Tag Archives: Network

Interesting scanner

I know I’m probably the only one on this island who thinks this is interesting, but nevertheless…

It’s normal for the web server to get scanned by other “inquisitive” people/machines/bots, but this tool looks pretty interesting…  Will dig deeper into this later.

The scanners typically try to detect whether I’m running certain vulnerable versions of web apps for them to exploit.  So when the web app does not exist, guess what happens? 😉

This particular scan was interesting, because of the user agent field.  Check it out:

200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /wm//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /rms//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /mss2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /rc//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"

If anyone knows more about this particular scanner, feel free to comment and share!

Edit (19 Jul): it seems that I’ve joined the ranks of those who’ve been scanned one way or another.  Apparently it is in Romanian, meaning “All my love for the devil”.
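The log excerpt above shows the two things a defender can key on without knowing anything about the tool itself: a single source producing a burst of 404s against many distinct paths within a couple of seconds, and an odd, fixed user agent string. The following script, added here as an example and not part of the original post, parses Apache combined-log lines, groups 404s per source IP, and flags any source that requests at least five distinct missing paths inside a ten-second sliding window, reporting the user agents it used. The sample lines are constructed from the entries in the post (with straight quotes, since the blog's curly quotes are a WordPress artifact) plus one ordinary browser visitor from a documentation address that should not be flagged; the `window` and `min_404` thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the scanner's lines from the post, plus a normal visitor
# (192.0.2.10 is a documentation address, not a real client).
SAMPLE_LOG = """\
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /rc//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /mss2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [17/Jul/2010:14:52:10 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [17/Jul/2010:14:52:11 +0800] "GET /favicon.ico HTTP/1.1" 404 136 "-" "Mozilla/5.0 (constructed)"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, window=timedelta(seconds=10), min_404=5):
    """Flag sources that hit at least `min_404` distinct 404 paths within any `window`.

    Returns {ip: {"count": distinct_paths, "paths": [...], "agents": [...]}} describing
    the densest window found for each flagged source.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        # Sliding window over the time-sorted 404s of this source.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            paths = {r["path"] for r in chunk}
            if len(paths) >= min_404 and (best is None or len(paths) > best["count"]):
                best = {
                    "count": len(paths),
                    "paths": sorted(paths),
                    "agents": sorted({r["ua"] for r in chunk}),
                }
        if best:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} distinct 404 paths, agents={info['agents']}")
        for p in info["paths"]:
            print("   ", p)
```

Feed it a real access log with `find_scanners(open("access.log").read())`; a 404 burst like the one above stands out even when the user agent is mundane, while the odd user agent on its own is a useful secondary signal for correlating later scans from other addresses.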

Weird outgoing IP accesses…

Found out by accident (plenty of “accident”s happening with me recently) that one of the home computers has been connecting out to some weird Chinese IP, amongst others, all of which are blacklisted according to robtex.

Starting to get quite concerned, since there was a lot of stuff that was previously installed, like those that you “need” to install in order to view online videos.

Will start to do some verbose logging to gather more info, but this isn’t looking good so far.  This came to light because of the way the computer tried to connect to the site: apparently it tried to make too many connections at the same time, causing the router to think that there was a SYN flood attack going on lol.

Culprit #1 – 221.238.197.38 [robtex report]

Other culprits: 204.2.160.27 [rb], 61.155.137.7 [rb]