Security Incidents mailing list archives

Got 'em. (was "Re: gw.ocg-corp.com")

From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 13 May 2002 15:43:46 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 13 May 2002, Chip McClure wrote:

I don't have any luck finding out any info on ocg-corp.com either. :(
I've got a few of the hits in my webserver logs, the same as you. My
guess, someone's spoofing the reverse dns on it. Kinda sounds like
someone is doing some very hard spidering on your site.


        My experiment paid off.  I figured the spider would goof at some
point and cough up the IP address and I was happy to find this was true.

        Here's what I have on this spider.  First, I did a search through
my Apache logs looking for all instances of 'gw.ocg-corp.com' in hopes
that there was a 404 (not found) happening somewhere in its spidering.
Sure enough, I found this:

gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () 
unspecified mail)"

        Keep in mind that though one's Apache configuration may be set to
resolve IP addresses to domain names, Apache nonetheless logs only the IP
address in its error logs.  Thus, I correlated the above 404 with my
9-11justice_org-error.log and found the following:

[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt

        From there, it was all over but the shouting...

$ nslookup 209.126.176.3
Server:  localhost
Address:  127.0.0.1

Name:    gw.ocg-corp.com
Address:  209.126.176.3

        And there we have the culprit.  Who wants to throw the clue mallet
at 'em?  ;)

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- They know the rules.  We know the loopholes. --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE84EGlGI2IHblM+8ERAsOwAJ957j3aZmxSDBuSCRHdCbNO1fbnGwCeNjzW
0WESOagKbcrWJtJpsJUwKBI=
=olsE
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

gw.ocg-corp.com netscience (May 13)
- Re: gw.ocg-corp.com Chip McClure (May 13)
  - Got 'em. (was "Re: gw.ocg-corp.com") Jay D. Dyson (May 13)
    - Re: Got 'em. (was "Re: gw.ocg-corp.com") Chip McClure (May 13)
    - Re: Got 'em. (was "Re: gw.ocg-corp.com") Hugo van der Kooij (May 13)
- Re: gw.ocg-corp.com Jordan K Wiens (May 13)
- Re: gw.ocg-corp.com Christian Vogel (May 13)
- Re: gw.ocg-corp.com Will Aoki (May 13)