The Blog of Harald

I have a webserver at home that has two purposes:

# serve my start.html page to the various computers around the home network
# serve a Java SSH client for remote access when I am travelling

otherwise, it’s empty; there’s an index.html that redirects visitors to “www.cfrq.net”:http://www.cfrq.net/.

So in the spirit of “joy”:http://www.cleverhack.com/blog/ I offer one weeks worth of log entries:

bc. 64.210.196.197 – – [05/Oct/2003:08:00:28 -0400] “GET /robots.txt HTTP/1.0” 404 1044 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Girafabo
t; girafabot at girafa dot com; http://www.girafa.com)”
64.210.196.197 – – [05/Oct/2003:08:00:30 -0400] “GET / HTTP/1.0” 200 346 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Girafabot; girafabo
t at girafa dot com; http://www.girafa.com)”
202.62.124.246 – – [05/Oct/2003:08:57:23 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
195.199.113.93 – – [05/Oct/2003:09:11:20 -0400] “GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir” 404 1040 “-” “-”
217.235.215.221 – – [05/Oct/2003:13:26:02 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
4.65.206.189 – – [06/Oct/2003:03:52:41 -0400] “GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir” 404 1040 “-” “-”
130.39.12.96 – – [06/Oct/2003:09:36:03 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
129.16.97.149 – – [06/Oct/2003:10:07:45 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
202.63.163.46 – – [06/Oct/2003:16:26:29 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
218.103.70.82 – – [07/Oct/2003:05:04:48 -0400] “GET / HTTP/1.1” 400 298 “-” “-”
62.94.18.69 – – [07/Oct/2003:07:35:18 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
64.68.82.169 – – [07/Oct/2003:08:51:01 -0400] “GET /robots.txt HTTP/1.0” 404 1044 “-” “Googlebot/2.1 (+http://www.googlebot.com/bot.html)”
64.68.82.169 – – [07/Oct/2003:08:51:12 -0400] “GET / HTTP/1.0” 304 0 “-” “Googlebot/2.1 (+http://www.googlebot.com/bot.html)”
211.38.42.212 – – [07/Oct/2003:11:06:28 -0400] “GET / HTTP/1.1” 400 298 “-” “-”
80.50.49.231 – – [07/Oct/2003:16:09:35 -0400] “GET /sumthin HTTP/1.0” 404 1040 “-” “-”
211.233.37.239 – – [07/Oct/2003:19:40:15 -0400] “GET / HTTP/1.1” 400 298 “-” “-”
64.68.82.38 – – [08/Oct/2003:06:19:30 -0400] “GET / HTTP/1.0” 304 0 “-” “Googlebot/2.1 (+http://www.googlebot.com/bot.html)”
64.216.223.109 – – [09/Oct/2003:01:03:38 -0400] “POST http://64.216.223.109:25/ HTTP/1.1” 200 346 “-” “-”
67.97.3.89 – – [09/Oct/2003:12:21:16 -0400] “GET /sumthin HTTP/1.0” 404 1040 “-” “-”
64.68.82.167 – – [10/Oct/2003:10:43:21 -0400] “GET /robots.txt HTTP/1.0” 404 1044 “-” “Googlebot/2.1 (+http://www.googlebot.com/bot.html)”
64.68.82.167 – – [10/Oct/2003:10:43:28 -0400] “GET / HTTP/1.0” 304 0 “-” “Googlebot/2.1 (+http://www.googlebot.com/bot.html)”
206.98.253.78 – – [10/Oct/2003:20:43:37 -0400] “GET /sumthin HTTP/1.0” 404 1040 “-” “-”
213.206.74.231 – – [10/Oct/2003:23:29:19 -0400] “GET / HTTP/1.0” 200 346 “-” “-”
64.81.53.154 – – [11/Oct/2003:08:43:44 -0400] “GET /scripts/nsiislog.dll” 404 1040 “-” “-”
66.77.73.44 – – [11/Oct/2003:17:32:30 -0400] “GET /robots.txt HTTP/1.0” 404 1044 “-” “FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://fa
st.no/support/crawler.asp)”
12.247.47.7 – – [11/Oct/2003:19:11:29 -0400] “CONNECT 1.3.3.7:1337 HTTP/1.0” 405 964 “-” “-”

A little bit of search engine spider traffic, and a bunch of hack attempts. “Fascinating”, as Spock would say…

The “/sumthin fetch”:http://www.webmasterworld.com/forum11/2100.htm is apparently from a couple of trojans looking for 404 pages, because they often identify the webserver (and its weaknesses). “nsiislog.dll”:http://securityresponse.symantec.com/avcenter/security/Content/8035.html is a known buffer overflow. The POST to port 25 is a spammer looking for an open proxy, and the CONNECT 1.3.3.7:1337 is apparently a newer version of the same scanner (looking for the 405 error on the CONNECT, presumably).

As mentioned before, I run scripts that searches my logs for common hack attempts and blacklists (or RBLs) the source. Now I’ve got some new patterns to search for.

Coming on Monday: “automated comment spam blacklists”:http://www.jayallen.org/journey/2003/10/mtblacklist_monday_hell_or_high_water …