Mikel L. Williams
mikelw at ruffinbuildingsystems.com
Fri Aug 19 13:49:06 GMT 2005
Of the three IP addresses conducting this scan, one is from the Sprint network
out of REDMOND, WA.
Maybe you've been crawled by one of Microsoft's HoneyMonkeys...
----- Original Message -----
From: "Craig Webster" <craig at xeriom.net>
To: "General DShield Discussion List" <list at lists.dshield.org>
Cc: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Friday, August 19, 2005 8:32 AM
Subject: Re: [Dshield] Server
> On Fri, August 19, 2005 14:15, Johannes B. Ullrich said:
> >> 22.214.171.124 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A
> >> HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT;
> >> ....../1.0 )"
> > So nothing malicious per se. Spiders may follow these links.
> > Overall, this looks like a distributed scan from a bot/search engine. I
> > don't see any major problem here. They essentially just used a script to
> > hit every page on your site. You may need to clamp down on some of your
> > authentication if some of these files are supposed to be restricted.
> I agree that it looks like a search engine spidering the site but the
> whois output (http://www.whois.sc/126.96.36.199) seems to say that it's
> from a regular home user. Whois on some of the other IP addresses in the
> logs say the same so it could be something trying to do something
> naughty... or it could just be a few curious users clicking at random or
> downloading your entire site.
> What version of AWStats do you use? Older versions have some exploits that
> can be used for some "fun" tricks. There's an older Dshield post that
> shows you what the logs look like - have a look for these lines:
> Craig Webster | e : craig at xeriom.net | monkeys && beer == true
> Xeriom.NET | web: http://xeriom.net/ | monkeys + beer == multiboom