OVH Community, your new community space.

91.121.6.21 scanning for exploits


The European
06-01-2009, 13:30
If you can't / don't want to change SSH port, I recommend using fail2ban to drop connections when an attack is obvious.
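The fail2ban behaviour recommended above, reduced to its core rule, as an added example (this is not The European's code nor fail2ban's own implementation): parse sshd "Failed password" lines from auth.log, keep a sliding window of failures per source address, and decide on a ban once `maxretry` failures land inside `findtime` seconds, which is how fail2ban's default sshd jail behaves. The auth.log excerpt is constructed for the example (documentation-range addresses, invented hostnames and usernames), the year is supplied by the caller because syslog omits it, and the thresholds are assumed defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines as syslog writes them to auth.log (no year in
# the timestamp). Covers both the "invalid user" and the known-user variants.
FAILED_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$'
)


def parse_failure(line, year):
    """Return (timestamp, ip, username) for a failed-login line, or None otherwise."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_bans(lines, year, maxretry=5, findtime=600):
    """fail2ban-style rule: ban a source once it has `maxretry` failures within `findtime` seconds.

    Returns {ip: {"at": ban_time, "users": sorted usernames tried}} for every source
    that crossed the threshold. Lines are expected in chronological order, as in a log.
    """
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    users = defaultdict(set)         # ip -> usernames it has tried so far
    banned = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip, user = parsed
        users[ip].add(user)
        if ip in banned:
            continue                 # already dropped at the firewall; nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()              # slide the window forward
        if len(q) >= maxretry:
            banned[ip] = {"at": ts, "users": sorted(users[ip])}
    return banned


# Constructed sample auth.log excerpt (addresses from documentation ranges): one source
# running a username dictionary, one legitimate user who mistyped a password twice,
# and one slow source whose failures never reach maxretry inside a 600 s window.
SAMPLE_AUTH_LOG = [
    "Jan  6 13:00:00 srv sshd[2001]: Failed password for root from 203.0.113.44 port 50001 ssh2",
    "Jan  6 13:15:00 srv sshd[2002]: Failed password for root from 203.0.113.44 port 50002 ssh2",
    "Jan  6 13:30:00 srv sshd[2003]: Failed password for root from 203.0.113.44 port 50003 ssh2",
    "Jan  6 13:30:01 srv sshd[2010]: Failed password for invalid user student from 198.51.100.7 port 40122 ssh2",
    "Jan  6 13:30:04 srv sshd[2011]: Failed password for invalid user library from 198.51.100.7 port 40123 ssh2",
    "Jan  6 13:30:07 srv sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2",
    "Jan  6 13:30:10 srv sshd[2013]: Failed password for invalid user faculty from 198.51.100.7 port 40125 ssh2",
    "Jan  6 13:30:13 srv sshd[2014]: Failed password for root from 198.51.100.7 port 40126 ssh2",
    "Jan  6 13:30:16 srv sshd[2015]: Failed password for invalid user test from 198.51.100.7 port 40127 ssh2",
    "Jan  6 13:31:00 srv sshd[2020]: Failed password for alice from 192.0.2.10 port 51000 ssh2",
    "Jan  6 13:31:20 srv sshd[2021]: Failed password for alice from 192.0.2.10 port 51001 ssh2",
    "Jan  6 13:31:25 srv sshd[2021]: Accepted password for alice from 192.0.2.10 port 51001 ssh2",
    "Jan  6 13:45:00 srv sshd[2004]: Failed password for root from 203.0.113.44 port 50004 ssh2",
    "Jan  6 14:00:00 srv sshd[2005]: Failed password for root from 203.0.113.44 port 50005 ssh2",
]

if __name__ == "__main__":
    for ip, info in find_bans(SAMPLE_AUTH_LOG, year=2009).items():
        print(f"ban {ip} at {info['at']:%H:%M:%S}; usernames tried: {', '.join(info['users'])}")
```

With the defaults, only the dictionary source is banned (at its fifth failure), the mistyping user is left alone, and the slow source stays under the threshold because its failures are fifteen minutes apart; widening `findtime` to an hour catches the slow source too, which is the trade-off between `findtime` and `maxretry` that any such rule has to make.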

unclebob
05-01-2009, 19:48
I've changed my ssh port number to try and prevent some of the automated attacks (Mainly to save a bit of disk space in /var/log/ !)

gregoryfenton
05-01-2009, 17:14
I have unblocked the IP, I will let you know if I see anything.

BELLonline
04-01-2009, 20:36
Hi,

That server belongs to a client of mine, they must have picked up a virus somewhere. They were using Windows before but have now changed to Linux.

If you are still getting scanned by that IP (very unlikely) then please feel free to PM me.

DigitalDaz
04-01-2009, 17:34
Had someone having a go at my ssh port the other day. By the usernames they were trying, it looked like they were using a dictionary that was targeting educational institutions. It just shows their retardedness. A simple reverse lookup would have shown that the IP was a home dsl connection!

The European
03-01-2009, 01:35
If I had just one penny (or eurocent!) for every time I've been port scanned since the early 90s......


gregoryfenton
26-12-2008, 12:39
http://isc.sans.org/diary.html?storyid=900
w00tw00t
Published: 2005-11-29,
Last Updated: 2005-11-30 05:49:00 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Following our request for help, a while ago, we received another submission of somebody finding the following in his web logs:

"GET /w00tw00t.at.ISC.SANS.DFind"

It seems that we forgot to tell our whitehat readers that the search is off. We know what's behind it. It's a web vulnerability scanner that has this fingerprint. Find and use it at your own risk. We at the Internet Storm Center distance ourselves from this tool that is labeled by at least one security company as a hacker tool.
It is not causing me any problems, but it is still a vulnerability scan (or as ISC themselves describe the software that uses that string "a hacker tool").

I am not panicking or unduly worried - I am reporting a server hosted by OVH that is breaking OVH rules on hacking other servers.

Dave
26-12-2008, 01:19
Quote Originally Posted by derchris
I don't even see a problem here.
These are webserver logfiles. If someone tries to open a file which doesn't exist, that's ok.
No matter what source it comes from.

You reported it, now it is your turn to stop the messages, by using iptables or some other software to blacklist the ip from your server.
I agree, nothing to be worried about really; it's simply saying someone tried accessing a file on your website that doesn't exist. For example, I could go to http://yoursite.com/top_secret_nucle...cess_codes.txt and because this doesn't exist (well, maybe it does?) it would generate a line in your logs like:

Code:
*MY_IP* - - [26/Dec/2008:01:20:00 +0100] "GET /top_secret_nuclear_bunker_access_codes.txt HTTP/1.1" 404 339 "-" "-"
Looking at the portion of the log file you've posted, the requests, although there are a lot of them, don't seem to be coming at any worrying pace (DoS etc).

Make a firewall rule and forget about it.

derchris
23-12-2008, 20:37
I don't even see a problem here.
These are webserver logfiles. If someone tries to open a file which doesn't exist, that's ok.
No matter what source it comes from.

You reported it, now it is your turn to stop the messages, by using iptables or some other software to blacklist the ip from your server.

gregoryfenton
23-12-2008, 20:30
Thanks but that just means I can't see the problem.

It doesn't get the underlying issue resolved.

derchris
23-12-2008, 20:01
Use iptables, done

gregoryfenton
23-12-2008, 18:28
And reported to abuse@ovh.net

gregoryfenton
23-12-2008, 17:39
More scans from this IP:
Code:
91.121.6.21 - - [21/Dec/2008:21:53:54 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:22:04:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:22:16:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:22:27:55 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:22:38:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:22:49:33 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:23:00:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:23:11:20 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:23:21:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:23:32:27 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [21/Dec/2008:23:43:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:03:51:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:00:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:08:22 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:16:44 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:25:42 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:34:10 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:42:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:50:48 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:04:59:27 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:07:44 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:16:03 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:24:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:32:48 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:40:50 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:49:13 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:05:57:34 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:06:12 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:14:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:22:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:31:11 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:39:26 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:47:57 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:06:56:26 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:04:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:13:16 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:21:51 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:29:54 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:38:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:46:34 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:07:55:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:03:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:11:46 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:20:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:28:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:37:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:45:13 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:08:53:28 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:02:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:10:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:18:53 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:27:33 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:36:40 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:45:10 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:09:54:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:03:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:12:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:21:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:30:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:39:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:48:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:10:56:45 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:05:31 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:14:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:22:52 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:31:31 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:40:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:48:58 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:11:57:34 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:06:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:15:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:23:39 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:32:32 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:41:32 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:12:51:04 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:00:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:10:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:19:52 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:28:42 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:37:50 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:47:09 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:13:56:26 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:05:40 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:15:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:24:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:33:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:42:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:50:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:14:59:53 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
91.121.6.21 - - [23/Dec/2008:15:09:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"
And more, but this forum won't let me post more than 10k characters in one post.
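A small log checker for the lines above, as an added example (not gregoryfenton's code nor anything from OVH or ISC): it parses Apache combined-format lines, picks out requests whose path carries the DFind `w00tw00t.at.ISC.SANS.DFind` fingerprint discussed in the thread, groups them by source address, and measures the spacing between hits, which is the "worrying pace" question Dave raised. The sample input reuses the first four lines of the posted log plus one constructed ordinary 404 (the mistyped-URL case from Dave's post, with a documentation-range address) to show that a 404 on its own is not a probe; the fingerprint tuple and the one-second burst threshold are assumptions to tune locally.

```python
import re
from datetime import datetime
from statistics import mean

# Apache "combined" log format, the format of the lines posted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request paths that are known scanner fingerprints. The DFind string is the one
# discussed in the thread and the ISC diary; the tuple is where others would go.
SCANNER_FINGERPRINTS = ("/w00tw00t.at.ISC.SANS.DFind",)

# Assumed threshold: probes arriving faster than this are treated as a flood
# rather than a slow, periodic scan. Tune to your own server.
BURST_GAP_SECONDS = 1.0


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_scanner_probe(entry):
    """True when the requested path starts with a known scanner fingerprint."""
    return any(entry["path"].startswith(fp) for fp in SCANNER_FINGERPRINTS)


def summarise_probes(lines):
    """Group fingerprint hits by source IP and measure the spacing between them."""
    stamps_by_ip = {}
    for line in lines:
        entry = parse_line(line)
        if entry and is_scanner_probe(entry):
            stamps_by_ip.setdefault(entry["ip"], []).append(entry["ts"])

    report = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None
        report[ip] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "min_gap_s": min_gap,
            "mean_gap_s": mean(gaps) if gaps else None,
            # A scanner hitting every ten minutes is noise to firewall and report;
            # sub-second spacing would be the DoS-style pace the thread asks about.
            "verdict": "burst" if min_gap is not None and min_gap < BURST_GAP_SECONDS
                       else "slow periodic probe",
        }
    return report


# Sample input: the first four lines from the thread's log dump, plus one constructed
# ordinary 404 (a user mistyping a URL) to show that not every 404 is a probe.
SAMPLE_LOG = [
    '91.121.6.21 - - [21/Dec/2008:21:53:54 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"',
    '91.121.6.21 - - [21/Dec/2008:22:04:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"',
    '91.121.6.21 - - [21/Dec/2008:22:16:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"',
    '91.121.6.21 - - [21/Dec/2008:22:27:55 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 339 "-" "-"',
    '203.0.113.9 - - [22/Dec/2008:09:12:40 +0100] "GET /top_secret_nuclear_bunker_access_codes.txt HTTP/1.1" 404 339 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, r in summarise_probes(SAMPLE_LOG).items():
        mean_s = f"{r['mean_gap_s']:.0f}s" if r["mean_gap_s"] is not None else "n/a"
        print(f"{ip}: {r['count']} probes, {r['first']} .. {r['last']}, "
              f"min gap {r['min_gap_s']}s, mean gap {mean_s} -> {r['verdict']}")
```

Run against the posted lines this reports one source, four probes, roughly eleven minutes apart, so "slow periodic probe": enough to justify a firewall rule and an abuse report, nothing that threatens the server's availability. The per-IP summary (first seen, last seen, count) is also the shape of evidence an abuse desk wants, rather than hundreds of raw log lines.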

gregoryfenton
22-12-2008, 11:19
Doing it this way allows other server owners to check their logs for scan attempts, and hopefully makes others less likely to instigate scans knowing that they will be reported in public.

Winit
22-12-2008, 05:20
abuse@ovh.net

gregoryfenton
21-12-2008, 21:11
91.121.6.21 - - [21/Dec/2008:21:53:54 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 404 339 "-" "-"

This is a known scan string from a vulnerability scanner "DFind".