Re: strange web traffic
bugtraq_at_cgisecurity.net
Date: 08/26/03
To: pall@fa.is (Pall Thayer)
Date: Tue, 26 Aug 2003 12:06:06 -0400 (EDT)
This is probably one of two things.
1. Web spiders indexing your site. They will not always hit these files in the same order.
2. A web scanner grabbing banners looking for a particular type of vulnerable machine.
- admin@cgisecurity.com
>
> For the past week and a half or so, I've been noticing several strange
> entries in my webserver access log. Although they appear harmless, the
> volume of the requests worries me a bit. Here's what they look like:
>
> 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> 65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> 66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> What makes them strange is that when my server receives a request for the
> root file, it should result in five separate requests. A legitimate request
> looks like this:
>
> 81.224.245.151 - - [26/Aug/2003:08:11:34 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /interf.html HTTP/1.1"
> 200 16238 "http://130.208.220.190/" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98; Win 9x 4.90)"
> 81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /shock2.html HTTP/1.1"
> 200 1647 "http://130.208.220.190/" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98; Win 9x 4.90)"
> 81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /isjs.gif HTTP/1.1" 200
> 692 "http://130.208.220.190/interf.html" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98; Win 9x 4.90)"
> 81.224.245.151 - - [26/Aug/2003:08:11:36 +0000] "GET /isjs2.swf HTTP/1.1"
> 200 11768 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>
> The dodgy ones only appear once and another thing that makes them strange is
> that aside from the IP number, they are all identical:
>
> GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> I managed to retrieve some info on one of the machines and found out that it
> was running Windows 2000, not 98.
>
> Anyone have any info on this?
>
>
>
> Pall Thayer
> artist/teacher
> Fjolbrautaskolinn vid Armula
> http://www.this.is/pallit
> http://www.this.is/pallit/isjs
> http://www.this.is/pallit/harmony
> http://130.208.220.190/panse
>
>
>
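One way to pull the pattern described in the quoted message out of an access log, as an added example that is not part of the original thread: it flags every `GET /` that is not followed by another request from the same address within a short window, then groups the flagged addresses by User-Agent. The function names and the 10-second window are assumptions; the sample input is a subset of the log entries quoted above with the wrapped lines re-joined.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, matching the entries quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Sample input: a subset of the post's log entries, with wrapped lines re-joined.
SAMPLE_LOG = """\
218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
81.224.245.151 - - [26/Aug/2003:08:11:34 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /interf.html HTTP/1.1" 200 16238 "http://130.208.220.190/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /isjs.gif HTTP/1.1" 200 692 "http://130.208.220.190/interf.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
"""

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def root_only_clients(log_text, window_seconds=10):
    """Map User-Agent -> sorted IPs whose GET / had no follow-up request."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    window = timedelta(seconds=window_seconds)  # assumed page-load window
    flagged = defaultdict(set)
    for ip, recs in by_ip.items():
        for root in recs:
            if root["method"] != "GET" or root["path"] != "/":
                continue
            followed = any(r["path"] != "/" and timedelta(0) <= r["ts"] - root["ts"] <= window
                           for r in recs)
            if not followed:
                flagged[root["agent"]].add(ip)
    return {agent: sorted(ips) for agent, ips in flagged.items()}

if __name__ == "__main__":
    for agent, ips in root_only_clients(SAMPLE_LOG).items():
        print(len(ips), "root-only clients:", agent, ips)
```

A single root hit is only a heuristic: text-mode browsers, caching proxies and link checkers also produce it, so the signal worth acting on is many unrelated addresses sharing one byte-identical User-Agent.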