Re: Unknown user agent in my logs...

From: tony barry <tony@xxxxxxxxxxxxx>
Date: Tue, 10 Apr 2007 10:41:10 +1200

Hi,

I cant help with the user agent but the name suggests a tool to discover
network services.
Whois tells me the IP belongs to SBC internet services. They show up in
google. I suggest you report this to them. They are part of a major US
telecomms provider so there is a good chance they will take appropriate
action.

On Sun, 2007-04-08 at 23:33 -0500, Clinton E. Troutman wrote:

Beginning just after 18:00 this evening, my Apache access log began to show
hits every few seconds from the same source IP.
Other than time, all lines appear to be the same... (sample given below).

Hits continued until I blocked the source IP (via iptables). My router shows
the incoming attempts continue at the same rate (but iptables is dropping
the packets as they reach that machine).

I'm wondering if anyone has experience with the User Agent shown in these
log entries. Google hasn't helped me at all (maybe my Google skills are
lacking...).

I suspect a hacked machine, especially since they apparently haven't noticed
I have blocked them; but, I wonder, hacked with what???

--- Begin Sample ---
70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:57 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:03 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:09 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:15 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:22 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:28 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:34 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:40 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:46 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:52 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:58 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:04 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:10 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:16 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:22 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:28 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
--- End Sample ---

Thanks in advance,
--
Clinton E. Troutman
Independent Computer Consultant for Home,
Home Office, and Small Business in Fort Worth, Texas

Follow-Ups:
- Re: Unknown user agent in my logs...
  - From: Clinton E. Troutman

References:
- Unknown user agent in my logs...
  - From: Clinton E. Troutman

Prev by Date: Re: Unknown user agent in my logs...
Next by Date: RE: Audit Windows files/folders
Previous by thread: Re: Unknown user agent in my logs...
Next by thread: Re: Unknown user agent in my logs...
Index(es):
- Date
- Thread

Relevant Pages

Re: Windows Mobile 5, Tmobile, Not able to search google..
... j> cannot be displayed or downloaded because the connection was lost. ... j> my user agent string it sees? ... j> any ideas on WHY google (the most useful search engine on the net) will ...
(microsoft.public.pocketpc)
Windows Mobile 5, Tmobile, Not able to search google..
... cannot be displayed or downloaded because the connection was lost. ... my user agent string it sees? ... any ideas on WHY google (the most useful search engine on the net) will ...
(microsoft.public.pocketpc)
Re: GPS and Google map
... Google is one of the few sites that reads the device "user agent" strings and, for the pocket pc, only displays maps and does so with a single image unlike the pc version that "tiles" all of the map displays. ...
(microsoft.public.pocketpc)
Re: cloaking?
... >> What is giving you the idea that the forum is cloaking? ... > Somehow Google is reading the page content and I am obviously getting a ... made with a no cache and you can not see the pages unless you login. ... > page than if you set your user agent to Firefox or a regular browser. ...
(alt.internet.search-engines)