Security Incidents mailing list archives
Strange HTTP user agent entries in log
From: Bob Rentschler <rentscb () WES ARMY MIL>
Date: Fri, 2 Feb 2001 09:23:21 -0600
I noticed some strange entries from a spider in my httpd logs yesterday and was wondering if anyone else had seen something similar and, if so, what it is. Instead of a normal user agent entry, this one starts with user-1.ip3000.com then goes to user0, user1, etc., incrementing the number every second, staying in order even though the source is at least 3 different IPs. Nothing hostile looking; it read robots.txt, but the user agent makes me suspicious. Excerpt from the logs below.

Bob

216.200.195.58 - - [01/Feb/2001:09:36:44 -0600] "GET /robots.txt HTTP/1.1" 200 199 "-" "user-1.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:36:45 -0600] "GET / HTTP/1.1" 200 10233 "-" "user0.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:38:19 -0600] "GET /images/topbar2.png HTTP/1.1" 200 12437 "-" "user0.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:38:21 -0600] "GET /images/linuxpower2.png HTTP/1.1" 200 1065 "-" "user0.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:38:23 -0600] "GET /images/apache-b.gif HTTP/1.1" 200 31273 "-" "user0.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:39:30 -0600] "GET /ftpstats/ftplog.html HTTP/1.1" 200 425823 "-" "user1.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:21 -0600] "GET /ftpstats/ftpgraph.html HTTP/1.1" 200 4010 "-" "user2.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:42 -0600] "GET /ftpstats/DailyHitStats.png HTTP/1.1" 200 1838 "-" "user2.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:43 -0600] "GET /ftpstats/DailyVolumeStats.png HTTP/1.1" 200 1935 "-" "user2.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:41:44 -0600] "GET /ftpstats/HourlyHitStats.png HTTP/1.1" 200 1690 "-" "user2.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:44 -0600] "GET /ftpstats/HourlyVolumeStats.png HTTP/1.1" 200 1848 "-" "user2.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:45 -0600] "GET /ftpstats/TopLevelDomainHitStats.png HTTP/1.1" 200 1704 "-" "user2.ip3000.com"
<----Cut to different time frame------>
216.200.195.60 - - [01/Feb/2001:09:43:35 -0600] "GET /LUGOJ HTTP/1.1" 301 252 "-" "user5.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:43:37 -0600] "GET /LUGOJ/ HTTP/1.1" 200 6041 "-" "user5.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:44:33 -0600] "GET /LDP/index.html HTTP/1.1" 200 21713 "-" "user6.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:45:07 -0600] "GET /LDP/images/bg.jpg HTTP/1.1" 200 5444 "-" "user6.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:45:13 -0600] "GET /LDP/images/crdempsey2.jpg HTTP/1.1" 200 13911 "-" "user6.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:45:22 -0600] "GET /LDP/images/ibilio_logo1.gif HTTP/1.1" 200 954 "-" "user6.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:46:13 -0600] "GET /CPAN/index.html HTTP/1.1" 200 2964 "-" "user7.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:47:35 -0600] "GET /CPAN/misc/jpg/cpan.jpg HTTP/1.1" 200 10977 "-" "user7.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:49:43 -0600] "GET /php/manual.html HTTP/1.1" 200 8670 "-" "user8.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:50:15 -0600] "GET /LDP/LDP/LG/lg_frontpage.html HTTP/1.1" 200 12013 "-" "user9.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:50:48 -0600] "GET /LDP/LDP/LG/gx/lglogo.jpg HTTP/1.1" 200 39808 "-" "user9.ip3000.com"
<-------Another cut in time to the only strange request made------>
216.200.195.53 - - [01/Feb/2001:19:08:23 -0600] "GET /webstats/url_200012.html HTTP/1.1" 200 27405 "-" "user247.ip3000.com"
216.200.195.58 - - [01/Feb/2001:19:09:15 -0600] "GET /webstats/site_200012.html HTTP/1.1" 200 15730 "-" "user248.ip3000.com"
216.200.195.60 - - [01/Feb/2001:19:09:30 -0600] "GET /webstats/XXXX:+++++++++++++++++++++++++++++++++++++++++++++++++++++ HTTP/1.1" 404 273 "-" "user249.ip3000.com"
216.200.195.53 - - [01/Feb/2001:19:09:31 -0600] "GET /webstats/XXXX:+++++++++++++++++++++++++++++++++++++++++++++++++++++/ HTTP/1.1" 404 274 "-" "user249.ip3000.com"
216.200.195.53 - - [01/Feb/2001:19:09:55 -0600] "GET /webstats/ref_200012.html HTTP/1.1" 200 10209 "-" "user250.ip3000.com"
216.200.195.60 - - [01/Feb/2001:19:11:00 -0600] "GET /webstats/search_200012.html HTTP/1.1" 200 13905 "-" "user251.ip3000.com"
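
One way to find the pattern described in the post above in a combined-format access log, added here as an example that is not part of the original message: it picks out User-Agent strings shaped like a hostname carrying a counter and reports families whose counter is shared by several source addresses without ever running backwards. The function name, the regular expressions and the min_ips threshold are assumptions; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the excerpt.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A User-Agent that is really a hostname carrying a counter (user-1.ip3000.com).
COUNTER_UA = re.compile(r'^(?P<prefix>[A-Za-z]+)(?P<n>-?\d+)\.(?P<domain>[\w.-]+)$')

# Six lines copied from the excerpt in the post.
SAMPLE = """\
216.200.195.58 - - [01/Feb/2001:09:36:44 -0600] "GET /robots.txt HTTP/1.1" 200 199 "-" "user-1.ip3000.com"
216.200.195.53 - - [01/Feb/2001:09:36:45 -0600] "GET / HTTP/1.1" 200 10233 "-" "user0.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:39:30 -0600] "GET /ftpstats/ftplog.html HTTP/1.1" 200 425823 "-" "user1.ip3000.com"
216.200.195.60 - - [01/Feb/2001:09:41:21 -0600] "GET /ftpstats/ftpgraph.html HTTP/1.1" 200 4010 "-" "user2.ip3000.com"
216.200.195.58 - - [01/Feb/2001:09:41:44 -0600] "GET /ftpstats/HourlyHitStats.png HTTP/1.1" 200 1690 "-" "user2.ip3000.com"
216.200.195.53 - - [01/Feb/2001:19:08:23 -0600] "GET /webstats/url_200012.html HTTP/1.1" 200 27405 "-" "user247.ip3000.com"
"""

def shared_counters(log_text, min_ips=2):
    """Return counter-UA families seen from at least min_ips source addresses."""
    families = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        ua = COUNTER_UA.match(m["ua"]) if m else None
        if not ua:
            continue  # unparseable line or an ordinary User-Agent
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        families[(ua["prefix"], ua["domain"])].append((when, int(ua["n"]), m["ip"]))
    report = {}
    for family, hits in families.items():
        hits.sort(key=lambda h: h[0])  # stable: same-second lines keep file order
        counters = [n for _, n, _ in hits]
        ips = sorted({ip for _, _, ip in hits})
        if len(ips) >= min_ips:
            report[family] = {
                "ips": ips,
                "first": counters[0],
                "last": counters[-1],
                # One counter shared by all addresses never runs backwards.
                "monotonic": all(a <= b for a, b in zip(counters, counters[1:])),
            }
    return report

if __name__ == "__main__":
    for family, info in shared_counters(SAMPLE).items():
        print(family, info)
```

A family reported with several addresses and "monotonic" true points to one crawler state spread over multiple hosts, which is what the poster observed.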