Security Basics mailing list archives

Re: Unknown user agent in my logs...


From: "Anshuman G" <anshu.pg () gmail com>
Date: Tue, 10 Apr 2007 02:59:05 +0530

I would like to add:

http://www.dshield.org/ipinfo.html?ip=70.245.143.248 , looks like a zombified
PC at ATT.

On 4/10/07, Anshuman G <anshu.pg () gmail com> wrote:
Humm..

My Google skills are better, it seems :).

Check >> http://www.linuxquestions.org/questions/showthread.php?p=2637338#post2637338

On 4/9/07, Clinton E. Troutman <cetro.consulting () sbcglobal net> wrote:
>
> Beginning just after 18:00 this evening, my Apache access log began to show
> hits every few seconds from the same source IP.
> Other than time, all lines appear to be the same... (sample given below).
>
> Hits continued until I blocked the source IP (via iptables). My router shows
> the incoming attempts continue at the same rate (but iptables is dropping
> the packets as they reach that machine).
>
> I'm wondering if anyone has experience with the User Agent shown in these
> log entries. Google hasn't helped me at all (maybe my Google skills are
> lacking...).
>
> I suspect a hacked machine, especially since they apparently haven't noticed
> I have blocked them; but, I wonder, hacked with what???
>
> --- Begin Sample ---
> 70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:57 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:03 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:09 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:15 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:22 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:28 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:34 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:40 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:46 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:52 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:58 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:04 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:10 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:16 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:22 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:28 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> --- End Sample ---
>
> Thanks in advance,
> --
> Clinton E. Troutman
> CeTro
> Independent Computer Consultant for Home,
>   Home Office, and Small Business in Fort Worth, Texas
> http://cetro.dnsalias.org/
>
>
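As an added illustration (not part of the thread), the following Python checker parses Apache combined-format lines like the ones quoted above, groups them by client IP and User-Agent, and flags sources that repeat one identical request at a steady, machine-like interval; the thresholds, the 192.0.2.10 address and the "Mozilla/5.0" lines are constructed assumptions, not values from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format, the layout of the sample quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_repeaters(lines, min_hits=5, max_mean_gap=10.0):
    """Group hits by (client IP, User-Agent) and flag groups repeating one identical
    request at a steady cadence. Thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["ip"], rec["ua"])].append(rec)
    findings = []
    for (ip, ua), recs in groups.items():
        # Too few hits, or a mix of different requests: looks like a normal client.
        if len(recs) < min_hits or len({r["req"] for r in recs}) != 1:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap:
            findings.append({"ip": ip, "ua": ua, "hits": len(recs),
                             "mean_gap_s": round(mean_gap, 1),
                             "statuses": sorted({r["status"] for r in recs})})
    return findings

# Sample input: five lines from the post's sample plus two constructed benign lines.
SAMPLE = [
    f'70.245.143.248 - - [08/Apr/2007:19:40:{s:02d} -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"'
    for s in (21, 27, 33, 39, 45)
] + [
    '192.0.2.10 - - [08/Apr/2007:19:40:30 -0500] "GET /index.html HTTP/1.1" 200 5293 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Apr/2007:19:41:10 -0500] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
```

Calling find_repeaters(SAMPLE) returns a single finding for the 70.245.143.248 / EZI_HTTP_NETDEV_DISCOVER group (5 hits, mean gap 6.0 s, only 206 responses), while the two-hit Mozilla client is left alone.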