Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Unknown user agent in my logs...

From: "Anshuman G" <anshu.pg () gmail com>
Date: Tue, 10 Apr 2007 02:57:03 +0530
Humm..

my googleskills are better it seems :).

Check >> http://www.linuxquestions.org/questions/showthread.php?p=2637338#post2637338

On 4/9/07, Clinton E. Troutman <cetro.consulting () sbcglobal net> wrote:


Beginning just after 18:00 this evening, my Apache access log began to show
hits every few seconds from the same source IP.
Other than time, all lines appear to be the same... (sample given below).

Hits continued until I blocked the source IP (via iptables). My router shows
the incoming attempts continue at the same rate (but iptables is dropping
the packets as they reach that machine).

I'm wondering if anyone has experience with the User Agent shown in these
log entries. Google hasn't helped me at all (maybe my Google skills are
lacking...).

I suspect a hacked machine, especially since they apparently haven't noticed
I have blocked them; but, I wonder, hacked with what???

--- Begin Sample ---
70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:57 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:03 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:09 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:15 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:22 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:28 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:34 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:40 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:46 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:52 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:41:58 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:04 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:10 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:16 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:22 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:42:28 -0500] "GET / HTTP/1.1" 206
5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
--- End Sample ---

Thanks in advance,
--
Clinton E. Troutman
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas
--
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas
http://cetro.dnsalias.org/
Previous By Date Next
Previous By Thread Next

Current thread: