Strange UA (User Agents) What is this? Guru Needed

Steamcast is a stand alone server that combines the features of SHOUTcast and Icecast2 and more to make one mega awesome server.
Deltamusic
Posts: 43
Joined: Wed Jul 21, 2004 7:21 am
Location: Mississippi USA


Post by Deltamusic »

I try to monitor my logs for various reasons. In the past few weeks I have wondered if I am being hacked, spoofed or something. They are all coming from the same area. Below are a few shots of my log from today, after watching "kicking & banning". I ran a trace on the IPs in question. The second trace is the one that scared me; as you can see there are only 3 nodes... just a direct shot to my router.

I really wish there were a way to put these logs into a database.
Log entries...
[dest] <84.56.166.153> Connection Opened (A: 192.168.1.2:8000/) [L: 1] {UA: 4be69191}
[dest] <88.76.87.255> Connection Opened (A: 192.168.1.2:8000/) [L: 2] {UA: 9c96a298}
14:50:54> [dest] <84.57.216.210> Connection Opened (A: 192.168.1.2:8000/) [L: 5] {UA: 43fa4123}
14:50:55> [dest] <84.57.216.210> Connection Closed [L: 4] {41957905 bytes} (3489 secs)
14:57:14> [dest] <84.57.216.210> Connection Closed [L: 2] {4785209 bytes} (380 secs) RE: Unknown

14:57:39> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 58e9593f}
14:57:39> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: NSPlayer/11.0.6001.7000 WMFSDK/11.0}
14:58:00> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 472e11b4}
14:58:04> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: f987cb7f}
14:58:05> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 35aa2895}

=============================
NeoTrace Version 3.25 Trace Results
Target: 84.57.216.210
Date: 7/10/2008 (Thursday), 6:50:49 PM
Nodes: 24

Node Data
Node Net Reg IP Address Location Node Name
1 1 - 192.168.1.2 33.118N, 89.055W delta6
2 1 - 192.168.1.1 Unknown
3 2 - 10.20.52.1 Unknown
4 3 1 12.215.19.193 Unknown 12-215-19-193.client.mchsi.com
5 4 1 12.215.7.2 Unknown 12-215-7-2.client.mchsi.com
6 5 2 12.122.103.74 Houston tbr2.hs1tx.ip.att.net
7 6 2 12.122.21.205 Houston cr2.hs1tx.ip.att.net
8 7 2 12.122.28.157 Dallas cr1.dlstx.ip.att.net
9 8 2 12.122.18.154 Dallas tbr1.dlstx.ip.att.net
10 9 2 12.123.16.193 Dallas ggr3.dlstx.ip.att.net
11 10 - 192.205.35.142 28.761N, 81.344W
12 11 3 4.68.19.254 Dallas vlan99.csw4.dallas1.level3.net
13 11 3 4.69.136.165 Dallas ae-93-93.ebr3.dallas1.level3.net
14 11 3 4.69.134.22 Atlanta ae-7.ebr3.atlanta2.level3.net
15 11 3 4.69.132.86 WASH D.C. ae-2.ebr1.washington1.level3.net
16 11 3 4.69.134.142 WASH D.C. ae-91-91.csw4.washington1.level3.net
17 11 3 4.69.134.157 WASH D.C. ae-92-92.ebr2.washington1.level3.net
18 11 3 4.69.137.49 PARIS ae-41.ebr2.paris1.level3.net
19 11 3 4.69.132.142 Frankfurt am Main ae-2.ebr1.frankfurt1.level3.net
20 11 3 4.69.134.1 München ae-4-4.car1.munich1.level3.net
21 12 - 62.67.32.178 Frankfurt am Main
22 13 4 145.254.16.209 München mue-145-254-16-209.arcor-ip.net
23 14 4 145.254.19.233 Stuttgart stg-145-254-19-233.arcor-ip.net
24 15 4 84.57.216.210 Stuttgart dslb-084-057-216-210.pools.arcor-ip.net

================

NeoTrace Version 3.25 Trace Results
Target: 88.76.87.255
Date: 7/10/2008 (Thursday), 3:23:31 PM
Nodes: 3

Node Data
Node Net Reg IP Address Location Node Name
1 1 - 192.168.1.2 33.118N, 89.055W delta6
2 1 - 192.168.1.1 Unknown
3 2 1 88.76.87.255 Düsseldorf dslb-088-076-087-255.pools.arcor-ip.net

===============

NeoTrace Version 3.25 Trace Results
Target: 84.56.154.89
Date: 7/10/2008 (Thursday), 3:22:44 PM
Nodes: 25

Node Data
Node Net Reg IP Address Location Node Name
1 1 - 192.168.1.2 33.118N, 89.055W delta6
2 1 - 192.168.1.1 Unknown
3 2 - 10.20.52.1 Unknown
4 3 1 12.215.19.193 Unknown 12-215-19-193.client.mchsi.com
5 4 1 12.215.7.2 Unknown 12-215-7-2.client.mchsi.com
6 5 2 12.122.103.74 Houston tbr2.hs1tx.ip.att.net
7 6 2 12.122.21.213 Houston cr2.hs1tx.ip.att.net
8 7 2 12.122.28.157 Dallas cr1.dlstx.ip.att.net
9 8 2 12.122.18.162 Dallas tbr1.dlstx.ip.att.net
10 9 2 12.123.16.193 Dallas ggr3.dlstx.ip.att.net
11 10 - 192.205.35.142 28.761N, 81.344W
12 11 3 4.68.19.190 Dallas vlan89.csw3.dallas1.level3.net
13 11 3 4.69.136.161 Dallas ae-83-83.ebr3.dallas1.level3.net
14 11 3 4.69.134.22 Atlanta ae-7.ebr3.atlanta2.level3.net
15 11 3 4.69.132.86 WASH D.C. ae-2.ebr1.washington1.level3.net
16 11 3 4.69.134.134 WASH D.C. ae-71-71.csw2.washington1.level3.net
17 11 3 4.69.134.149 WASH D.C. ae-72-72.ebr2.washington1.level3.net
18 11 3 4.69.137.57 PARIS ae-43.ebr2.paris1.level3.net
19 11 3 4.69.132.142 Frankfurt am Main ae-2.ebr1.frankfurt1.level3.net
20 11 3 4.69.134.1 München ae-4-4.car1.munich1.level3.net
21 12 3 212.162.47.106 München arcor-ag-co.car1.munich1.level3.net
22 13 4 145.254.16.209 München mue-145-254-16-209.arcor-ip.net
23 14 4 145.254.19.233 Stuttgart stg-145-254-19-233.arcor-ip.net
24 15 - 145.254.14.206 Stuttgart
25 16 4 84.56.154.89 Stuttgart dslb-084-056-154-089.pools.arcor-ip.net
"It's not a Bug... It's A Feature!!"
Lane
Posts: 154
Joined: Mon May 09, 2005 4:16 pm

Post by Lane »

ALL YOUR BASE ARE BELONG TO THEM.

You could probably write a script to parse the log info for use in a database. What did you have in mind?
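Taking up the database idea from both posts above (the wish to get these logs into a database, and the suggestion of a script to parse them), here is an added example; it is not code from this thread or from the Steamcast project. It assumes the line format is the one visible in the quoted entries (an optional "HH:MM:SS> " stamp, then "[mount] <ip> ..." followed by an Opened, Closed or 403 record), stores each record in SQLite with Python's standard sqlite3 module, and flags as "opaque" any UA that is exactly eight lowercase hex digits, which is the shape of the odd UAs in the first post. The sample log is the quoted entries, embedded as constructed input; lines that do not match are counted as skipped rather than guessed at.

```python
"""Parse Steamcast-style log lines into SQLite and summarise activity per IP.

Added example for this thread, not Steamcast's own code. The line format is
inferred from the entries quoted in the first post."""
import re
import sqlite3

# Constructed sample input: the log entries quoted in the first post.
SAMPLE_LOG = """\
[dest] <84.56.166.153> Connection Opened (A: 192.168.1.2:8000/) [L: 1] {UA: 4be69191}
[dest] <88.76.87.255> Connection Opened (A: 192.168.1.2:8000/) [L: 2] {UA: 9c96a298}
14:50:54> [dest] <84.57.216.210> Connection Opened (A: 192.168.1.2:8000/) [L: 5] {UA: 43fa4123}
14:50:55> [dest] <84.57.216.210> Connection Closed [L: 4] {41957905 bytes} (3489 secs)
14:57:14> [dest] <84.57.216.210> Connection Closed [L: 2] {4785209 bytes} (380 secs) RE: Unknown
14:57:39> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 58e9593f}
14:57:39> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: NSPlayer/11.0.6001.7000 WMFSDK/11.0}
14:58:00> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 472e11b4}
14:58:04> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: f987cb7f}
14:58:05> [dest] <84.57.216.210> [403] (Banned) "Request: GET /" {UA: 35aa2895}
"""

# Every entry starts with an optional "HH:MM:SS> " then "[mount] <ip> ...".
PREFIX_RE = re.compile(r"^(?:(?P<time>\d{2}:\d{2}:\d{2})> )?\[(?P<mount>[^\]]+)\] <(?P<ip>[^>]+)> (?P<rest>.*)$")
OPENED_RE = re.compile(r"^Connection Opened \(A: [^)]+\) \[L: (?P<listeners>\d+)\] \{UA: (?P<ua>.*)\}$")
CLOSED_RE = re.compile(r"^Connection Closed \[L: (?P<listeners>\d+)\] \{(?P<bytes>\d+) bytes\} \((?P<secs>\d+) secs\)(?: RE: (?P<reason>.*))?$")
REJECT_RE = re.compile(r'^\[(?P<status>\d{3})\] \((?P<tag>[^)]+)\) "Request: (?P<request>[^"]*)" \{UA: (?P<ua>.*)\}$')
# The odd UAs in the thread are exactly eight lowercase hex digits; flag that shape for review.
OPAQUE_UA_RE = re.compile(r"^[0-9a-f]{8}$")

SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id INTEGER PRIMARY KEY, time TEXT, mount TEXT NOT NULL, ip TEXT NOT NULL,
    event TEXT NOT NULL, listeners INTEGER, ua TEXT, opaque_ua INTEGER NOT NULL DEFAULT 0,
    bytes INTEGER, secs INTEGER, status INTEGER, tag TEXT, request TEXT, reason TEXT);
CREATE INDEX IF NOT EXISTS events_ip ON events (ip);
"""
COLUMNS = ("time", "mount", "ip", "event", "listeners", "ua", "opaque_ua",
           "bytes", "secs", "status", "tag", "request", "reason")
INSERT_SQL = "INSERT INTO events (%s) VALUES (%s)" % (
    ", ".join(COLUMNS), ", ".join(":" + c for c in COLUMNS))


def parse_line(line):
    """Return one record (dict keyed by COLUMNS) or None if the line is unrecognised."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = dict.fromkeys(COLUMNS)
    rec.update(time=m["time"], mount=m["mount"], ip=m["ip"], opaque_ua=0)
    rest = m["rest"]
    opened, closed, rejected = OPENED_RE.match(rest), CLOSED_RE.match(rest), REJECT_RE.match(rest)
    if opened:
        rec.update(event="opened", listeners=int(opened["listeners"]), ua=opened["ua"])
    elif closed:
        rec.update(event="closed", listeners=int(closed["listeners"]), bytes=int(closed["bytes"]),
                   secs=int(closed["secs"]), reason=closed["reason"])
    elif rejected:
        rec.update(event="rejected", status=int(rejected["status"]), tag=rejected["tag"],
                   request=rejected["request"], ua=rejected["ua"])
    else:
        return None
    if rec["ua"] is not None and OPAQUE_UA_RE.match(rec["ua"]):
        rec["opaque_ua"] = 1
    return rec


def ingest(text, path=":memory:"):
    """Load every recognised line of `text` into the SQLite DB at `path`.
    Returns (connection, inserted, skipped). Pass a file path to keep the data."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    inserted = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        conn.execute(INSERT_SQL, rec)
        inserted += 1
    conn.commit()
    return conn, inserted, skipped


def summarize(conn):
    """Per-IP counts: all events, rejected requests, opaque UAs, distinct UAs."""
    rows = conn.execute(
        "SELECT ip, COUNT(*), SUM(event = 'rejected'), SUM(opaque_ua), COUNT(DISTINCT ua) "
        "FROM events GROUP BY ip ORDER BY COUNT(*) DESC")
    return {ip: dict(events=n, rejected=rej, opaque_ua=opq, distinct_ua=dua)
            for ip, n, rej, opq, dua in rows}


if __name__ == "__main__":
    conn, inserted, skipped = ingest(SAMPLE_LOG)
    print(f"loaded {inserted} events, skipped {skipped} unrecognised lines")
    for ip, s in summarize(conn).items():
        print(f"{ip:16} events={s['events']:3} rejected={s['rejected']:3} "
              f"opaque_ua={s['opaque_ua']:3} distinct_ua={s['distinct_ua']:3}")
```

Run it as a script to see the per-IP counts for the quoted entries; to keep the data, call `ingest` with the real log text and a file path, and then query the `events` table directly for whatever is useful (rejected requests per IP, UAs seen only once, bytes served per connection). The log itself does not say what the eight-hex-digit UAs are; the script only makes that shape easy to pick out and count.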