
Hacker Ring getting to Datacenter Servers before clients get them


TheHeartSmasher
18 Sep 2007, 05:25pm
I have noticed that there is some sort of ring, subdomainname.pornsitenamering.com, in the access logs of servers before clients even have a chance to touch them, from multiple datacenters, ISPs, etc.

I'll post the access logs when I get home. I was wondering if any of you guys had any information on these sites and what they put on your system. :confused:

kryyst
18 Sep 2007, 07:03pm
Any time I've seen those logs they've been the result of web crawlers looking for places to put up spam ads.

TheHeartSmasher
18 Sep 2007, 08:38pm
Here is an access log.

84.160.203.231 - - [23/Aug/2007:16:43:41 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 4.01; Windows NT5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:16:44:56 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 4.0; Windows 95; FREEI v2.53 )"
84.160.203.231 - - [23/Aug/2007:16:46:56 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; MSIE 5.0; Windows 98; NetCaptor )"
84.160.203.231 - - [23/Aug/2007:16:48:12 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [de]; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:16:49:42 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
84.160.203.231 - - [23/Aug/2007:16:50:57 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [jp]; Windows NT4.0; DigiExt )"
116.76.130.228 - - [23/Aug/2007:16:51:55 -0500] "GET http://hacker.org.ru/prxjdg.php HTTP/1.1" 404 287 "http://hacker.org.ru/prxjdg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.160.203.231 - - [23/Aug/2007:16:52:56 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; [en]; Windows 98; athome020 )"
84.160.203.231 - - [23/Aug/2007:16:54:11 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 5.0; Windows 98; athome020 )"
84.160.203.231 - - [23/Aug/2007:16:55:37 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 4.0; Windows 95; TWRAITH )"
84.160.203.231 - - [23/Aug/2007:16:56:52 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [de]; Windows NT4.0; DigiExt )"
64.56.65.150 - - [23/Aug/2007:16:57:01 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:16:58:46 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [en]; Windows NT5.0; athome020 )"
84.160.203.231 - - [23/Aug/2007:17:00:20 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [jp]; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:01:48 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:03:03 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; MSIE 4.0; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:05:02 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [fr]; Windows NT5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:06:17 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.7 ( compatible; MSIE 5.0; Windows NT5.0; athome0107 )"
84.160.203.231 - - [23/Aug/2007:17:07:46 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 4.01; Windows NT4.0; FREEI v2.53 )"
84.160.203.231 - - [23/Aug/2007:17:09:01 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [en]; Windows NT5.0; Compaq )"
84.160.203.231 - - [23/Aug/2007:17:11:03 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
64.56.65.150 - - [23/Aug/2007:17:11:57 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:17:12:18 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; MSIE 5.01; AOL 5.0; win9x/NT 4.90 )"
84.160.203.231 - - [23/Aug/2007:17:13:44 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 4.0; Windows 95; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:14:59 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [jp]; Windows 98; athome020 )"
84.160.203.231 - - [23/Aug/2007:17:16:46 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [jp]; Windows 95; win9x/NT 4.90 )"
84.160.203.231 - - [23/Aug/2007:17:18:02 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 4.0; Windows 98; win9x/NT 4.90 )"
84.160.203.231 - - [23/Aug/2007:17:19:28 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 4.0; Windows NT5.0; MSNIA )"
84.160.203.231 - - [23/Aug/2007:17:20:43 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [jp]; Windows NT5.0; MSNIA )"
84.160.203.231 - - [23/Aug/2007:17:22:40 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:23:55 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [jp]; AOL 5.0; FREEI v2.53 )"
84.160.203.231 - - [23/Aug/2007:17:25:22 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [dk]; Windows NT4.0; NetCaptor )"
84.160.203.231 - - [23/Aug/2007:17:26:37 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.7 ( compatible; [jp]; Windows 95; DigiExt )"
64.56.65.150 - - [23/Aug/2007:17:26:53 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:17:28:25 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; MSIE 4.0; AOL 5.0; athome020 )"
84.160.203.231 - - [23/Aug/2007:17:29:40 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [jp]; Windows 98; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:31:08 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 5.5; Windows NT4.0; NetCaptor )"
84.160.203.231 - - [23/Aug/2007:17:32:23 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [dk]; AOL 5.0; Compaq )"
84.160.203.231 - - [23/Aug/2007:17:34:22 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; MSIE 4.01; Windows NT5.0; ezn IE )"
84.160.203.231 - - [23/Aug/2007:17:35:50 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; MSIE 4.0; Windows 95; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:37:20 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.7 ( compatible; MSIE 5.5; AOL 5.0; MSNIA )"
84.160.203.231 - - [23/Aug/2007:17:38:38 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; [de]; Windows NT4.0; Compaq )"
84.160.203.231 - - [23/Aug/2007:17:40:37 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [jp]; Windows 95; Compaq )"
84.160.203.231 - - [23/Aug/2007:17:41:52 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.7 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
64.56.65.150 - - [23/Aug/2007:17:41:54 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:17:43:17 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [fr]; Windows 98; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:44:33 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [jp]; Windows NT5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:46:33 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; [de]; Windows NT5.0; NetCaptor )"
84.160.203.231 - - [23/Aug/2007:17:47:46 -0500] "HEAD http://www.bleuproductionsonline.com/members/index.htm HTTP/1.0" 404 - "http://www.bleuproductionsonline.com/members/index.htm" "Mozilla/3.01 ( compatible; MSIE 5.0; AOL 5.0; athome020 )"
84.160.203.231 - - [23/Aug/2007:17:47:48 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; [en]; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:49:16 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; MSIE 4.0; Windows NT4.0; Compaq )"
84.160.203.231 - - [23/Aug/2007:17:50:31 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [dk]; Windows 95; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:52:19 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [en]; Windows NT5.0; DigiExt )"
123.8.255.224 - - [23/Aug/2007:17:52:21 -0500] "GET http://hacker.org.ru/prxjdg.php HTTP/1.1" 404 287 "http://hacker.org.ru/prxjdg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.160.203.231 - - [23/Aug/2007:17:53:37 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [jp]; Windows NT4.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:17:55:04 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [fr]; Windows NT4.0; FREEI v2.53 )"
84.160.203.231 - - [23/Aug/2007:17:56:19 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [de]; AOL 5.0; Compaq )"
64.56.65.150 - - [23/Aug/2007:17:56:50 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:17:58:09 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 5.0; Windows NT5.0; win9x/NT 4.90 )"
84.160.203.231 - - [23/Aug/2007:17:59:24 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.6 ( compatible; [de]; Windows NT4.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:00:51 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [dk]; Windows NT4.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:02:06 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 5.0; Windows NT4.0; MSNIA )"
84.160.203.231 - - [23/Aug/2007:18:03:57 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 4.0; Windows NT5.0; FREEI v2.53 )"
84.160.203.231 - - [23/Aug/2007:18:05:12 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; [de]; Windows NT5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:06:44 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 5.5; Windows 95; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:07:59 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:09:52 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:11:07 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [jp]; Windows 98; DigiExt )"
222.216.28.140 - - [23/Aug/2007:18:11:10 -0500] "GET http://www.proxygrade.com/proxygrade.php?hash=C59C2E3FD31372BADD1004781F90050A953698723D3E HTTP/1.1" 404 296 "http://www.proxygrade.com/proxygrade.php?hash=C59C2E3FD31372BADD1004781F90050A953698723D3E" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.56.65.150 - - [23/Aug/2007:18:11:55 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"
84.160.203.231 - - [23/Aug/2007:18:12:33 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; [fr]; Windows 95; DigiExt )"
84.160.203.231 - - [23/Aug/2007:18:13:48 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/3.01 ( compatible; MSIE 4.01; AOL 5.0; Compaq )"
84.160.203.231 - - [23/Aug/2007:18:15:35 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; [fr]; Windows 98; DigiExt )"

Appears to be a legitimate person trying to upload stuff to servers. I have seen stuff like this from ThePlanet, ServerBeach, Layered Tech, Hypernia, etc., the whole nine yards.

This is with nothing on them: a fresh install of RH or CentOS, or even Windows Server with WHM, etc.

Kwitko
18 Sep 2007, 09:03pm
Looks like someone trying to test your servers for open proxies.

primesuspect
18 Sep 2007, 09:06pm
they're just scanning for vulnerabilities and ****ty php scripts

kryyst
19 Sep 2007, 01:23pm
Looks like a bot probing to see what's running on that machine. Notice it's checking language and browser compatibility to see what sticks.

Fortunately it's all from one IP. Block it, and I'd suggest blocking it not at 84.160.203.231 but 84.160
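As an added example (not code from the thread or from any of the posters), the script below runs the check Kwitko and kryyst describe over Apache combined-format log lines. The tell in the posted log is the request line itself: a browser talking to a web server asks for a relative path ("GET /index.php"), while a client that believes the server is a forward proxy sends the full URL ("HEAD http://www.slave-angelica.com/members/index.php"). The second tell is the target: prxjdg.php, proxy/test.php and proxygrade.php are "proxy judge" scripts that report back whether the request was relayed. The script classifies each line, groups hits by source IP (showing the rotating User-Agent strings kryyst noticed), and builds a block list widened to whatever prefix you choose, /16 being what kryyst suggests. The first six sample lines are copied from the posted log; the last is a constructed ordinary request for comparison. All function names and the PROXY_JUDGE_PATHS list are my own choices.

```python
"""Flag open-proxy probes in an Apache combined-format access log (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_network
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "method target proto" status bytes "referer" "user-agent"
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths of the proxy-checker scripts that appear in the posted log (assumption:
# extend this list with whatever your own logs show).
PROXY_JUDGE_PATHS = ("/prxjdg.php", "/proxy/test.php", "/proxygrade.php")

# Sample input: six lines copied from the thread's log, plus one constructed
# ordinary request from a documentation address (198.51.100.7) as a control.
SAMPLE = [
    '84.160.203.231 - - [23/Aug/2007:16:43:41 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.0 ( compatible; MSIE 4.01; Windows NT5.0; DigiExt )"',
    '84.160.203.231 - - [23/Aug/2007:16:44:56 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.73 ( compatible; MSIE 4.0; Windows 95; FREEI v2.53 )"',
    '84.160.203.231 - - [23/Aug/2007:16:46:56 -0500] "HEAD http://www.slave-angelica.com/members/index.php HTTP/1.0" 404 - "http://www.slave-angelica.com/members/index.php" "Mozilla/4.72 ( compatible; MSIE 5.0; Windows 98; NetCaptor )"',
    '116.76.130.228 - - [23/Aug/2007:16:51:55 -0500] "GET http://hacker.org.ru/prxjdg.php HTTP/1.1" 404 287 "http://hacker.org.ru/prxjdg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '64.56.65.150 - - [23/Aug/2007:16:57:01 -0500] "POST http://64.56.65.150/proxy/test.php HTTP/1.1" 404 290 "-" "-"',
    '222.216.28.140 - - [23/Aug/2007:18:11:10 -0500] "GET http://www.proxygrade.com/proxygrade.php?hash=C59C2E3FD31372BADD1004781F90050A953698723D3E HTTP/1.1" 404 296 "http://www.proxygrade.com/proxygrade.php?hash=C59C2E3FD31372BADD1004781F90050A953698723D3E" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [23/Aug/2007:17:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """'proxy-judge', 'proxy-style' or 'direct' for one parsed record."""
    target = rec["target"]
    if target.lower().startswith(("http://", "https://")):
        # Absolute URI in the request line: the client wanted us to relay it.
        if urlsplit(target).path in PROXY_JUDGE_PATHS:
            return "proxy-judge"
        return "proxy-style"
    return "direct"


def summarize(lines):
    """Per source IP of proxy-style traffic: hit count, distinct UAs, request classes."""
    out = defaultdict(lambda: {"hits": 0, "agents": set(), "kinds": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "direct":
            continue  # ordinary traffic is not reported
        s = out[rec["ip"]]
        s["hits"] += 1
        s["agents"].add(rec["ua"])
        s["kinds"].add(kind)
    return dict(out)


def block_list(summary, min_hits=1, prefix=32):
    """CIDR strings to block, each source widened to /prefix (e.g. 16 per kryyst)."""
    nets = {ip_network(f"{ip}/{prefix}", strict=False)
            for ip, s in summary.items() if s["hits"] >= min_hits}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} hits={s['hits']:3} agents={len(s['agents']):2} {sorted(s['kinds'])}")
    print("block /16:", block_list(summary, prefix=16))
```

Two things worth checking before you reach for a block rule. Every probe in the posted log got a 404, which means the server refused to act as a proxy; a 200 with a relayed body would be the actual problem, so confirm ProxyRequests is Off in any Apache instance that loads mod_proxy. And widening 84.160.203.231 to 84.160.0.0/16 drops 65,536 addresses, so run the summary with min_hits raised before deciding how wide to cut.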