[Dshield] Server

Mikel L. Williams mikelw at ruffinbuildingsystems.com
Fri Aug 19 13:49:06 GMT 2005


Of the three IP addresses conducting this scan, one is from the Sprint network
out of REDMOND, WA.

Maybe you've been crawled by one of Microsoft's HoneyMonkeys...


----- Original Message ----- 
From: "Craig Webster" <craig at xeriom.net>
To: "General DShield Discussion List" <list at lists.dshield.org>
Cc: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Friday, August 19, 2005 8:32 AM
Subject: Re: [Dshield] Server


>
> On Fri, August 19, 2005 14:15, Johannes B. Ullrich said:
> >> 12.44.172.92 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A
> >> HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT;
> >> ....../1.0 )"
>
> > So nothing malicious per se. Spiders may follow these links.
>
> [...]
>
> > Overall, this looks like a distributed scan from a bot/search engine. I
> > don't see any major problem here. They essentially just used a script to
> > hit every page on your site. You may need to clamp down on some of your
> > authentication if some of these files are supposed to be restricted.
>
> I agree that it looks like a search engine spidering the site but the
> whois output (http://www.whois.sc/12.44.172.92) seems to say that it's
> from a regular home user. Whois on some of the other IP addresses in the
> logs say the same so it could be something trying to do something
> naughty... or it could just be a few curious users clicking at random or
> downloading your entire site.
>
> What version of AWStats do you use? Older versions have some exploits that
> can be used for some "fun" tricks. There's an older Dshield post that
> shows you what the logs look like - have a look for these lines:
> http://www.dshield.org/pipermail/list/2005-March/019603.html
>
> Yours,
> Craig
> --
> Craig Webster | e  : craig at xeriom.net   | monkeys && beer == true
> Xeriom.NET    | web: http://xeriom.net/ | monkeys + beer == multiboom
>
>
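The triage discussed in the quoted replies (directory-index sort links such as `?D=A` followed by a script, and restricted files being served without authentication) can be checked per client. The following is an added example, not code from the thread or from DShield. It assumes Apache combined log format; the `/private/` prefix, the threshold of two sort links, and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# mod_autoindex column-sort links: Apache 1.3 (?D=A) and 2.x (?C=D;O=A) forms.
SORT_RE = re.compile(r'(?:[NMSD]=[AD]|C=[NMSD];O=[AD])')

# Constructed sample lines (documentation addresses, made-up paths and agents).
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" 200 4205 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [06/Aug/2005:21:51:57 -0400] "GET /downloads/?N=D HTTP/1.0" 200 4205 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [06/Aug/2005:21:51:58 -0400] "GET /private/report.pdf HTTP/1.0" 200 88211 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [06/Aug/2005:21:52:10 -0400] "GET /downloads/ HTTP/1.1" 200 4205 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Aug/2005:21:52:30 -0400] "GET /private/report.pdf HTTP/1.1" 401 401 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Aug/2005:21:53:02 -0400] "GET /downloads/?C=M;O=D HTTP/1.1" 200 4205 "-" "Mozilla/5.0"',
]

def summarize(lines, restricted=("/private/",)):
    """Per-client request count, sort-link hits, and restricted paths served with 200."""
    stats = defaultdict(lambda: {"requests": 0, "sort_links": 0, "exposed": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m["target"])
        s = stats[m["ip"]]
        s["requests"] += 1
        # A sort link is a directory URL whose whole query is a sort key.
        if url.path.endswith("/") and SORT_RE.fullmatch(url.query):
            s["sort_links"] += 1
        # A 200 under a restricted prefix means the file was served, not challenged.
        if m["status"] == "200" and url.path.startswith(restricted):
            s["exposed"].add(url.path)
    return stats

def link_followers(stats, min_sort_links=2):
    """Clients that requested several sort links, as a script following every href would."""
    return sorted(ip for ip, s in stats.items() if s["sort_links"] >= min_sort_links)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in link_followers(stats):
        print(ip, stats[ip]["requests"], sorted(stats[ip]["exposed"]))
```

A non-empty `exposed` set for any client is the signal to tighten authentication on those paths, whether or not the client turns out to be a search engine.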


