New zombie fleet looking at webserver root pages??? Started Feb 10, ALL with browser string "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

From: Craig (anonymous_at_illegalhostname.com)
Date: 02/17/04

    Date: Tue, 17 Feb 2004 04:47:58 -0500

    Good-day,

    I know this isn't exactly a firewall question, but you guys seem much more on top of these types of things than the "general security" crowd who are all dealing with spyware and mail-worms.

    I've never seen anything like this before.

    Starting back on Feb 10th 2004 I've found an increasing number of solitary HTTP GET requests to the root page of my webserver. They come from broadband lines spread all over the place, and *ALL* the requests have the same browser identifier, with no referrer. Almost none of the IPs have ever made more than one request.

    I mean the usual are malformed/404 requests attempting to exploit old IIS holes, rogue search engines, and spam spiders from Nigeria looking for e-mail addresses (crawling ONLY html pages but without a crawler referrer).

    These are all GET requests that result in 200 codes.
    They *all* have the same ID of "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)".
    The IPs do *not* appear anywhere else in my logs, for any other codes (200s, 404s, etc.).
    I am able to ping about half these IPs.
    And it definitely started on the 10th, and by the 13th reached its current steady state rate of around 20 requests a day.

    See the access log grep from February below. Note that a similar grep on January's logs turns up only one or two such hits the entire month.

    Any ideas? A new worm looking for a new IIS hole based on the MS source code release that was also around the 10th but that results in benign looking 200 requests on non-IIS webservers????

    Cheers,

            -Craig

    PS: I've verified that the "grep 30038" below has not pulled in a single root page request that accompanied any standard browser request for the root page; none of them had that browser ID!!! The grep merely excludes requests for other more popular pages within my site that came from browsers that happened to have the same browser ID. (My main page is NOT a popular entrypoint or destination, so I'm not surprised no-one browsed it with that specific browser type.)

    The whole reason I noticed this is that there were clumps of 4-6 of these in my logs (my site gets approx 30 unique visitors a day) with ZERO requests for the associated images on the root page or any subsequent "browsing" or crawling activity.

    > grep "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" ac0402*.log | grep 30038
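The same check done programmatically rather than with grep, as an added example that is not part of the post: it parses combined-format access log lines and reports only hosts whose single request in the whole log set was GET / with a 200, an empty referrer and the browser string above, dropping any host that also fetched something else (the missing image requests are the tell Craig describes). The log lines, the 192.0.2.x addresses and the second User-Agent are constructed for the example.

```python
import re
from collections import defaultdict

# NCSA combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
OTHER_UA = "Mozilla/5.0 (X11; Linux) Gecko"  # constructed, for contrast

# Constructed sample log lines using RFC 5737 test addresses; not from the post.
SAMPLE_LOG = [
    f'192.0.2.10 - - [11/Feb/2004:04:01:24 -0500] "GET / HTTP/1.1" 200 30038 "" "{SUSPECT_UA}"',
    f'192.0.2.11 - - [11/Feb/2004:18:47:50 -0500] "GET / HTTP/1.1" 200 30038 "" "{SUSPECT_UA}"',
    # Real visitor: same UA, but came back for the page's image -> excluded.
    f'192.0.2.12 - - [11/Feb/2004:19:02:11 -0500] "GET / HTTP/1.1" 200 30038 "" "{SUSPECT_UA}"',
    f'192.0.2.12 - - [11/Feb/2004:19:02:12 -0500] "GET /logo.gif HTTP/1.1" 200 4321 "http://www.example.com/" "{SUSPECT_UA}"',
    # Same UA, but asked for another page rather than the root -> excluded.
    f'192.0.2.13 - - [12/Feb/2004:00:53:07 -0500] "GET /about.html HTTP/1.1" 200 8000 "" "{SUSPECT_UA}"',
    # Root page hit from a different browser -> excluded.
    f'192.0.2.14 - - [12/Feb/2004:10:04:51 -0500] "GET / HTTP/1.1" 200 30038 "" "{OTHER_UA}"',
    f'192.0.2.15 - - [12/Feb/2004:12:26:05 -0500] "GET / HTTP/1.0" 200 30038 "" "{SUSPECT_UA}"',
]

def parse(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def one_shot_root_hits(lines, ua=SUSPECT_UA):
    """Return {ip: day} for hosts whose *only* request was GET / -> 200 with an
    empty referrer and the suspect User-Agent. A browser that really rendered
    the root page would also fetch its images, so any host with a second
    request of any kind is treated as a genuine visitor and skipped."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        if len(recs) != 1:
            continue
        r = recs[0]
        if (r["method"] == "GET" and r["path"] == "/" and r["status"] == "200"
                and r["referer"] == "" and r["ua"] == ua):
            hits[ip] = r["day"]
    return hits

def hits_per_day(hits):
    """Daily count of one-shot hits, to see the ramp-up and steady-state rate."""
    counts = defaultdict(int)
    for day in hits.values():
        counts[day] += 1
    return dict(counts)
```

Feed it the real log files line by line instead of SAMPLE_LOG; because the check is per host across the whole set, run it over all days at once rather than file by file.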

