[Wolves] whats this?

David Goodwin dg at clocksoft.com
Wed Oct 19 08:33:33 BST 2005


>   10 mod_proxy connection attempts (0.00 MB),

^^ people hoping that your Apache is set up badly, and allowing you to 
proxy (hide) their connections to other people.

>  Attempts to use 1 known hacks were logged 8 time(s)
>    \\x90\\x90\\x90\\x90   by 
>            82.37.228.35 2 time(s) 
>            82.37.79.29 2 time(s) 
>            82.37.226.46 2 time(s) 
>            82.37.193.73 2 time(s) 


Ah, another blueyonder user :) you'll get used to these hacking 
attempts.....


>  Connection attempts using mod_proxy:
>     157.158.2.161 -> 217.17.33.10:6667 : 4 Time(s)
>     194.109.21.230 -> 194.109.153.2:6667 : 2 Time(s)
>     82.96.96.3 -> 82.96.96.3:802 : 4 Time(s)

The destination port of the proxy attempt is 6667, which is normally 
used for IRC.

Some of these attempts may just be IRC servers (e.g. freenode) scanning 
your PC for an open proxy (if there is an open proxy then there's a good 
chance that your box is compromised and trying to join a bot-net, hence 
freenode's desire to stop such hosts from connecting).

[dg at henry:~]$ telnet 194.109.153.2 6667
Trying 194.109.153.2...
Connected to 194.109.153.2.
Escape character is '^]'.
Proxy Check
Connection closed by foreign host.

[dg at henry:~]$ telnet 82.96.96.3 802
Trying 82.96.96.3...
Connected to 82.96.96.3.
Escape character is '^]'.
L9G90WDS0ZY2JMMPU1C7EP0XJ205A5CTI1TLJ6S8R77EL20DAKQPSEE728WV2ZD44AY3GC4JL0W69AYY
Connection closed by foreign host.

^^ not sure what the last one is telling me... but the previous one was 
quite obvious.

>  A total of 2 ROBOTS were logged 
>        Mozilla/5.0 (compatible; Googlebot/2.1; 
> +http://www.google.com/bot.html) 4 time(s) 
>        Googlebot/2.1 (+http://www.google.com/bot.html) 2 time(s) 

See http://www.google.com/bot.html (surprisingly)


> Should I worry about this? Are the bots just the search engines? And what's the 
> 1 known hacks logged 8 times?

It means the same hack was tried 8 times.... whether it was successful 
or not depends on your setup.



David.


-- 
David Goodwin
w: http://www.clocksoft.co.uk
e: david.goodwin at clocksoft.com
t: 0121 313 3850
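
An added example, not part of the original post: a small Python check that pulls the same two signals out of an Apache access log (proxy attempts and runs of escaped \x90 bytes) and also records the response status, since whether an attempt got anywhere depends on the setup. It assumes the combined log format; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Apache combined-log style; addresses are documentation ranges.
# Apache writes non-printable request bytes as \xNN escapes, hence the raw string.
SAMPLE_LOG = r'''
192.0.2.10 - - [19/Oct/2005:03:12:01 +0100] "CONNECT 198.51.100.7:6667 HTTP/1.0" 405 312 "-" "-"
192.0.2.10 - - [19/Oct/2005:03:12:02 +0100] "CONNECT 198.51.100.7:6667 HTTP/1.0" 405 312 "-" "-"
192.0.2.44 - - [19/Oct/2005:04:01:40 +0100] "GET http://203.0.113.9:802/ HTTP/1.1" 200 290 "-" "-"
203.0.113.80 - - [19/Oct/2005:05:30:11 +0100] "GET /\x90\x90\x90\x90\x90\x90 HTTP/1.0" 414 340 "-" "-"
192.0.2.99 - - [19/Oct/2005:06:00:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ABS_URI = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:]+)(?::(\d+))?', re.I)
NOP_RUN = re.compile(r'(?:\\x90){4,}')   # four or more escaped 0x90 bytes in a row

def classify(line):
    # Returns (kind, source, destination, status) for a suspicious line, else None.
    m = LINE.match(line)
    if not m:
        return None
    src, method, target, status = m.group(1), m.group(2).upper(), m.group(3), int(m.group(4))
    if method == "CONNECT":                      # CONNECT host:port
        return ("proxy", src, target, status)
    uri = ABS_URI.match(target)                  # GET http://host[:port]/...
    if uri:
        return ("proxy", src, f"{uri.group(1)}:{uri.group(2) or 80}", status)
    if NOP_RUN.search(target):
        return ("nop-run", src, None, status)
    return None

def summarise(log_text):
    proxy, nop_run, review = Counter(), Counter(), set()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, src, dest, status = hit
        if kind == "proxy":
            proxy[(src, dest)] += 1
            # 2xx only means "go and check": Apache may have served its own local page.
            if 200 <= status < 300:
                review.add((src, dest))
        else:
            nop_run[src] += 1
    return proxy, nop_run, review

if __name__ == "__main__":
    print(*summarise(SAMPLE_LOG), sep="\n")
```
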


