed when looking at that error page: the top level heading starts with h1, but ends with h2.

  2. Nikita Youshchenko Jan 28

    It could be a konqueror window (probably lost on the screen) with per-second auto-refresh occasionally turned on.

  3. Brian M. Carlson Jan 28

    Konqueror doesn’t use DAV unless someone is trying to use WebDAV from remote:/ , so it is most likely that someone is trying to access your server using WebDAV. In such a case, it would be like someone connecting to the server to be able to drag and drop. With normal HTTP, Konqueror should never issue a PROPFIND, because the server might not support it (mine doesn’t, for example).

  4. NelsonFx Jan 28

    hi, i meet the people that have thar ip, if you contact me and give more information about the log i can contact them to see wtf it’s happen, thanks i dont think that it’s a konqueror problem, that version only i seeit in knoppix 3.9/4 or usin the experimental kde4.1 packages. please contact me (Y)

  5. sunny Jan 28

    I do not think this is a konqueror issue. I recieved similar pattern in my log files. Site running on Unix

  6. sunny Jan 28

Leave a Reply

(Markdown Syntax Permitted)