Security Incidents mailing list archives
Got 'em. (was "Re: gw.ocg-corp.com")
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 13 May 2002 15:43:46 -0700 (PDT)
On Mon, 13 May 2002, Chip McClure wrote:

> I don't have any luck finding out any info on ocg-corp.com either. :( I've got a few of the hits in my webserver logs, the same as you. My guess, someone's spoofing the reverse DNS on it. Kinda sounds like someone is doing some very hard spidering on your site.

My experiment paid off. I figured the spider would goof at some point and cough up the IP address, and I was happy to find this was true. Here's what I have on this spider.

First, I did a search through my Apache logs looking for all instances of 'gw.ocg-corp.com' in hopes that there was a 404 (not found) happening somewhere in its spidering. Sure enough, I found this:

    gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"

Keep in mind that though one's Apache configuration may be set to resolve IP addresses to domain names, Apache nonetheless logs only the IP address in its error logs. Thus, I correlated the above 404 with my 9-11justice_org-error.log and found the following:

    [Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt

From there, it was all over but the shouting...

    $ nslookup 209.126.176.3
    Server:   localhost
    Address:  127.0.0.1

    Name:     gw.ocg-corp.com
    Address:  209.126.176.3

And there we have the culprit. Who wants to throw the clue mallet at 'em? ;)

-Jay

Jay D. Dyson -- jdyson () treachery net
"There's always time for a good cup of coffee"
"They know the rules. We know the loopholes."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
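The correlation Jay describes above, as an added Python example that is not part of the original post: a 404 in the hostname-resolving access log is matched against the error log, which records the raw client IP, by requested file and by timestamp. The log lines are constructed after the ones quoted in the post, and the two-second matching window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post (not a live log).
ACCESS_LOG = """\
gw.ocg-corp.com - - [10/May/2002:13:16:24 -0700] "GET /robots.txt HTTP/1.0" 404 4472 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
gw.ocg-corp.com - - [10/May/2002:13:16:25 -0700] "GET /index.html HTTP/1.0" 200 5120 "-" "WinampMPEG/2.00 (larbin () unspecified mail)"
"""
ERROR_LOG = """\
[Fri May 10 13:16:23 2002] [error] [client 209.126.176.3] File does not exist: /hosts/virtual/9-11justice.org/robots.txt
[Fri May 10 13:40:02 2002] [error] [client 10.0.0.7] File does not exist: /hosts/virtual/9-11justice.org/favicon.ico
"""

# Apache combined access log (HostnameLookups On, so the first field is a name).
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Apache 1.3-style error log: the client field is always the bare IP.
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<file>\S+)$')

def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Drop the zone: the error log has no offset, both are server local time.
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
    return {'host': m['host'], 'ts': ts, 'path': m['path'], 'status': int(m['status'])}

def parse_error(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
    return {'ts': ts, 'ip': m['ip'], 'file': m['file']}

def resolve_host_to_ip(hostname, access_log, error_log, window=timedelta(seconds=2)):
    """Return the client IPs whose error-log entries line up with 404s logged for hostname."""
    errors = [e for e in map(parse_error, error_log.splitlines()) if e]
    found = set()
    for a in filter(None, map(parse_access, access_log.splitlines())):
        if a['host'] != hostname or a['status'] != 404:
            continue
        for e in errors:
            # The error is written just before the access line, so it may be a second earlier.
            same_file = e['file'].endswith(a['path'])
            close = timedelta(0) <= a['ts'] - e['ts'] <= window
            if same_file and close:
                found.add(e['ip'])
    return found
```

A real log will contain many 404s from many clients, so tighten the window or add the vhost directory from the error path when the match is ambiguous.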
Current thread:
- gw.ocg-corp.com netscience (May 13)
- Re: gw.ocg-corp.com Chip McClure (May 13)
- Got 'em. (was "Re: gw.ocg-corp.com") Jay D. Dyson (May 13)
- Re: Got 'em. (was "Re: gw.ocg-corp.com") Chip McClure (May 13)
- Re: Got 'em. (was "Re: gw.ocg-corp.com") Hugo van der Kooij (May 13)
- Got 'em. (was "Re: gw.ocg-corp.com") Jay D. Dyson (May 13)
- Re: gw.ocg-corp.com Jordan K Wiens (May 13)
- Re: gw.ocg-corp.com Christian Vogel (May 13)
- Re: gw.ocg-corp.com Will Aoki (May 13)
- Re: gw.ocg-corp.com Chip McClure (May 13)