Interesting Penetration Testing Logs

[lulzplzkthx]

Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast, and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?

[1714112163]

1714112163

[1714112163]

1714112163

[1714112163]

1714112163

[bearbones]

Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast, and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?

I looked through the FeedZebirds logs, and found a single reference to said IP address. It looks like a Java-based crawler.

95.143.198.72 - - [16/May/2012:12:00:48 +0400] "GET / HTTP/1.1" 200 10678 "-" "Java/1.6.0_31"

Everything looks fine. I guess it is just some bot, looking for vulnerabilities. Wonder why it would look for some FeedZeBirds specific URLs on your site (i.e. http://www.feedzebirds.com/9bxta). Others are completely unrelated. We use no ASP whatsoever, for instance. Regardless, I suspect it found no vulnerabilities here, as everything looks in order. Such bots are not uncommon, after all.

[EDIT]
I'll add that looking through the 404s resulted in nothing unusual. A few futile attempts at finding a phpmyadmin instance and a ton of misspellings.
[/EDIT]

[bitlotto]

That's really weird.

I am messaging are sort of referenced in my logs... specifically the following:

Bitcoin Faucet
BitLotto
Feed Ze Birds
Bitcoin MineField
Possibly Mt. Gox and/or Intersango

Others of you that I PM'd have either experienced some attacks (DDoS or otherwise) from the IP I referenced (95.143.198.72), may be related to the URLs in this list, extra information, or better logs than I do (I can't access Apache logs evidently, just got these from Django.)

Very odd that they were looking for patterns that exist on my site. I haven't noticed anything. I'm pretty sure that a few people have looked around my site trying to find a bug or something. It would be a waste of time though. The private keys that have access to the lottery funds are kept off the server.

Always a good idea to be security aware. If you ever find anything out I'd LOVE to know!