LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-30-2006, 06:01 PM   #1
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Rep: Reputation: 15
Anyone seen this: EZI_HTTP_NETDEV_DISCOVER


Anyone seen this before? I can't really find any useful info on Google.
It's from the apache/access.log
Code:
ip.address.some.thing - - [19/Nov/2006:08:33:45 +0100] "GET / HTTP/1.1" 200 19020 "-" "EZI_HTTP_NETDEV_DISCOVER"
Edit: Forgot to mention that I have a lot of those lines in the log file.

Last edited by Kanon; 12-30-2006 at 06:03 PM.
 
Old 12-30-2006, 06:18 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
That's the HTTP user-agent. Apparently (if we take the label at face value) it's a tool to discover HTTP servers by scanning IP addresses.
 
Old 12-31-2006, 07:34 AM   #3
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
Just my thought too; the HTTP and DISCOVER kinda give it away, but since I couldn't find any usable info on Google I thought I'd ask here.
 
Old 01-22-2007, 06:17 PM   #4
jack.oliver.joy
LQ Newbie
 
Registered: Jan 2007
Posts: 1

Rep: Reputation: 0
I'm also getting lots of:

[22/Jan/2007:17:02:42 +0000] "GET / HTTP/1.1" 206 533 "-" "EZI_HTTP_NETDEV_DISCOVER"

Anyone got any ideas?
 
Old 01-22-2007, 07:38 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
There *is* no more info except what Chort already wrote.
 
Old 02-10-2007, 01:13 PM   #6
tinor
LQ Newbie
 
Registered: Feb 2007
Posts: 2

Rep: Reputation: 0
I (deliberately) have an open wireless network and I have been seeing some unusual traffic from one box. I have been watching this machine with wireshark and it appears to be doing some kind of scan of the local network by using 'ARP Who has' requests on all the possible ip addresses. The scans are in numeric sequence, sending out a new request every second.

It is also trying to access the web interface of my router using the user agent string "EZI_HTTP_NETDEV_DISCOVER". As it doesn't know the password for the router, it just gets a 'wrong password' page. It seems to not want to give up trying the router, as it repeats this every 30 seconds.

There are also requests to dell-alive.singleclicksystems.com/inet_check.php with "EZI_HTTP_INET_REQUEST" as the user agent string. If you bung that address in a web browser, it replies with a single byte: the ASCII code for "1".

Also there are requests to isp.singleclicksystems.com/isp_info/get_isp_info.php with "EZI_HTTP_ISP_REQUEST" as the UA string.

At first when I saw this traffic I thought that someone was trying to hack into some of the other machines on my network, then as I watched more, I started to think that it was a windoze box that had been turned into a zombie. But now I am beginning to think that it is some strange software that Dell have installed on one of their laptops. I assume that the requests to dell-alive.singleclicksystems.com/inet_check.php (with the reply "1") are part of some kind of background process that checks if the laptop has access to the internet for the user.

Whatever it is, I don't really like the fact that it is scanning the local network or trying to peek at my router. I will probably watch it for a bit longer, then maybe if I get bored/annoyed with it, I will MAC filter it out. ;-)

BTW, I also have Apache running on my machine to serve stuff locally (i.e. not to the Internet), but this thing doesn't seem to have found it yet.

What is the situation with other people seeing this user agent -- is it being seen on outward facing web servers, or are you seeing it in the logs on your internal networks routers?
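
The 'ARP who has' requests described above, walking the address space one target per second, are the classic shape of a host-discovery sweep on a LAN. The following is an added example, not code from the thread or from SingleClick Systems: a small detector over ARP request records (timestamp, sender MAC, target IP) that flags any sender asking for many distinct targets within a short window and reports how sequential the targets were and how fast they arrived. The records, MAC addresses and thresholds are constructed for illustration, not taken from anyone's capture.

```python
import ipaddress
from collections import defaultdict

# Constructed ARP request records: (unix time, sender MAC, target IP).
# In practice these would be extracted from a packet capture; these are
# hand-built to mirror the behaviour described in the post above.
SWEEPER = "00:11:22:33:44:55"   # constructed MAC of the scanning host
NORMAL = "aa:bb:cc:dd:ee:ff"    # constructed MAC of a well-behaved host

ARP_REQUESTS = (
    # one "who has" per second, walking 192.168.1.1 .. 192.168.1.40 in order
    [(1000.0 + i, SWEEPER, f"192.168.1.{i + 1}") for i in range(40)]
    # a normal host resolving its gateway twice, minutes apart
    + [(1005.0, NORMAL, "192.168.1.1"), (1400.0, NORMAL, "192.168.1.1")]
)


def sequential_fraction(ips):
    """Fraction of adjacent (numerically sorted) targets that differ by
    exactly one address: 1.0 is a strict numeric walk, near 0 means the
    lookups are unrelated to each other."""
    nums = sorted(int(ipaddress.ip_address(ip)) for ip in ips)
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def detect_arp_sweeps(requests, window=60.0, min_targets=16):
    """Flag senders that ask for at least `min_targets` distinct IPs within
    any `window` seconds.  Returns {sender_mac: summary} describing the
    first window in which that sender crossed the threshold."""
    by_sender = defaultdict(list)
    for ts, mac, ip in sorted(requests):
        by_sender[mac].append((ts, ip))

    alerts = {}
    for mac, events in by_sender.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {ip for _, ip in events[start:end + 1]}
            if len(targets) >= min_targets:
                span = events[end][0] - events[start][0]
                alerts[mac] = {
                    "targets": len(targets),
                    "sequential": sequential_fraction(targets),
                    "mean_interval_s": span / (end - start) if end > start else 0.0,
                    "first_seen": events[start][0],
                }
                break
    return alerts


if __name__ == "__main__":
    for mac, summary in detect_arp_sweeps(ARP_REQUESTS).items():
        print(mac, summary)
```

The two numbers in the summary are what separate the behaviour in the post (a steady one-per-second walk through consecutive addresses) from a normal host's occasional gateway lookups; the window and target thresholds are starting points and need tuning for the size and chattiness of the network being watched.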
 
Old 02-10-2007, 06:42 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hello and welcome to LQ, hope you like it here. BTW, nice work Sherlock ;-p

After your post I stumbled on this, which shows two more URIs, but since I don't do even Kyoiku Kanji all I can see is that it appears to be "Dell Network Assistant" or products by "SingleClickSystems". HTH
 
Old 02-11-2007, 05:27 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Looking at the SingleClickSystems site, it appears that one of their products includes a feature that can "Discover and manage all devices on a network", which would explain why the thing looks like it's trying to scan the entire network and auto-login to the router.

Can you tell if the passwords are different with each login attempt (i.e. is it brute-forcing the router)? At 1 attempt every 30 seconds I would guess no, otherwise it would take decades to complete even a fairly trivial dictionary list.

Again, nice work on this.
 
Old 02-11-2007, 06:39 AM   #9
tinor
LQ Newbie
 
Registered: Feb 2007
Posts: 2

Rep: Reputation: 0
/me kicks himself for not bothering to look at http://www.singleclicksystems.com/ web site. Doh!

I got Google to translate that site you linked to, unSpawn: http://translate.google.com/translat...Den%26hs%3DtDD - it looks like someone else has been doing some detective work on this thing too. That link mentions that there are occasional pings to 200.200.200.200, which I have also seen.

Capt_Caveman asks "Can you tell if the passwords are different with each login attempt..."
No, as far as I can see it doesn't seem to be supplying a password. -- I suppose I probably should have said that it is trying to view the contents of the router's web interface rather than actively trying to log in by trying usernames/passwords.

The Japanese page seems to be saying that this thing is also scanning some ports ("TCP 80 and the like is scanned UDP 161 (SNMP), TCP 139, TCP 445, UDP 10421, UDP 10426 "), but I haven't seen this yet.

I will look again next time the machine hops back onto my network.
 
Old 02-19-2007, 10:05 AM   #10
HerVen
LQ Newbie
 
Registered: Feb 2007
Location: Singapore
Distribution: RedHat 8
Posts: 1

Rep: Reputation: 0
Hi,

My Apache usage stats also show this User Agent. If I assume only one IP uses this agent, then the matching IP for the January and February 2007 stats is 219.132.138.237. From other searches I have made, this guy seems to be doing a scan on port 8080.
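
Posts #1, #4 and this one all come down to the same question: how many hits carry this User-Agent and which source addresses send them. The following is an added example, not code from the thread or from SingleClick Systems: it parses Apache combined-format lines with a regular expression and groups hits by any User-Agent string starting with a given prefix, so the answer comes from the log itself rather than from an assumption that only one IP uses the agent. The sample lines are constructed (RFC 5737 documentation addresses) and only mirror the shape of the entries quoted in the thread.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log; the addresses are RFC 5737 documentation ranges and
# the lines are hand-written in the same shape as the ones quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2006:08:33:45 +0100] "GET / HTTP/1.1" 200 19020 "-" "EZI_HTTP_NETDEV_DISCOVER"
192.0.2.10 - - [19/Nov/2006:08:34:15 +0100] "GET / HTTP/1.1" 200 19020 "-" "EZI_HTTP_NETDEV_DISCOVER"
192.0.2.11 - - [22/Jan/2007:17:02:42 +0000] "GET / HTTP/1.1" 206 533 "-" "EZI_HTTP_NETDEV_DISCOVER"
198.51.100.7 - - [22/Jan/2007:17:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [22/Jan/2007:17:05:01 +0000] "HEAD / HTTP/1.0" 304 - "-" "EZI_HTTP_INET_REQUEST"
not a combined-format line at all
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None when the
    line does not match (truncated or foreign lines are skipped, not guessed)."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize_agents(lines, prefix="EZI_HTTP_"):
    """Group hits whose User-Agent starts with `prefix`.  For each distinct
    agent string: total hits, hits per source host, and status codes seen."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["agent"].startswith(prefix):
            continue
        entry = report.setdefault(
            rec["agent"], {"hits": 0, "hosts": Counter(), "status": Counter()}
        )
        entry["hits"] += 1
        entry["hosts"][rec["host"]] += 1
        entry["status"][rec["status"]] += 1
    return report


def format_report(report):
    """Render the summary as plain text, one block per agent string."""
    out = []
    for agent, entry in sorted(report.items()):
        out.append(f"{agent}: {entry['hits']} hit(s)")
        for host, n in entry["hosts"].most_common():
            out.append(f"  {host}: {n}")
        codes = ", ".join(f"{c}x{n}" for c, n in sorted(entry["status"].items()))
        out.append(f"  status codes: {codes}")
    return "\n".join(out)


if __name__ == "__main__":
    # Read a real file with: summarize_agents(open("/var/log/apache2/access.log"))
    print(format_report(summarize_agents(SAMPLE_LOG.splitlines())))
```

Grouping on the agent prefix rather than the exact string also catches the sibling agents tinor saw (EZI_HTTP_INET_REQUEST, EZI_HTTP_ISP_REQUEST) in one pass, and the per-host counts show directly whether one address or many are behind the hits.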
 
Old 02-19-2007, 12:57 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Luckily some people report and so we have http://www.dshield.org/ipinfo.html?ip=219.132.138.237
 
Old 04-11-2007, 01:37 PM   #12
scotz@singleclicksys
LQ Newbie
 
Registered: Apr 2007
Posts: 1

Rep: Reputation: 0
Hi, my name is Scot Zarkiewicz and I am the CEO of SingleClick Systems. We are the manufacturer of the tool that is in question in this thread. I wanted to quickly describe to people what they are seeing. Dell Network Assistant (AKA: HomeNet Manager, Network Now, Network Now Pro!) is a Home Networking tool that provides, as one of its capabilities, a Network Scan feature, to detect all the devices that are connected to the Home Network. When we find a device we do probe port 80 to see if that device is exposing a management interface. This actually provides for a very useful function to less technically savvy customers who may not know how to open a management interface to a device such as a print server. Additionally we do probe the router to determine what type of device the user has, and provide one click access to this device as well. The URL that is mentioned above is used for Internet Health monitoring to determine when the user has lost their connection to the Internet (and take corrective action to resolve that problem.) I wanted to reassure the readers of this message board that the network traffic generated by our applications is not meant to be harmful in any way, and is only taking place to give the more novice user a simpler way to set up and manage their Home Network. If there are additional questions or concerns about this topic please don't hesitate to contact me directly at: scotz@singleclicksystems.com
 