Re: Unknown user agent in my logs...



I would like to add

http://www.dshield.org/ipinfo.html?ip=70.245.143.248 , Looks zombified
pc at ATT.

On 4/10/07, Anshuman G <anshu.pg@xxxxxxxxx> wrote:
Humm..

my googleskills are better it seems :).

Check >> http://www.linuxquestions.org/questions/showthread.php?p=2637338#post2637338

On 4/9/07, Clinton E. Troutman <cetro.consulting@xxxxxxxxxxxxx> wrote:
>
> Beginning just after 18:00 this evening, my Apache access log began to show
> hits every few seconds from the same source IP.
> Other than time, all lines appear to be the same... (sample given below).
>
> Hits continued until I blocked the source IP (via iptables). My router shows
> the incoming attempts continue at the same rate (but iptables is dropping
> the packets as they reach that machine).
>
> I'm wondering if anyone has experience with the User Agent shown in these
> log entries. Google hasn't helped me at all (maybe my Google skills are
> lacking...).
>
> I suspect a hacked machine, especially since they apparently haven't noticed
> I have blocked them; but, I wonder, hacked with what???
>
> --- Begin Sample ---
> 70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:57 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:03 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:09 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:15 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:22 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:28 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:34 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:40 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:46 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:52 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:58 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:04 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:10 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:16 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:22 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:28 -0500] "GET / HTTP/1.1" 206
> 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> --- End Sample ---
>
> Thanks in advance,
> --
> Clinton E. Troutman
> Independent Computer Consultant for Home,
> Home Office, and Small Business in Fort Worth, Texas
> --
> Clinton E. Troutman
> CeTro
> Independent Computer Consultant for Home,
> Home Office, and Small Business in Fort Worth, Texas
> http://cetro.dnsalias.org/
>
>