Security Incidents mailing list archives

Re: Got 'em. (was "Re: gw.ocg-corp.com")


From: Chip McClure <vhm3 () hades gigguardian com>
Date: Mon, 13 May 2002 15:53:39 -0700 (PDT)

I found him as well. :)

Going through my web server logs the past few days, that IP (numeric) was
also listed in there, same useragent string. You can find out what he's up
to:

http://209.126.176.3:8081/

On each connection to my site, all he got was a non-existent robots.txt &
the index page. Each visit, nothing different. When I checked his "pending
urls" - they were all a bunch of Yahoo IPs.

:)

- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
- -----

On Mon, 13 May 2002, Jay D. Dyson wrote:

On Mon, 13 May 2002, Chip McClure wrote:

I don't have any luck finding out any info on ocg-corp.com either. :(
I've got a few of the hits in my webserver logs, the same as you. My
guess, someone's spoofing the reverse dns on it. Kinda sounds like
someone is doing some very hard spidering on your site.

      My experiment paid off.  I figured the spider would goof at some
point and cough up the IP address and I was happy to find this was true.

      Here's what I have on this spider.  First, I did a search through
my Apache logs looking for all instances of 'gw.ocg-corp.com' in hopes
that there was a 404 (not found) happening somewhere in its spidering.
Sure enough, I found this:

gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"

      Keep in mind that though one's Apache configuration may be set to
resolve IP addresses to domain names, Apache nonetheless logs only the IP
address in its error logs.  Thus, I correlated the above 404 with my
9-11justice_org-error.log and found the following:

[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt

      From there, it was all over but the shouting...

$ nslookup 209.126.176.3
Server:  localhost
Address:  127.0.0.1

Name:    gw.ocg-corp.com
Address:  209.126.176.3

      And there we have the culprit.  Who wants to throw the clue mallet
at 'em?  ;)

-Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- They know the rules.  We know the loopholes. --'  `------'

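The correlation Jay describes (hostname in the access log, numeric client in the error log, matched on the robots.txt 404 and a timestamp a second or so apart) and the reverse-DNS check, as an added example; this is not code from the original thread. The log lines below are constructed to resemble the ones quoted above, and the DNS answers are a fake resolver table: the forward (A) answer for gw.ocg-corp.com is an assumption for the example, not something the thread shows.

```python
"""Recover the client IP behind a hostname-resolved Apache access log by
correlating its 404s with the error log, then sanity-check the reverse DNS.
Added example, not code from the original list posting."""
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined format, HostnameLookups On).
ACCESS_LOG = """\
gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin@unspecified.mail)"
gw.ocg-corp.com - - [10/May/2002:13:16:25 -0700] "GET / HTTP/1.0" 200 8213 "-" "WinampMPEG/2.00 (larbin@unspecified.mail)"
crawler.example.net - - [10/May/2002:13:20:01 -0700] "GET /missing.html HTTP/1.0" 404 4472 "-" "Mozilla/4.0"
"""

# Constructed sample error log (Apache 1.3 style; always the numeric client).
ERROR_LOG = """\
[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt
[Fri May 10 13:20:01 2002] [error] [client 198.51.100.7] File does not exist: /hosts/virtual/9-11justice.org/missing.html
"""

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] File does not exist: (?P<file>\S+)')


def parse_access(text):
    """Yield dicts for parseable access-log lines; timestamps as naive local time."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # The access log carries a UTC offset; the error log does not, so
        # drop tzinfo and compare wall-clock local times on both sides.
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
        out.append({'host': m['host'], 'ts': ts, 'path': m['path'], 'status': int(m['status'])})
    return out


def parse_error(text):
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
        out.append({'ip': m['ip'], 'ts': ts, 'file': m['file']})
    return out


def correlate(access_text, error_text, window_seconds=5):
    """Map each access-log hostname to the client IPs of error-log entries that
    name the same missing file within a few seconds of the 404."""
    errors = parse_error(error_text)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for a in parse_access(access_text):
        if a['status'] != 404 or a['path'] == '/':
            continue
        for e in errors:
            # The error log stores docroot + path, so match on the suffix.
            if e['file'].endswith(a['path']) and abs(e['ts'] - a['ts']) <= window:
                hits.setdefault(a['host'], set()).add(e['ip'])
    return hits


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """Reverse-resolve ip, then forward-resolve the name and check it comes back.
    Resolvers are injected so this runs offline; in practice wrap
    socket.gethostbyaddr and socket.gethostbyname_ex."""
    try:
        name = ptr_lookup(ip)
    except (OSError, LookupError):
        return None, False
    try:
        addrs = a_lookup(name)
    except (OSError, LookupError):
        return name, False
    return name, ip in addrs


# Constructed resolver tables (assumptions for the example, not real DNS data).
# The first pair is forward-confirmed; the second is a PTR whose name does not
# resolve back to the IP, which is what a spoofed reverse record looks like.
FAKE_PTR = {'209.126.176.3': 'gw.ocg-corp.com', '198.51.100.7': 'crawler.example.net'}
FAKE_A = {'gw.ocg-corp.com': ['209.126.176.3'], 'crawler.example.net': ['203.0.113.9']}


if __name__ == '__main__':
    for host, ips in correlate(ACCESS_LOG, ERROR_LOG).items():
        for ip in sorted(ips):
            name, ok = forward_confirmed(ip, FAKE_PTR.__getitem__, FAKE_A.__getitem__)
            print(f'{host} -> {ip}  PTR={name}  forward-confirmed={ok}')
```

The error-log entry is written when the request is handled and the access-log entry when the response is complete, so the two timestamps can differ by a second or more; that is why the match uses a small window rather than equality. A PTR record is controlled by whoever holds the in-addr.arpa delegation for the address block, so the forward lookup is the check that settles the "spoofed reverse DNS" question raised earlier in the thread.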



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com