ToothyWikiInternals/AttackAttempts


This, when I feel like it, will be updated with IP addresses of machines doing various sorts of scans on the webserver.
This will mostly be useless, since a lot of them are dynamic; it might be interesting, though.




Unregulated robot at 65.94.249.113 started crawling our website about 11:24am. It ignored the robots.txt file and crawled through the wiki history and search namespaces, at the rate of several dozen hits per second, effectively DOSing the wiki. Requests from that IP address are now blocked.




CodeRed-infested machines



cust-479.adsl.bestweb.net - looks static
218.158.133.21 - doesn't resolve
202.105.134.67
68.48.35.79


People looking for somewhere to forward spam through



pool-141-150-114-101.mad.east.verizon.net - bleh. Dialup pool. Can't do much with that.
Sure you can, you can block verizon.net. Along with *bt* and *aol*. You'll cut down on problems significantly then.

Other stuff



host57-142.pool80181.interbusiness.it tried to get the webserver to proxy a connection to the FTP port on 207.46.133.140. Why would someone want to do that?

To hide their tracks?  Presumably the logs on the ftp site would show access from your machine rather than the originating machine (which may well not be host57-142... but a machine using that one as a proxy, etc.) - Kazuhiko

We've been royally scanned (source IP 195.65.2.18). This is the most comprehensive scan the webserver's had yet - does anyone recognise the tool used?
(PeterTaylor) Don't recognise the tool per se, but I recognise the scan. Someone tried that on my server a while back, and they hold the record for the most aggressive scan, though not the fastest. Took them over two minutes to perform 506 requests.
Hm. The machine in question is an open proxy, as Google: "195.65.2.18" reveals. A good list of IP addresses to block there, methinks..

I'll add my (not very current) list of idiots:
--Vitenka



More idiots..
 168.95.19.27 09:59:55 "GET /cgi-bin/formmail.pl HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
 168.95.19.27 09:59:56 "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
Hm. Why is the word "TOOTHYCAT" in capitals? Where can they have picked that up from?

 218.13.88.246 12:13:34 "\x04\x01" 501 - "-"
 218.13.88.246 12:13:55 "\x05\x01\x02" 501 - "-"
WTH is that meant to be..?
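
Added example, not part of the original wiki page: a small classifier for the probe types logged above. It flags the formmail requests (open mail relay hunting), the raw bytes \x04\x01 and \x05\x01\x02 (the opening bytes of a SOCKS4 CONNECT request and a SOCKS5 greeting, i.e. open proxy hunting), and HTTP proxying attempts such as the FTP one described earlier. The rule labels, the last sample line and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Page's abbreviated log format: client, HH:MM:SS, "request line", status, ...
LINE = re.compile(r'^\s*(?P<ip>\S+) (?P<time>\d\d:\d\d:\d\d) "(?P<req>.*?)" (?P<status>\d{3})\b')

# The web server logs non-printable request bytes as literal \xNN text.
RULES = [
    # SOCKS4: version byte 0x04, command 0x01 (CONNECT)
    ("socks4-probe", re.compile(r'^\\x04\\x01')),
    # SOCKS5: version byte 0x05, then the count of offered auth methods
    ("socks5-probe", re.compile(r'^\\x05\\x[0-9a-fA-F]{2}')),
    # formmail scripts are probed as a way to relay mail
    ("formmail-probe", re.compile(r'^(?:GET|POST|HEAD) \S*/formmail\.(?:pl|cgi)\b', re.I)),
    # CONNECT host:port, or an absolute URI as the request target
    ("http-proxy-probe", re.compile(r'^(?:CONNECT \S+:\d+|[A-Z]+ [a-z][a-z0-9+.-]*://)', re.I)),
]

# First four lines are from the page; the last is a constructed benign request.
SAMPLE = r'''
168.95.19.27 09:59:55 "GET /cgi-bin/formmail.pl HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
168.95.19.27 09:59:56 "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
218.13.88.246 12:13:34 "\x04\x01" 501 - "-"
218.13.88.246 12:13:55 "\x05\x01\x02" 501 - "-"
192.0.2.10 12:14:02 "GET /index.html HTTP/1.1" 200 "-" "-"
'''

def classify(request):
    """Return the label of the first matching rule, or None for ordinary traffic."""
    for label, pattern in RULES:
        if pattern.search(request):
            return label
    return None

def scan(log_text):
    """Map each client to its list of (time, label) probe hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank or unparseable line
        label = classify(m.group("req"))
        if label:
            hits[m.group("ip")].append((m.group("time"), label))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in scan(SAMPLE).items():
        print(ip, events)
```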

Last edited September 20, 2003 12:13 pm (viewing revision 12, which is the newest) (diff)