Bitcoin Forum
December 04, 2016, 04:24:26 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Interesting Penetration Testing Logs  (Read 1350 times)
lulzplzkthx
Sr. Member
****
Offline Offline

Activity: 322



View Profile WWW
May 16, 2012, 02:21:57 PM
 #1

Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast, and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

Quote
/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?

1480868666
Hero Member
*
Offline Offline

Posts: 1480868666

View Profile Personal Message (Offline)

Ignore
1480868666
Reply with quote  #2

1480868666
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
bearbones
Sr. Member
****
Offline Offline

Activity: 317



View Profile WWW
May 17, 2012, 04:50:47 AM
 #2

Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast, and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

Quote
/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?

I looked through the FeedZebirds logs, and found a single reference to said IP address. It looks like a Java-based crawler.

95.143.198.72 - - [16/May/2012:12:00:48 +0400] "GET / HTTP/1.1" 200 10678 "-" "Java/1.6.0_31"

Everything looks fine. I guess it is just some bot, looking for vulnerabilities. Wonder why it would look for some FeedZeBirds specific URLs on your site (i.e. http://www.feedzebirds.com/9bxta). Others are completely unrelated. We use no ASP whatsoever, for instance. Regardless, I suspect it found no vulnerabilities here, as everything looks in order. Such bots are not uncommon, after all.

[EDIT]
I'll add that looking through the 404s resulted in nothing unusual. A few futile attempts at finding a phpmyadmin instance and a ton of misspellings.
[/EDIT]

Feed Ze Birds Pay and get paid for tweets
Coinapult Send Bitcoins easily over email or text message
bitlotto
Hero Member
*****
Offline Offline

Activity: 672


BitLotto - best odds + best payouts + cheat-proof


View Profile WWW
May 17, 2012, 04:56:24 AM
 #3

That's really weird.

Quote
I am messaging are sort of referenced in my logs... specifically the following:

Bitcoin Faucet
BitLotto
Feed Ze Birds
Bitcoin MineField
Possibly Mt. Gox and/or Intersango

Others of you that I PM'd have either experienced some attacks (DDoS or otherwise) from the IP I referenced (95.143.198.72), may be related to the URLs in this list, extra information, or better logs than I do (I can't access Apache logs evidently, just got these from Django.)

Very odd that they were looking for patterns that exist on my site. I haven't noticed anything. I'm pretty sure that a few people have looked around my site trying to find a bug or something. It would be a waste of time though. The private keys that have access to the lottery funds are kept off the server.

Always a good idea to be security aware. If you ever find anything out I'd LOVE to know!

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!