Does anyone know what this web application is?
October 5, 2007 7:06 PM

It's a "WebUI Administration tool". There's a background image and a favicon. It's setting two cookies named mingzi and kouling.

The website I'm referencing is just a random example, I've found other sites that have the same exact login screen, which makes me think that it's a commercial or free package of some kind.

But the big question is... what is it? What does it do?

Figured I'd post in case someone recognizes it and can let me know.
posted by andytmp to Technology (12 answers total)
 
Well the server there is 'Virata EmWeb' which is an embedded server used in DSL modems, it seems. So I'm guessing it's an internet-facing admin interface for a DSL modem or something.

The company (Virata) seems to have vanished, maybe purchased by Conexant
posted by sycophant at 7:42 PM on October 5, 2007


sycophant is correct about the Virata EmWeb:

telnet www.bonestellgallery.com 80
Trying 63.87.155.2...
Connected to www.bonestellgallery.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 5 Oct 2007 19:50:26
Server: Virata-EmWeb/R6_0_1
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache

Connection closed by foreign host.
posted by dereisbaer at 7:52 PM on October 5, 2007
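The banner check above, done programmatically: this is an added example (not code from the thread) that parses a raw HTTP HEAD response like the one dereisbaer pasted and splits the Server header into product and version. The response bytes are constructed to mirror the one shown.

```python
# Added example (not from the thread): parse a raw HTTP response and pull out
# the Server banner so the same check can be run across many hosts' replies.
import re
from typing import Dict, Optional, Tuple

# Constructed sample mirroring the response quoted in the thread.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 5 Oct 2007 19:50:26\r\n"
    b"Server: Virata-EmWeb/R6_0_1\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers). Header names are lower-cased so lookups
    are case-insensitive; repeated headers are joined with ', '. Tolerates
    bare-LF line endings, which some embedded servers emit."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [l.rstrip("\r") for l in head.decode("latin-1").split("\n")]
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip junk lines rather than failing the whole parse
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return int(status), headers

def server_fingerprint(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Split the Server banner into (product, version); None if no banner."""
    banner = headers.get("server")
    if not banner:
        return None
    product, _, version = banner.partition("/")
    return product, version

if __name__ == "__main__":
    code, hdrs = parse_response(SAMPLE_RESPONSE)
    print(code, server_fingerprint(hdrs))  # 200 ('Virata-EmWeb', 'R6_0_1')
```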


Response by poster: Thanks. I had already noticed the Virata EmWeb server as well, but at the time I wasn't sure if it was really a good clue or not.

But I just did the same check on another site where this login screen is being seen... and it shows this same server as well.

So I definitely think it's meaningful now.

The reason I'm trying to investigate this is that an IP address is hammering a bad URL on my site over and over again. And I tracked it down to a login screen like this. And just trying to figure out what it is and what inside it would be doing this.
posted by andytmp at 8:11 PM on October 5, 2007


Do a whois and send an email to the administrative contact as a first step.
posted by IronLizard at 8:32 PM on October 5, 2007


And just trying to figure out what it is and what inside it would be doing this.

Odds are good that the app itself isn't doing the hammering, but someone using the appliance on which this app runs as a gateway is hammering your site.

As a temporary workaround, set up an apache redirect (or equivalent) for that exact URL that sends the user right back to the login screen you found. It will reduce your server load, get him/her out of your error logs, and his site will have to withstand the hammering.

Then maybe he'll set up a redirect back to you, and both of your servers will explode! not really
posted by davejay at 9:03 PM on October 5, 2007


By the way, a quick search on Bonestell Gallery brings up this legitimate site:

http://www.bonestell.com/

Odds are good, then, that "bonestell.com" is their public-facing website, and "bonestellgallery.com" is their internal network (and the login screen is a way to get into webmail services, or at least configure their modem.)

So you can always contact the gallery directly as well.
posted by davejay at 9:05 PM on October 5, 2007


Response by poster: In my original post I noted that the "bonestell" site was just being used as an example of the login screen and wasn't actually the offending site. So I think you read a little too quickly davejay and went on a short wild goose chase. :)

The hits are actually coming from here.

I'm probably not going to redirect the requests, but thanks for that suggestion. The url being hit isn't even one that serves up valid content, which is why I started to get so curious about them.
posted by andytmp at 10:06 PM on October 5, 2007


It's likely part of a botnet. Someone hacked into a DSL modem manufactured by IntraCom using the default name/password (probably admin/admin or the like). Many DSL modems and routers have built-in web administration, and come with default passwords that are never changed--often because the user never opened the manual to configure it properly. If the system has a static IP address, it's only a matter of time before a hacker gains access to it.

Since most of these routers use stripped-down Linux kernels, it's trivial to reconfigure them once access has been gained to respond to the hacker's whims: DDoS botnets are the logical choice. Why your system is being hammered, I can only guess. Maybe you pissed someone off. Maybe it's completely random. Maybe your IP address just happens to be the next one in line and they're seeing if you have any exploitable security holes so as to add your system to their control.
posted by Civil_Disobedient at 11:42 PM on October 5, 2007


I think that it's more likely that the system that's hammering you is a Windows box that's being NATed behind the DSL modem at 64.124.135.99 and that it has been infected with some malware. Alternatively it could just be a misconfiguration issue and someone's put the wrong IP address into some device that's now trying to connect to completely the wrong system.

What's the bad URL that's being hammered? Do your logs include a User-Agent string? How often is it 'hammering' you? Is your site on a static IP address?

If you can post the answers to the above then the hive-mind should be able to make an educated guess as to what the problem is.

You could also try contacting admin (at) presidiumlearning (dot) com and letting them know that one of their systems is misbehaving (as the netblock that .99 comes from is a small one that belongs to Presidium Learning (and it looks like they actually use it)).
posted by koshmar at 12:55 AM on October 6, 2007
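One way to pull the answers koshmar asks for straight out of an Apache combined-format access log: this is an added example, not code from the thread, and the log lines are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real clients).

```python
# Added example (not from the thread): per-client summary of an Apache
# combined-format access log: which URL, which User-Agent, how often.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client repeatedly requesting a URL that only 404s.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2007:19:50:01 -0400] "GET /cgi-bin/old.cgi HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [05/Oct/2007:19:50:03 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Oct/2007:19:50:31 -0400] "GET /cgi-bin/old.cgi HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [05/Oct/2007:19:51:02 -0400] "GET /cgi-bin/old.cgi HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [05/Oct/2007:19:51:33 -0400] "GET /cgi-bin/old.cgi HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def summarize(log_text: str, min_hits: int = 3) -> Dict[str, dict]:
    """For each client IP with at least min_hits requests: hit count, URL
    histogram, share of 4xx responses, User-Agents seen, and hits per minute
    over the span between its first and last request."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[rec["ip"]].append(rec)
    out: Dict[str, dict] = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_hits:
            continue
        span = (max(r["when"] for r in recs) - min(r["when"] for r in recs)).total_seconds()
        out[ip] = {
            "hits": len(recs),
            "urls": Counter(r["url"] for r in recs),
            "error_ratio": sum(r["status"].startswith("4") for r in recs) / len(recs),
            "user_agents": sorted({r["ua"] for r in recs}),
            "hits_per_min": len(recs) * 60 / span if span else float("inf"),
        }
    return out
```

A client whose every request is a 4xx for a single URL, at a steady interval, with one User-Agent, looks like a stuck script or misconfigured device rather than a person, which is the distinction koshmar is driving at.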


Except that the IP resolves to presiduim.com, not presidium.com
posted by Civil_Disobedient at 7:08 AM on October 6, 2007


It does but that's a typo - 64.124.135.109 (which is in the same netblock as 64.124.135.99) is hosting the presidium-learning website (and there's no such domain as presiduim.com)
posted by koshmar at 7:26 AM on October 6, 2007


Ah, strange. It's not often I see typos in DNS entries.
posted by Civil_Disobedient at 7:44 AM on October 6, 2007

