Security Basics mailing list archives

strange logs


From: jpc <jeempc () sbcglobal net>
Date: Thu, 08 Jul 2004 19:18:03 -0400

Has anyone seen this error (see below) in the Apache log?
It appears someone is trying to mess with my server.
Notice how the IP changes from 69.209.152.51 to 69.192.139.207; this may be two
different people, I guess.
The first IP is using the same provider as I am. My IP was 69.209.152.xxx at
the time.
This has been happening since the 4th.
Any ideas? I googled the error message and couldn't find much.

Here is some info on the IPs:

nmap 69.209.152.51

Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
at 2004-07-08 15:54 EDT
Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net
(69.209.152.51):
(The 1650 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
113/tcp  open     auth
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
559/tcp  open     teedtap
1025/tcp filtered NFS-or-IIS
5000/tcp open     UPnP


nmap 69.192.139.207

Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
at 2004-07-08 16:04 EDT
Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com
(69.192.139.207):
(The 1642 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
80/tcp   open     http
113/tcp  open     auth
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
641/tcp  open     unknown
665/tcp  open     unknown
1025/tcp open     NFS-or-IIS
1080/tcp filtered socks
1214/tcp open     fasttrack
1434/tcp filtered ms-sql-m
3531/tcp open     peerenabler
5000/tcp open     UPnP


I went to the site 69.192.139.207 with my browser and a blank page appeared.
There seems to be a web server running on it. So I tried this...

telnet 69.192.139.207 80
Trying 69.192.139.207...
Connected to 69.192.139.207.
Escape character is '^]'.
GET index.htm
HTTP/1.0 501 Not Implemented
X-Kazaa-Username: Babie_Gurl
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 69.192.139.207:2692
X-Kazaa-SupernodeIP: 69.70.73.172:2215

Who the hell is Babie_Gurl??? :)

root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'

[Thu Jul  8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
too long
[Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
too long

root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'
[Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
too long
[Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI
too long
[Thu Jul  8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI
too long
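Apache writes "request failed: URI too long" (and answers 414) when a request line exceeds LimitRequestLine, 8190 bytes by default, and the `grep -v 'x90'` filter above suggests the offending URIs are padded with 0x90 bytes. As an added example that is not part of the original post, here is a small Python script that parses the error_log lines quoted above, counts those failures per client IP and reports how tightly they cluster, which is the first thing to establish before deciding whether a source is probing or merely broken. The sample lines are the post's own, re-joined onto single lines; the threshold in repeat_offenders is an arbitrary assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample error_log lines taken from the post above and re-joined onto single
# lines (the mail client wrapped "URI too long" across two lines).
SAMPLE_LOG = """\
[Thu Jul  8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
[Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI too long
"""

# Apache 1.3/2.0 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")

def parse_line(line):
    """Return (datetime, level, ip, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # %d copes with the padded "Jul  8" (format whitespace matches runs of spaces).
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("ip"), m.group("msg")

def summarize(log_text, pattern="request failed: URI too long"):
    """Per client IP: number of matching errors, first/last seen, shortest gap in seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and pattern in parsed[3]:
            hits[parsed[2]].append(parsed[0])
    report = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {"count": len(times), "first": times[0], "last": times[-1],
                      "min_gap_s": min(gaps) if gaps else None}
    return report

def repeat_offenders(report, min_count=3):
    """IPs that hit the limit min_count times or more (assumed threshold), busiest first."""
    return sorted((ip for ip, r in report.items() if r["count"] >= min_count),
                  key=lambda ip: -report[ip]["count"])

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {r['count']} hits, {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}, min gap {r['min_gap_s']}s")
```

Feed it the real error_log (without the grep -v filter) to see every source that trips the limit; a single hit from an address is usually a broken client, while repeated hits seconds apart are worth a firewall rule.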

