Wow. We're slow. Took us /way/ too long to discovery that when the server said we weren't being fast enough, we should use Google SPDY. 

Even then, we were never able to figure out the other part which was to simply guess /cgi-bin/ (which produced a different error than entering other non-existant directories), then brute-force known cgi-bin exploits, find phf [http://insecure.org/sploits/phf-cgi.html]