Security Incidents mailing list archives
Re: Got 'em. (was "Re: gw.ocg-corp.com")
From: Chip McClure <vhm3 () hades gigguardian com>
Date: Mon, 13 May 2002 15:53:39 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I found him as well. :)

Going through my web server logs the past few days, that IP (numeric) was also listed in there, same useragent string.

You can find out what he's up to: http://209.126.176.3:8081/

On each connection to my site, all he got was a non-existent robots.txt & the index page. Each visit, nothing different.

When I checked his "pending urls" - they were all a bunch of yahoo ip's. :)

- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.
http://www.gigguardian.com/
- -----

On Mon, 13 May 2002, Jay D. Dyson wrote:
> On Mon, 13 May 2002, Chip McClure wrote:
>
> > I don't have any luck finding out any info on ocg-corp.com either. :(
> > I've got a few of the hits in my webserver logs, the same as you. My
> > guess, someone's spoofing the reverse dns on it. Kinda sounds like
> > someone is doing some very hard spidering on your site.
>
> My experiment paid off. I figured the spider would goof at some point and
> cough up the IP address and I was happy to find this was true. Here's
> what I have on this spider.
>
> First, I did a search through my Apache logs looking for all instances of
> 'gw.ocg-corp.com' in hopes that there was a 404 (not found) happening
> somewhere in its spidering. Sure enough, I found this:
>
> gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
>
> Keep in mind that though one's Apache configuration may be set to resolve
> IP addresses to domain names, Apache nonetheless logs only the IP address
> in its error logs. Thus, I correlated the above 404 with my
> 9-11justice_org-error.log and found the following:
>
> [Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt
>
> From there, it was all over but the shouting...
>
> $ nslookup 209.126.176.3
> Server:  localhost
> Address:  127.0.0.1
>
> Name:    gw.ocg-corp.com
> Address:  209.126.176.3
>
> And there we have the culprit. Who wants to throw the clue mallet at 'em? ;)
>
> -Jay
>
>   Jay D. Dyson -- jdyson () treachery net
>   "There's always time for a good cup of coffee"
>   They know the rules. We know the loopholes.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPOBD9puKtP8CSC69EQLRyACbBkmjbjl1Rk/nWizbuaPB7BtoGKcAoJyi
sbpWLQ9VZkLDx5yFcXqsCRyO
=0piZ
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
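The access-log / error-log correlation Jay describes in the quoted message, as an added example that is not part of the original thread. It assumes Apache access logs written with HostnameLookups on (first field is whatever reverse DNS returned, which the remote side controls) and the 2.0-era error-log format that always records the raw client IP; the sample lines are constructed from the two quoted in the thread, and the crawler.example.net / 198.51.100.7 pair is invented for contrast.

```python
import re
from datetime import datetime

# Constructed sample log lines, modelled on the two quoted in the thread
# (the crawler.example.net / 198.51.100.7 pair is invented for contrast).
ACCESS_LOG = """\
gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:13:16:25 -0700] "GET / HTTP/1.0" 200 8312 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
crawler.example.net - - [10/May/2002:13:20:01 -0700] "GET /missing.html HTTP/1.0" 404 4472 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt
[Fri May 10 13:20:02 2002] [error] [client 198.51.100.7] File does not exist: /hosts/virtual/9-11justice.org/missing.html
"""

# Access log (HostnameLookups On): first field is whatever reverse DNS returned.
ACCESS_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Error log: always the raw client IP, local time without a zone offset.
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] '
                      r'File does not exist: (?P<file>\S+)')

def parse_access_404s(text):
    """Yield (host, local timestamp, request path) for every 404 in the access log."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m['status'] == '404':
            # Drop the zone offset; the error log is in the same local time.
            ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
            yield m['host'], ts, m['path']

def parse_errors(text):
    """Return (local timestamp, client IP, missing file) for each error-log entry."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            out.append((datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'), m['ip'], m['file']))
    return out

def correlate(access_text, error_text, window_s=2):
    """Map each access-log hostname that got a 404 to the client IP(s) the error
    log recorded for the same missing file within window_s seconds."""
    errors = parse_errors(error_text)
    hits = {}
    for host, ts, path in parse_access_404s(access_text):
        for ets, ip, missing in errors:
            if missing.endswith(path) and abs((ets - ts).total_seconds()) <= window_s:
                hits.setdefault(host, set()).add(ip)
    return hits
```

`correlate(ACCESS_LOG, ERROR_LOG)` yields the name-to-IP pairing Jay recovered by hand; a name that maps to an IP whose forward DNS does not point back to it is the sign of a forged PTR the thread speculated about.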
Current thread:
- gw.ocg-corp.com netscience (May 13)
- Re: gw.ocg-corp.com Chip McClure (May 13)
- Got 'em. (was "Re: gw.ocg-corp.com") Jay D. Dyson (May 13)
- Re: Got 'em. (was "Re: gw.ocg-corp.com") Chip McClure (May 13)
- Re: Got 'em. (was "Re: gw.ocg-corp.com") Hugo van der Kooij (May 13)
- Got 'em. (was "Re: gw.ocg-corp.com") Jay D. Dyson (May 13)
- Re: gw.ocg-corp.com Jordan K Wiens (May 13)
- Re: gw.ocg-corp.com Christian Vogel (May 13)
- Re: gw.ocg-corp.com Will Aoki (May 13)
- Re: gw.ocg-corp.com Chip McClure (May 13)