Security Incidents mailing list archives

Re: gw.ocg-corp.com


From: Chip McClure <vhm3 () hades gigguardian com>
Date: Mon, 13 May 2002 14:56:00 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't have any luck finding out any info on ocg-corp.com either. :( I've
got a few of the hits in my webserver logs, the same as you. My guess,
someone's spoofing the reverse dns on it. Kinda sounds like someone is
doing some very hard spidering on your site.

However, I did find out some info on Larbin:

http://larbin.sourceforge.net/index-eng.html

The following is a cut from my server logs as well, any relevance, or
associated IP's:

62.23.138.142 - - [05/May/2002:08:26:33 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "larbin_2.6.1 (larbin2.6.1 () unspecified mail)"
62.23.138.142 - - [05/May/2002:08:26:33 -0700] "GET / HTTP/1.0" 200 4571 "-" "larbin_2.6.1 larbin2.6.1 () unspecified mail"
62.23.138.142 - - [07/May/2002:14:32:53 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "larbin_2.6.1 (larbin2.6.1 () unspecified mail)"
62.23.138.142 - - [07/May/2002:14:32:56 -0700] "GET / HTTP/1.0" 200 4571 "-" "larbin_2.6.1 larbin2.6.1 () unspecified mail"
209.126.176.3 - - [09/May/2002:13:34:35 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "larbin_2.6.2 (larbin2.6.2 () unspecified mail)"
209.126.176.3 - - [09/May/2002:13:34:39 -0700] "GET / HTTP/1.0" 200 4571 "-" "larbin_2.6.2 larbin2.6.2 () unspecified mail"
gw.ocg-corp.com - - [10/May/2002:17:29:38 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:17:37:31 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" ""Opera/6.01 (larbin () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:17:37:32 -0700] "GET / HTTP/1.0" 200 4571 "-" ""Opera/6.01 larbin () unspecified mail"
gw.ocg-corp.com - - [11/May/2002:22:33:39 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
gw.ocg-corp.com - - [11/May/2002:22:33:39 -0700] "GET / HTTP/1.0" 200 4571 "-" "WinampMPEG/2.00 larbin () unspecified mail"


- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
- -----

On Mon, 13 May 2002 netscience () hushmail com wrote:


gw.ocg-corp.com - - [12/May/2002:20:29:08 -0400] "GET / HTTP/1.0" 200 18141 "-" "Opera/6.01 larbin2.6.2 () unspecified mail"
gw.ocg-corp.com - - [12/May/2002:20:31:04 -0400] "GET / HTTP/1.0" 200 18141 "-" "WinampMPEG/2.00 larbin () unspecified mail"

Anyone know who or what this is? gw.ocg-corp.com has been running rampant through the logs for the past 72 hours,
following links even with noindex applied. No info on any Google searches except the last few days indexing same,
no whois, nothing. It has been snooping around the site over and over again, all pages, using different user
agents in the last 72 hours.

Annoying as hell


..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
Internal development version only - not for general release.
(c) 1999 Network Associates Inc.
Export of this software may be restricted by the U.S. government.
File is signed.  signature not checked.
Signature made 2002/05/13 21:42 GMT
key does not meet validity threshold.
WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "(KeyID: 0xB693B8AB)".



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPOA2c5uKtP8CSC69EQKb+QCg2V7Lsf7wKM2yiSi3jDHAI0FQ2LQAoM/6
p1ssUdbrGQ1G9FiwE4Nhv4YU
=ebqg
-----END PGP SIGNATURE-----
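
Added example (not part of the original message or of the list archive): one way to surface the pattern discussed in this thread, a single client cycling through browser-like User-Agent strings that all carry the same crawler token, from an Apache combined-format access log. The sample log is constructed from the style of the entries quoted above; the 192.0.2.10 visitor, the function names and the reason labels are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample (Apache combined log format) modelled on the entries
# quoted in the message; 192.0.2.10 is a made-up ordinary visitor.
SAMPLE_LOG = """\
62.23.138.142 - - [05/May/2002:08:26:33 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "larbin_2.6.1 (larbin2.6.1 () unspecified mail)"
62.23.138.142 - - [05/May/2002:08:26:33 -0700] "GET / HTTP/1.0" 200 4571 "-" "larbin_2.6.1 (larbin2.6.1 () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:17:29:38 -0700] "GET /robots.txt HTTP/1.0" 404 335 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:17:37:32 -0700] "GET / HTTP/1.0" 200 4571 "-" "Opera/6.01 (larbin () unspecified mail)"
192.0.2.10 - - [10/May/2002:17:40:02 -0700] "GET / HTTP/1.0" 200 4571 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [10/May/2002:17:40:05 -0700] "GET /about.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

# The last group is greedy so a user agent containing stray quotes still parses.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

def agents_by_client(log_text):
    """Map each client host to the set of User-Agent strings it presented."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that are not in combined format
            seen[m["host"]].add(m["agent"])
    return seen

def flag_clients(log_text, marker="larbin"):
    """Return {host: [reasons]} for clients whose User-Agent looks inconsistent."""
    findings = {}
    for host, agents in agents_by_client(log_text).items():
        reasons = []
        if len(agents) > 1:
            reasons.append("rotating-user-agent")
        # Crawler token buried in a string whose product name claims otherwise.
        if any(marker in a.lower() and not a.lower().startswith(marker) for a in agents):
            reasons.append("crawler-marker-in-foreign-ua")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in flag_clients(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

A client that identifies itself consistently as larbin is not flagged; only the host that changes its claimed product while keeping the larbin token is reported.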


