Bitcoin Forum

Bitcoin => Project Development => Topic started by: lulzplzkthx on May 16, 2012, 02:21:57 PM



Title: Interesting Penetration Testing Logs
Post by: lulzplzkthx on May 16, 2012, 02:21:57 PM
Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast (http://www.makebitcoinsfast.com/), and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

Quote
/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?


Title: Re: Interesting Penetration Testing Logs
Post by: bearbones on May 17, 2012, 04:50:47 AM
I looked through the FeedZebirds logs, and found a single reference to said IP address. It looks like a Java-based crawler.

95.143.198.72 - - [16/May/2012:12:00:48 +0400] "GET / HTTP/1.1" 200 10678 "-" "Java/1.6.0_31"

Everything looks fine. I guess it is just some bot, looking for vulnerabilities. Wonder why it would look for some FeedZeBirds specific URLs on your site (i.e. http://www.feedzebirds.com/9bxta). Others are completely unrelated. We use no ASP whatsoever, for instance. Regardless, I suspect it found no vulnerabilities here, as everything looks in order. Such bots are not uncommon, after all.

[EDIT]
I'll add that looking through the 404s resulted in nothing unusual. A few futile attempts at finding a phpmyadmin instance and a ton of misspellings.
[/EDIT]
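
Added example, not part of any post in this thread: one way to do the log review described above, grouping combined-format access-log lines by client address and listing every client that hit many distinct nonexistent paths. The function name `summarize_404_probes`, the threshold of 5 and the sample lines (documentation-range addresses, paths and user agent borrowed from the posts) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Combined log format, as in the access-log line quoted in the post above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def summarize_404_probes(lines, min_distinct=5):
    """Return {ip: report} for clients with >= min_distinct distinct 404 paths."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        s = stats[m["ip"]]
        s["requests"] += 1
        s["agents"].add(m["agent"])
        if m["status"] == "404":
            # Ignore the query string so /x?a=1 and /x?a=2 count once.
            s["paths"].add(m["path"].split("?", 1)[0])
    return {
        ip: {"requests": s["requests"],
             "not_found": sorted(s["paths"]),
             "agents": sorted(s["agents"])}
        for ip, s in stats.items() if len(s["paths"]) >= min_distinct
    }

def make_line(ip, path, status, agent):
    return f'{ip} - - [16/May/2012:12:00:48 +0400] "GET {path} HTTP/1.1" {status} 512 "-" "{agent}"'

# Constructed sample log. Addresses are documentation ranges; the probed paths
# and the Java user agent are taken from the posts above.
PROBED = ["/click/10/index.php", "/socket.io/socket.io.js", "/misc/drupal.js",
          "/transactions.aspx", "/pages/getbitcoins.js", "/9bxta"]
SAMPLE = [make_line("203.0.113.5", "/", 200, "Java/1.6.0_31")]
SAMPLE += [make_line("203.0.113.5", p, 404, "Java/1.6.0_31") for p in PROBED]
SAMPLE += [make_line("198.51.100.20", "/", 200, "Mozilla/5.0"),
           make_line("198.51.100.20", "/contcat", 404, "Mozilla/5.0"),  # a misspelling
           "not a log line"]

if __name__ == "__main__":
    for ip, r in summarize_404_probes(SAMPLE).items():
        print(ip, r["requests"], "requests,", len(r["not_found"]), "distinct 404s", r["agents"])
        for p in r["not_found"]:
            print("   ", p)
```

A visitor with a single mistyped URL stays below the threshold, while a crawler walking a list of paths that belong to other sites is reported along with its user agent.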


Title: Re: Interesting Penetration Testing Logs
Post by: bitlotto on May 17, 2012, 04:56:24 AM
That's really weird.

Quote
I am messaging are sort of referenced in my logs... specifically the following:

Bitcoin Faucet
BitLotto
Feed Ze Birds
Bitcoin MineField
Possibly Mt. Gox and/or Intersango

Others of you that I PM'd have either experienced some attacks (DDoS or otherwise) from the IP I referenced (95.143.198.72), may be related to the URLs in this list, extra information, or better logs than I do (I can't access Apache logs evidently, just got these from Django.)

Very odd that they were looking for patterns that exist on my site. I haven't noticed anything. I'm pretty sure that a few people have looked around my site trying to find a bug or something. It would be a waste of time though. The private keys that have access to the lottery funds are kept off the server.

Always a good idea to be security aware. If you ever find anything out I'd LOVE to know!