TL32Sn – feeder for cz32ts?
Perhaps TL32Sn’s role in life is to build a list of URLs for cz32ts to try? Perhaps the “inurl” part of TL32Sn’s query represents a fingerprint search for known vulnerable web apps? Once it’s done the Google search and has got a list of results (shortened by the presence of the seemingly irrelevant keyword), does it phone these home to 126.96.36.199 for cz32ts to check out later on?
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk