Analecta Cyber Company Blog: Scanning Activity

2015-03-15

Scanning Activity

Synopsis

From 2015-03-12T06:41:04 until 2015-03-12T06:42:25, abnormal scanning behavior was identified originating from IP address 173.70.141.168 and claiming a User Agent of "panscient.com".

User Agent

Panscient (website) purports to be a content supplier for search engines. They claim to focus on people-related data. Requests made to Panscient to determine whether the observed activity was related to legitimate company activity were not returned.

Origin IP Address

The source IP address (173.70.141.168) resolves to pool-173-70-141-148.nwrknj.fios.verizon.net, which is typically indicative of a commercial or residential IP address operated by the Verizon FiOS Internet service (in Newark, New Jersey).

Activity

Most activity was consistent with that of a crawler, with a couple of specific exceptions:

  1. The robots.txt file was requested, but not as the initial request. Legitimate indexing bots should request the robots.txt file first, as it includes directives for the indexing bot.
  2. Malformed requests were identified.

Malformed Requests

All cross-referenced resources within the site were individually retrieved, which is common for a crawler. However, additional requests were made that were not based on any reference internal to the site:

/js/?===c&(g+=m.css(a,c+T%5Bf%5D,!0,e)),d?
/js/?)),c.overflow&(p.overflow=
/js/?C=N;O=D

Research into the likely source of these requests resulted in no immediate leads. Analysts with Analecta are continuing research into likely explanations.
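The checks described under Activity and Malformed Requests can be run over an access log as follows; this is an added example, not Analecta's own tooling. It also shows that the third request above is syntactically well formed and is caught only by the "not referenced within the site" check. Assumptions: Apache combined log format, and the hypothetical names LINKED_TARGETS, query_is_well_formed and review.

```python
import re

# Constructed sample in Apache combined log format. The client IP, User Agent
# and the three /js/ request targets come from the post; the time zone, status
# codes, sizes, intermediate timestamps and other paths are made up.
SAMPLE_LOG = """\
173.70.141.168 - - [12/Mar/2015:06:41:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "panscient.com"
173.70.141.168 - - [12/Mar/2015:06:41:05 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "panscient.com"
173.70.141.168 - - [12/Mar/2015:06:41:09 +0000] "GET /js/site.js HTTP/1.1" 200 9400 "-" "panscient.com"
173.70.141.168 - - [12/Mar/2015:06:41:30 +0000] "GET /js/?===c&(g+=m.css(a,c+T%5Bf%5D,!0,e)),d? HTTP/1.1" 403 210 "-" "panscient.com"
173.70.141.168 - - [12/Mar/2015:06:41:52 +0000] "GET /js/?)),c.overflow&(p.overflow= HTTP/1.1" 403 210 "-" "panscient.com"
173.70.141.168 - - [12/Mar/2015:06:42:25 +0000] "GET /js/?C=N;O=D HTTP/1.1" 403 210 "-" "panscient.com"
"""
# Targets the site itself links to (hypothetical; build from your own sitemap or crawl).
LINKED_TARGETS = {"/", "/robots.txt", "/js/site.js"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# One name or name=value pair made only of unreserved or percent-encoded characters.
PAIR_RE = re.compile(r"^[A-Za-z0-9_.~%+-]+(=[A-Za-z0-9_.~%+-]*)?$")


def query_is_well_formed(target):
    """True if the query is empty or only &/;-separated name[=value] pairs."""
    query = target.partition("?")[2]
    return query == "" or all(PAIR_RE.match(p) for p in re.split("[&;]", query))


def review(log_text, linked=LINKED_TARGETS):
    """Return per-client findings for the checks the post describes."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, target, agent = m.groups()
        f = findings.setdefault(ip, {"agent": agent, "first": target,
                                     "unreferenced": [], "malformed": []})
        if target not in linked:
            f["unreferenced"].append(target)
        if not query_is_well_formed(target):
            f["malformed"].append(target)
    for f in findings.values():
        # A crawler that honours robots.txt fetches it before anything else.
        f["robots_first"] = f.pop("first") == "/robots.txt"
    return findings
```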

Damage Assessment

No damage was sustained by the server from these requests.