[logs] Unknown user agent in my logs...

Mark Cohen mark at splunk.com
Sun Apr 8 23:18:48 PDT 2007


I did a quick Google search and found that those are possibly from a
Single Click Systems piece of software that auto-discovers. (HomeNet
Manager maybe)

The IP address is ppp-70-245-143-248.dsl.rcsntx.swbell.net which is
likely someone's home network.

-Mark

On Apr 8, 2007, at 9:25 PM, Clinton E. Troutman wrote:

>
> Beginning just after 18:00 this evening, my Apache access log began to show
> hits every few seconds from the same source IP.
> Other than time, all lines appear to be the same... (sample given below).
>
> Hits continued until I blocked the source IP (via iptables). My router shows
> the incoming attempts continue at the same rate (but iptables is dropping
> the packets as they reach that machine).
>
> I'm wondering if anyone has experience with the User Agent shown in these
> log entries. Google hasn't helped me at all (maybe my Google skills are
> lacking...).
>
> I suspect a hacked machine, especially since they apparently haven't noticed
> I have blocked them; but, I wonder, hacked with what???
>
> --- Begin Sample ---
> 70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:40:57 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:03 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:09 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:15 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:22 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:28 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:34 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:40 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:46 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:52 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:41:58 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:04 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:10 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:16 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:22 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> 70.245.143.248 - - [08/Apr/2007:19:42:28 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
> --- End Sample ---
>
> Thanks in advance,
> -- 
> Clinton E. Troutman
> Independent Computer Consultant for Home,
>   Home Office, and Small Business in Fort Worth, Texas

Mark Cohen
mark at splunk.com
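
Added example, not part of the original thread or either poster's code: the pattern described above (one source IP, one User-Agent, hits at a near-constant interval) can be picked out of an Apache combined-format log by measuring the spread of the gaps between requests. The function name, the thresholds and the three `192.0.2.10` contrast lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_periodic_clients(lines, min_hits=5, max_jitter=1.0):
    """Return {(ip, user_agent): (hits, mean_gap_s, jitter_s)} for clients
    whose requests arrive at a near-constant interval (machine-like polling)."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format entry
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["ip"], m["ua"])].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few hits to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)  # spread of the gaps, in seconds
        if jitter <= max_jitter:
            flagged[key] = (len(stamps), round(mean(gaps), 2), round(jitter, 2))
    return flagged

# First six lines are from the sample quoted in the thread; the 192.0.2.10
# lines are constructed here as an irregular, browser-like contrast.
SAMPLE = '''\
70.245.143.248 - - [08/Apr/2007:19:40:21 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:27 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:33 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:39 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:45 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
70.245.143.248 - - [08/Apr/2007:19:40:51 -0500] "GET / HTTP/1.1" 206 5293 "-" "EZI_HTTP_NETDEV_DISCOVER"
192.0.2.10 - - [08/Apr/2007:19:40:25 -0500] "GET /index.html HTTP/1.1" 200 5293 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [08/Apr/2007:19:41:50 -0500] "GET /index.html HTTP/1.1" 200 5293 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [08/Apr/2007:19:47:02 -0500] "GET /index.html HTTP/1.1" 200 5293 "-" "Mozilla/5.0 (constructed)"
'''.splitlines()

if __name__ == "__main__":
    for (ip, ua), (hits, gap, jitter) in find_periodic_clients(SAMPLE).items():
        print(f"{ip} {ua!r}: {hits} hits, every {gap}s (jitter {jitter}s)")
```

Grouping on the (IP, User-Agent) pair keeps a shared NAT address with mixed traffic from masking a single polling client behind it.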


