
Question for Website Log expert 1


CliveC

Programmer
Nov 21, 2001
1,222
US
I have noticed some strange activities in my logs and posted my question in the "General Security" forum. Can anyone here shed any light on this matter?
SEE: thread83-635226

Clive
 
What more light do you need shed, beyond the answer that you already got in that thread?
 
OK. Separating out the relevant parts of the log entries you can see the TIME, IP ADDRESS, and the QUERY

ENTRY 1
16:26:12 210.54.216.202 GET /cgi-bin/formmail.pl
ENTRY 2 (20 seconds later)
16:26:22 203.96.111.237 GET /cgi-bin/formmail.cgi

The queries are related by time and purpose but the IP address is different. All IP addresses used map back to ARIN, RIPE or APNIC which are in themselves related.

SEE:
Clive
 
Here are the IP look-ups:

Trying whois -h whois.arin.net 210.54.216.202

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to Comment:
RegDate: 1996-07-01
Updated: 2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

*********************************************

Trying whois -h whois.arin.net 203.96.111.237

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to Comment:
RegDate: 1994-04-05
Updated: 2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

*********************************************

Trying whois -h whois.arin.net 195.229.241.235

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: MUNNARI.OZ.AU
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate: 1996-03-25
Updated: 2003-04-25

TechHandle: RIPE-NCC-ARIN
TechName: RIPE NCC Hostmaster
TechPhone: +31 20 535 4444
TechEmail: search-ripe-ncc-not-arin@ripe.net

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net

*********************************************

Clive
 
Hi mate,

These are very common log entries and as long as you don't have these scripts on your server, you are ok. The 404 that appears in the log means the request was greeted by a 404 error; again, you have nothing to worry about.

Most likely the IP addresses you are seeing are of innocent people that know nothing about this happening.

It's a script running these requests and not someone manually typing your address.

If you want to stop these requests from appearing in your logs, the way to do it depends on the server you are running. If you are running Apache then a rewrite rule will do the trick.

# The redirect target was missing from the original post; replace http://example.com/ with your own URL
RedirectMatch (.*)/formmail\.pl(.*) http://example.com/
RedirectMatch (.*)/formmail\.cgi(.*) http://example.com/
Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change.
The leader adjusts the sails. - John Maxwell
 
Wullie, Thanks for the info. I was aware of the implications but did not understand the changing IP numbers. I guess that you are suggesting that the script spoofs an IP randomly from a known range for each iteration.

The reason that I became suspicious is that I am also getting something strange happening on an unrelated site.

Normally when someone visits the site, I immediately get five or six log entries. One for the frameset (index.php), one for each frame in the frameset, one for the external css and one for the external javascript.

However, the site is visited daily from the same IP address, but the only entry in the log is for a single GET of the index.php. Any ideas on that?

Clive
 
Hi mate,

The single request for the index.php sounds like it doesn't support frames, hence only the single request.

Do you have any monitors running on the server, checking uptime or similar? If not, can you post a few of the requests here with any details of patterns between request times etc.

Hope this helps

Wullie

 
Here are 4 days' worth of requests:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Dates: 2003-08-08 - 2003-08-11
#Fields: date time c-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)

2003-08-08 17:36:44 64.156.198.76 - 80 GET /index.php - 200 2163 113 171 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312462) - -

2003-08-09 17:24:16 64.156.198.76 - 80 GET /index.php - 200 2163 113 188 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312468) - -

2003-08-10 17:05:31 64.156.198.76 - 80 GET /index.php - 200 2163 113 266 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312463) - -

2003-08-11 16:51:32 64.156.198.76 - 80 GET /index.php - 200 2163 113 1156 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312465) - -


Clive
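Added example (not code from the thread): a small checker for the two patterns discussed above, the formmail.pl/formmail.cgi probes that 404 because the scripts are not hosted, and a client that fetches the frameset page daily with none of the frame, CSS or JavaScript requests a real browser would issue right after it. The log sample is constructed in the IIS W3C format quoted in the post; the addresses other than the quoted 64.156.198.76 are documentation ranges, and the #Fields line is adjusted to the 15 columns the quoted entry actually has.

```python
import re
from collections import defaultdict
# Constructed sample in the IIS 5.0 W3C format quoted in the thread: the first entry is the
# quoted one, the rest are made up; the #Fields line is adjusted to the 15 columns present.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer)
2003-08-08 17:36:44 64.156.198.76 - 80 GET /index.php - 200 2163 113 171 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312462) - -
2003-08-08 18:01:02 192.0.2.10 - 80 GET /index.php - 200 2163 113 90 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2003-08-08 18:01:03 192.0.2.10 - 80 GET /top.php - 200 900 110 40 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2003-08-08 18:01:03 192.0.2.10 - 80 GET /style.css - 200 400 100 12 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2003-08-08 16:26:12 203.0.113.5 - 80 GET /cgi-bin/formmail.pl - 404 1650 98 5 - - -
2003-08-08 16:26:22 203.0.113.9 - 80 GET /cgi-bin/formmail.cgi - 404 1650 99 5 - - -
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def _seconds(row):
    h, m, s = (int(x) for x in row["time"].split(":"))
    return h * 3600 + m * 60 + s

def page_only_clients(rows, page="/index.php", window=10):
    """Per client IP, count hits on the frameset page with no other request from that IP within
    `window` seconds: a browser fetches frames, CSS and JS right away; a monitor fetches only the page."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["c-ip"]].append(r)
    flagged = defaultdict(int)
    for ip, hits in by_ip.items():
        for hit in hits:
            if hit["cs-uri-stem"] != page:
                continue
            t = _seconds(hit)
            if not any(h is not hit and h["date"] == hit["date"]
                       and 0 <= _seconds(h) - t <= window for h in hits):
                flagged[ip] += 1
    return dict(flagged)

PROBE = re.compile(r"/formmail\.(pl|cgi)$", re.IGNORECASE)
def formmail_probes(rows):
    """404'd requests for the formmail scripts: scanner noise if you do not host them."""
    return [(r["time"], r["c-ip"], r["cs-uri-stem"]) for r in rows
            if PROBE.search(r["cs-uri-stem"]) and r["sc-status"] == "404"]
```

Run it over a real IIS log by reading the file into `parse_w3c`; a client that shows up in `page_only_clients` every day at about the same hour is behaving like a link checker or uptime monitor rather than a visitor.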
 
Hi mate,

Here are some more details:


You will need to copy and paste the URL, TT was messing it up.

Hope this helps

Wullie

 
Hi Mate,

They seem to do a check to see if there is a referrer.

Take the URL above and paste it into Google, click search and the link to this page should appear. Exact same URL, but they seem to accept the connection if you arrive through Google.

Hope this helps

Wullie

 
Hi mate,

That other thread is linked to from the one I gave above, I've just been reading it.

The comment that it might be stumbleupon.com sounds like a possibility.

Hope this helps

Wullie

 
You wrote:

"The comment that it might be stumbleupon.com sounds like a possibility."

Not sure what you mean by this.

Thanks


Clive
 
Hi mate,

In the thread that you posted the link to above, Wilderness posted the following:

These two consecutive visits were seconds apart:

63.249.27.138 - - [06/Jul/2002:14:38:07 -0700] "HEAD / HTTP/1.1" 200 0 " "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

64.156.198.75 - - [06/Jul/2002:14:39:10 -0700] "GET / HTTP/1.1" 200 14146 "-" "Mozilla/5.0 (x11; Linux i686; en-US; rv:1.0rc5; OBJR)"
64.156.198.75 - - [06/Jul/2002:14:39:10 -0700] "GET /PARTICULAR.htm HTTP/1.1" 200 16504 "-" "Mozilla/5.0 (x11; Linux i686; en-US; rv:1.0rc5; OBJR)"


Notice the stumbleupon.com part.

Then the next post in that thread was from user mbauser2 saying:

I spent a few hours figuring out Stumbleupon last month. It's a random-surfing service: install toolbar, pick topics of interest, hit the button, and it sends you to a random site from one of those topics. Available for IE and Mozilla.
Your page has apparently been added to the site pool Stumbleupon uses. The HEAD request is link checking (done semi-regularly by a spider, and every time the toolbar sends a user to your site). I nagged Stumbleupon's owner about it sending too many HEAD requests, and it looks like he's reined it in. I get about 5 pageviews a month through Stumbleupon.

As for the Mozilla agent, I'm with EliteWeb in thinking it's just another browser, i.e., "Mozilla for x11 (an Un*x windowing system) running under Linux, i686 processor, U.S.-language Release Candidate 5 of Version 1.0". I don't know what the OBJR is for, but it probably identifies a plugin or programming library.


Hope this helps

Wullie

 
Wullie, I see. I guess you were referring to:
which was a link from forum11/1685.htm.

I don't think that this stumbleupon thing has anything to do with this. IP address 64.156.198.76 (who have been visiting me daily since 8/8/2003) maps back to who appear to be engaged in electronic surveillance of my site.

Clive
 