30 July 2013
What is IP 220.127.116.11 doing to Cryptome?
Fairly standard web application map/vuln scan. By looking for known file
structures, attacker can find fingerprint of installed software and use for
exploitation with known exploits. Notice that logs include "Nessus" - an
off-the-shelf vulnerability scanner -
- this may be scripted, or done manually. This is standard for any website
these days, I wouldn't take it personally.
Seems to me like someone already did the work ahead of time and was able
to identify the file structure of your web server. It seems evident because
what is happening appears to be a vulnerabilities scan. I guess most companies
hire overpaid systems operators, because it seems like nobody ever mentions
this sort of thing happening except for hackers themselves.
In other words, congratulations on not having overpaid systems administrators!
I'm not a computer analyst, nor an expert. But I do know a few things, and
I'm rumored to have a fairly high IQ, so if you feel I might be right about
that (You could always ask the NSA what's happening ;P), then here are a
few relatively easy precautions to take:
- Contact the NSA and try to figure this stuff out, I'm sure they'd love
to figure it out with you (It's obviously a test of some kind...I could go
on here, not knowing ;P).
- Archive all of your goodies on a 1TB portable hard drive (Not the files
that run your server, those might be corrupted by now), and never connect
it to the internet ever.
- Compare original files from their original media to their current versions
stored online (Might be hash variations).
- Continue to record similar and not-so-common activity.
Other than that, John, I couldn't say anything more. A computer security
analyst could identify this problem for you, maybe TSCM could figure it out
18.104.22.168 is using some tool to guess names of files & directories
on http://www.cryptome.org/*, attempting to discover
1) content that the webmaster (you) did not mean to be publicly accessible
2) presence of software that is known to contain vulnerabilities.
Based on the output, I think that tool is Nikto ( http://www.cirt.net/nikto2
), and nothing was discovered other than some directories that are not publicly
accessible (at all, or not without password): http://cryptome.org/awstats/
http://cryptome.org/stats/ http://cryptome.org/stuff/ http://cryptome.org/log/
http://cryptome.org/cgi-bin/ http://cryptome.org/ar/ http://cryptome.org/wa/
...and some things that can be found on most webservers:
http://cryptome.org/icons/ (typically present on Apache servers)
http://cryptome.org/robots.txt (which in your case does not reveal anything
other than you not liking crawlers) No software was found that is known to
contain vulnerabilities. -
I read the report about this IP.
I think your website tested by security scanner software from this IP.
As you see in first step the security tools crawl your website to find
directories and files and in next step the tools start scanning your website
for security problems.
And here is the signature of tools:
22.214.171.124 - - [28/Jul/2013:07:20:16 -0400] "GET /admin.back HTTP/1.1"
404 575 "-" "Nessus"
Based on the log data you provided 126.96.36.199 is most certainly performing
a Nessus scan against cryptome. This is a widely used and freely available
vulnerability assesment tool available at
Chain of companies, all under apparent leadership of Melih Abdulhayoglu,
US resident (but not citizen) residing at nr 1 Watchung Ave, Montclair, NJ.
for more details and some history. Play with the links.
your logs show an obvious vuln scan by that IP - the question is - why Comodo
network? open wifi? spoofed IP?
The IP address in question is performing a Nessus scan against cryptome.org,
which is a program that automatically probes security.
A Nessus scan is designed to find poorly configured servers and scripts.
In this case, the type of scan is easily identifiable because the string
"nessus" appears throughout the log. It is a prevalent tool for penetration
testing in the network security world. You can tell its tests were unsuccessful
by the repeating "404" found throughout the logs.
This IP address from which the scan originates is associated with comment
spam by projecthoneypot.org. The "user agent" value is exactly the same as
that which appears in your logs. Projecthoneypot identified 3,500 web posts
made with this IP.
It is unlikely this scan indicates a targeted attack, as it would only be
effective against the "lowest-hanging fruits" of the Internet.
I hope this answers your questions, and doesn't somehow land me in Guantanamo
Look at the end of the logs published in
The cross_site_scripting.nasl is a plugin for Nessus and OpenVAS vulnerability
scanners, which is probably what someone ran against your host.
Personally I wouldn't be too concerned. Of course scanning a host without
written permission from the owner is prohibited, and the owner can (and probably
should) notify the relevant authorities (in most countries the police). If
I was the owner I would do so, just out of curiosity. BTW periodically doing
a vulnerability assesment of _your_ host (for example using OpenVAS, nessus,
nikto etc) is a really good idea, just be careful if doing this using a hosting
provider (then the host be yours, or it may belong to the provider, depending
on what service you paid for).
Looks like they pointed a scanner at your site looking for common CMS admin
entry points and other common but hidden directories. Typically sites like
Wordpress put the administration functions on the site as well. Try as an
Perhaps just doing a free security scan or perhaps trying to find a weakness
This is a general scan for configuration information and general vulnerabilities.
I get these all the time on my own web server. When I get these I don't figure
that I have been singled out.
somebody's running a garden-variety web vulnerability scan, it looks like
(Nessus would be my guess from logs)
looks like 188.8.131.52 is probing for any possible vuln it has handy...
appears to be the usual scan for known exploit vectors.
are you hacked? you are sending a word doc?
weird. never ever seen the HTTP method GVBXDB. Is that a thing?
That IP is associated with Comodo Hacker Guardian Service
Indecipherable message. Please resend.