strange web traffic

From: Pall Thayer (pallat_private)
Date: Tue Aug 26 2003 - 02:48:28 PDT


    For the past week and a half or so, I've been noticing several strange
    entries in my webserver access log. Although they appear harmless, the
    volume of the requests worries me a bit. Here's what they look like:
    
    218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-"
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-"
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    What makes them strange is that when my server receives a request for the
    root file, it should result in five separate requests. A legitimate request
    looks like this:
    
    81.224.245.151 - - [26/Aug/2003:08:11:34 +0000] "GET / HTTP/1.1" 200 686 "-"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
    81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /interf.html HTTP/1.1"
    200 16238 "http://130.208.220.190/" "Mozilla/4.0 (compatible; MSIE 6.0;
    Windows 98; Win 9x 4.90)"
    81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /shock2.html HTTP/1.1"
    200 1647 "http://130.208.220.190/" "Mozilla/4.0 (compatible; MSIE 6.0;
    Windows 98; Win 9x 4.90)"
    81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /isjs.gif HTTP/1.1" 200
    692 "http://130.208.220.190/interf.html" "Mozilla/4.0 (compatible; MSIE 6.0;
    Windows 98; Win 9x 4.90)"
    81.224.245.151 - - [26/Aug/2003:08:11:36 +0000] "GET /isjs2.swf HTTP/1.1"
    200 11768 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
    
    The dodgy ones only appear once and another thing that makes them strange is
    that aside from the IP number, they are all identical:
    
    GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    I managed to retrieve some info on one of the machines and found out that it
    was running Windows 2000, not 98.
    
    Anyone have any info on this?
    
    
    
    Pall Thayer
    artist/teacher
    Fjolbrautaskolinn vid Armula
    http://www.this.is/pallit
    http://www.this.is/pallit/isjs
    http://www.this.is/pallit/harmony
    http://130.208.220.190/panse
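
The pattern described in the message above (a GET / that is never followed by the page's sub-resources, repeated from many addresses with one identical User-Agent) can be checked mechanically over an access log. The following is an added example, not part of the original post; the 30-second window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the entries quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
WINDOW = timedelta(seconds=30)  # assumed time allowed for follow-up requests

# Entries from the post, with the mail-wrapped lines rejoined.
UA55 = '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"'
UA60 = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"'
SAMPLE = [
    f'218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" {UA55}',
    f'65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-" {UA55}',
    f'66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-" {UA55}',
    f'81.224.245.151 - - [26/Aug/2003:08:11:34 +0000] "GET / HTTP/1.1" 200 686 "-" {UA60}',
    f'81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /interf.html HTTP/1.1" 200 16238 "http://130.208.220.190/" {UA60}',
    f'81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /shock2.html HTTP/1.1" 200 1647 "http://130.208.220.190/" {UA60}',
    f'81.224.245.151 - - [26/Aug/2003:08:11:35 +0000] "GET /isjs.gif HTTP/1.1" 200 692 "http://130.208.220.190/interf.html" {UA60}',
    f'81.224.245.151 - - [26/Aug/2003:08:11:36 +0000] "GET /isjs2.swf HTTP/1.1" 200 11768 "-" {UA60}',
]

def lone_root_hits(lines, window=WINDOW):
    """Return (ip, time, agent) for each GET / with no follow-up fetch from that IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in combined format
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, m["path"], m["agent"]))
    flagged = []
    for ip, hits in by_ip.items():
        for ts, path, agent in hits:
            followed = any(p != "/" and ts <= t <= ts + window for t, p, _ in hits)
            if path == "/" and not followed:
                flagged.append((ip, ts, agent))
    return sorted(flagged, key=lambda f: f[1])

def sources_per_agent(flagged):
    """Count distinct source IPs per User-Agent among the flagged requests."""
    ips = defaultdict(set)
    for ip, _, agent in flagged:
        ips[agent].add(ip)
    return {agent: len(s) for agent, s in ips.items()}

if __name__ == "__main__":
    print(sources_per_agent(lone_root_hits(SAMPLE)))
```

A single User-Agent string shared by many flagged source addresses is the signal the message points at; text-only browsers and crawlers also fetch only the root document, so the per-agent count matters more than any one hit.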
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:45:46 PDT