Topic: Interesting Penetration Testing Logs
lulzplzkthx (OP)
May 16, 2012, 02:21:57 PM
 #1

Hey guys, thought I'd share this with you... I only recently started my site, Make Bitcoins Fast, and already I've been... pen tested? It looks more like they were testing to see if I was related to some other sites like the Bitcoin Faucet, MineField, and a lotto game. Anyway, here's the pages they tried requesting (which resulted in a 404):

Quote
/click/14/default.aspx
/click/11/||
/click/10/winners.html
/click/10/valid.html
/click/10/pool.html
/click/10/index.php
/click/10/details.html
/click/10/2012may2.txt
/click/10/2012april4.txt
/twitter/redirect
/themes/feedzebirds/logo.png
/themes/feedzebirds/Decoration_Transparent.png
/socket.io/socket.io.js
/js/jquery.jeditable.min.js
/js/jquery-ui.1.8.12.custom.min.js
/js/jquery-1.5.1.min.js
/img/info.png
/img/grass_selected.png
/img/grass.png
/img/dirt_step.png
/img/dirt.png
/img/bomb_step.png
/img/bomb.png
/img/bitcoin2.png
/img/arrow.png
/pages/refresh.png
/pages/quote_image.php
/pages/license.js
/pages/jquery.js
/pages/getbitcoins.js
/backlinks
/transactions.aspx
/recent_sends
/getsome
/terms
/statistics
/privacy
/peqj4
/misc/jquery.js
/misc/drupal.js
/learn-more
/ik11m
/hc3u9
/frv41
/front
/fees
/faq
/dohrb
/contact
/bitcoin
/a9vp
/907bp
/9bxta
/0y76z
/71g84

The requesting IP address was 95.143.198.72.

I'm not worried or anything, I'm just curious what you guys think this might be? Why would people be testing to see if my site is one of those sites?

bearbones
May 17, 2012, 04:50:47 AM
 #2

I looked through the FeedZebirds logs, and found a single reference to said IP address. It looks like a Java-based crawler.

95.143.198.72 - - [16/May/2012:12:00:48 +0400] "GET / HTTP/1.1" 200 10678 "-" "Java/1.6.0_31"

Everything looks fine. I guess it is just some bot, looking for vulnerabilities. Wonder why it would look for some FeedZeBirds specific URLs on your site (i.e. http://www.feedzebirds.com/9bxta). Others are completely unrelated. We use no ASP whatsoever, for instance. Regardless, I suspect it found no vulnerabilities here, as everything looks in order. Such bots are not uncommon, after all.

[EDIT]
I'll add that looking through the 404s resulted in nothing unusual. A few futile attempts at finding a phpmyadmin instance and a ton of misspellings.
[/EDIT]

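
Added example (not written by anyone in this thread): a Python script that groups access-log lines by client and reports clients requesting many distinct missing paths, the pattern described in the first post. The threshold, the library User-Agent list, and every sample line other than the one quoted above are assumptions.

```python
import re
from collections import defaultdict

# Combined log format, as in the line quoted in the post above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed list of User-Agent prefixes sent by HTTP libraries, not browsers.
LIBRARY_UA = ("Java/", "python-requests/", "curl/", "Go-http-client/", "libwww-perl/")

def find_probers(lines, min_distinct_404=5):
    """Return {ip: summary} for clients that hit many distinct missing paths."""
    stats = defaultdict(lambda: {"missing": set(), "hits": 0, "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        s = stats[m["ip"]]
        s["hits"] += 1
        s["agents"].add(m["ua"])
        if m["status"] == "404":
            s["missing"].add(m["path"].split("?", 1)[0])  # ignore query strings
    return {
        ip: {
            "distinct_404": len(s["missing"]),
            "hits": s["hits"],
            "library_ua": any(ua.startswith(LIBRARY_UA) for ua in s["agents"]),
        }
        for ip, s in stats.items()
        if len(s["missing"]) >= min_distinct_404
    }

# Constructed sample: the first line is the one quoted in the thread; the 404
# lines reuse paths from the first post with made-up timestamps and sizes.
PROBED = ["/click/10/index.php", "/transactions.aspx", "/misc/drupal.js",
          "/socket.io/socket.io.js", "/pages/getbitcoins.js", "/9bxta"]
SAMPLE = (
    ['95.143.198.72 - - [16/May/2012:12:00:48 +0400] "GET / HTTP/1.1" 200 10678 "-" "Java/1.6.0_31"']
    + [f'95.143.198.72 - - [16/May/2012:12:00:{50 + i} +0400] "GET {p} HTTP/1.1" 404 209 "-" "Java/1.6.0_31"'
       for i, p in enumerate(PROBED)]
    + ['203.0.113.7 - - [16/May/2012:12:01:10 +0400] "GET /faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [16/May/2012:12:01:11 +0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, summary in find_probers(SAMPLE).items():
        print(ip, summary)
```

Counting distinct missing paths rather than raw 404s keeps a browser that repeatedly misses one file (a favicon, say) below the threshold.
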
bitlotto
May 17, 2012, 04:56:24 AM
 #3

That's really weird.

Quote
I am messaging are sort of referenced in my logs... specifically the following:

Bitcoin Faucet
BitLotto
Feed Ze Birds
Bitcoin MineField
Possibly Mt. Gox and/or Intersango

Others of you that I PM'd have either experienced some attacks (DDoS or otherwise) from the IP I referenced (95.143.198.72), may be related to the URLs in this list, extra information, or better logs than I do (I can't access Apache logs evidently, just got these from Django.)

Very odd that they were looking for patterns that exist on my site. I haven't noticed anything. I'm pretty sure that a few people have looked around my site trying to find a bug or something. It would be a waste of time though. The private keys that have access to the lottery funds are kept off the server.

Always a good idea to be security aware. If you ever find anything out I'd LOVE to know!
