homepage Welcome to WebmasterWorld Guest from 54.161.214.221
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

This 73 message thread spans 3 pages: < < 73 ( 1 [2] 3 > >     
CHINANET Beijing Province Network hammering my site!
They eat 403s but keeping coming like a mad-dog!
erlandc




msg:4421783
 10:24 pm on Feb 25, 2012 (gmt 0)

Hi,
Log files for just 1 day, various times.

Why do they keep coming?
Cyberwar?
Hold the course?
Thanks,
E

1.202.218.8 - - [25/Feb/2012:02:29:22 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:03:16:23 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:04:44:25 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:05:33:05 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:06:30:51 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:19:41 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:53:46 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:10:11:50 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:04:56 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:14:55 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"

 

wilderness




msg:4422437
 11:36 pm on Feb 27, 2012 (gmt 0)

Sure! what's your number? I'm in the mood


"hold the line and I'll get back to you"
OR null


Get the drift mow!

Staffa




msg:4422453
 12:09 am on Feb 28, 2012 (gmt 0)

erlandc, as a last resort, setup a single html page on your website NOT linked to any other pages and with NO links on it, just an orphan.
Fill the page with any text that you can find on the net putting CN in a bad light.
Redirect all visits of this bot to that page.
They won't like it and most likely go away.

erlandc




msg:4422454
 12:11 am on Feb 28, 2012 (gmt 0)

mow?

erlandc




msg:4422457
 12:35 am on Feb 28, 2012 (gmt 0)

Thanks alot Staffa! will do!

lucy24




msg:4422483
 1:50 am on Feb 28, 2012 (gmt 0)

Who's Annie?

That would be me.

Didn't know that myself until a few days ago. Always pictured more of an Agatha. Or Clytemnestra, or possibly Xanthippe. What was the character's name in Young Frankenstein who always made the horses whinny in terror?

* * *

Whoops! Didn't see the Next Page link hiding among all those Tweets and Likes and +1 buttons.

For some reason I've never got especially riled about Chinese robots. I just lock them out, end of story. For a while I was absolutely enraged by the Ukrainians, but I guess you develop tolerance. Or maybe they developed inverse tolerance, so they no longer come by in batches of 15. Just 6, and only once or twice a day.

Now, hotlinkers...

erlandc




msg:4422488
 2:08 am on Feb 28, 2012 (gmt 0)

ah, Ukrainians, blocked them out too. S'pose I'll just let them eat 403s. don't want to waste time like someone said here. will attempt to re-direct them with the stuff you said. maybe I'll test it on myself 1st. ho-hum

erlandc




msg:4422522
 5:22 am on Feb 28, 2012 (gmt 0)

Whew! Anyone?

does this look right?

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_HOST} 1\.202\.218\.8
RewriteRule \.php$

thanks

lucy24




msg:4422535
 6:34 am on Feb 28, 2012 (gmt 0)

So far so good. What happens after they ask for .php files?

Pfui




msg:4422635
 12:56 pm on Feb 28, 2012 (gmt 0)

Wait. There's more. [webmasterworld.com...]

erlandc




msg:4422785
 7:19 pm on Feb 28, 2012 (gmt 0)

I tested this on myself:

RewriteCond %{REMOTE_HOST} 70\.83\.210\.151
RewriteRule \.php$ [siteisentthemto.com...] [R=301,L]

didn't work...

thanks for your time

lucy24




msg:4422885
 11:26 pm on Feb 28, 2012 (gmt 0)

You mean you went to your own site in your own name-- er, I mean from your own IP-- asked for something ending in .php and you didn't get redirected?

###. What happened instead?

That's assuming for the sake of discussion that you have a fixed IP. Mine changes at random intervals-- most recently yesterday when the power was out for many hours. (Planned and pre-announced repairs, but try explaining why the fish are in the dark, the rat cage is cold and the cats' fountains don't work :()

erlandc




msg:4422892
 11:42 pm on Feb 28, 2012 (gmt 0)

yes, I went to my site, grabbed my IP, put it in htaccess, nada, was able to view my site, didn't get re-directed.
numb

lucy24




msg:4422924
 1:15 am on Feb 29, 2012 (gmt 0)

And you're in your logs as a perfectly normal 200?

Does other stuff in htaccess work? This is probably not the time to find out that the server has override permissions turned off (AllowOverride None) so you can't do anything with htaccess anyway :( Luckily this is a wildly unlikely explanation because Apache Docs seem to say that if you try to do something you're not allowed to do, you get walloped with a 500-class error. You'd have noticed.

More likely there's something else intercepting your request before you get as far as the attempted lockout. Put it right at the top of your Rewrites. That's where it ought to go anyway: normally you'd list directives in order of seriousness, from [F] to [G] to [R=301] to internal rewrites.

And, ahem, did you clear your browser cache (or preferably use a different browser than usual) and refresh the page? Everyone gets bitten by that one sooner or later.

erlandc




msg:4422932
 1:33 am on Feb 29, 2012 (gmt 0)

yes, showed 200, and some 304s, and no, I didn't use a different browser, or did a refresh.
as I said in revisited, I'm not an expert at this. I'll try decipher what you wrote.
that IP is all over the web now, smashing. this is why I wanna send off to a site that'll blow their little minds.
can't seem to find this directive anywhere, and what I did find, it didn't work. did you see "revisited'?
thanks

erlandc




msg:4427234
 3:45 am on Mar 10, 2012 (gmt 0)

I did it! Whew! Did a test on my IP & it worked. Thanks for your time ya'll!

Now that site can go to h e l l !

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} 1.202.218.8
RewriteRule .* [churchofsatan.com...] [R=301,L]

wilderness




msg:4427235
 3:50 am on Mar 10, 2012 (gmt 0)

so what happens when they simply change to 1.202.218.9 or one of the their other ranges?

Denying to the precise Class D is a bad practice.

erlandc




msg:4427239
 4:06 am on Mar 10, 2012 (gmt 0)

not sure what Class D is, as I said, I'm no expert at this. Bad practice? me? who me? they're the bad guys if you think it's me.

I think I messed up. I took off my IP & added theirs, now when I come to my site, I get re-directed to satan's site as well. back to the drawing bored

I'll block the whole range, I hope.
RewriteCond %{REMOTE_HOST} 1.0.0.0/8
Not sure if it'll work, but I'm here to learn

wilderness




msg:4427242
 4:22 am on Mar 10, 2012 (gmt 0)

1.202.218.8

Class A 1.
Class B 202.
Class C 218.
Class D 8

Just change this portion
RewriteCond %{REMOTE_HOST} 1.0.0.0/8

to
RewriteCond %{REMOTE_HOST} ^1.

erlandc




msg:4427246
 4:32 am on Mar 10, 2012 (gmt 0)

thanks alot, done. but now I still go to the re-direct site when I go to my site.

RewriteCond %{REMOTE_HOST} ^1.
RewriteCond %{REQUEST_URI} /www.mysite.com$
RewriteRule .* [churchofsatan.com...] [R=301,L]

has it got something to do with the 301?

wilderness




msg:4427247
 4:38 am on Mar 10, 2012 (gmt 0)

wtf is this?
RewriteCond %{REQUEST_URI} /www.mysite.com$

at 10:45 PM EST you submitted the following as functioning:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} 1.202.218.8
RewriteRule .* [churchofsatan.com...] [R=301,L]


no such line existed in that code?

BTW use of example.com prevents links, however I'm quite sure you've been told that previously.

erlandc




msg:4427249
 4:46 am on Mar 10, 2012 (gmt 0)

thanks, I took off RewriteCond %{REQUEST_URI} /www.mysite.com$

question is, when I go to my site, I still go the church etc site. what did I do wrong?

erlandc




msg:4427250
 4:48 am on Mar 10, 2012 (gmt 0)

this is what I have now

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_HOST} ^1.
RewriteRule .* [churchofsatan.com...] [R=301,L]

and I'm still going the hell site

wilderness




msg:4427254
 4:54 am on Mar 10, 2012 (gmt 0)

I did it! Whew! Did a test on my IP & it worked. Thanks for your time ya'll!

Now that site can go to h e l l !


Apparently not!

erlandc




msg:4427256
 4:56 am on Mar 10, 2012 (gmt 0)

it worked, then I re-tested and whack!

Apparently not! you are right!

everyone coming to my site now will go to h e l l !

kinda funny 'tho

back to the drawing board

#*$!

erlandc




msg:4427263
 5:55 am on Mar 10, 2012 (gmt 0)

wilderness, what did I do wrong? thanks

wilderness




msg:4427266
 6:10 am on Mar 10, 2012 (gmt 0)

#Turn on Rewrite, unless on previously
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^1\.
RewriteRule .* - [F]

erlandc




msg:4427267
 6:15 am on Mar 10, 2012 (gmt 0)

like this? want to send them that h e l l site

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^1.
RewriteRule .* [churchofsatan.com...] [F]

thx

lucy24




msg:4427318
 8:54 am on Mar 10, 2012 (gmt 0)

RewriteCond %{REMOTE_ADDR} ^1\.

Well, it's about ### time someone noticed that detail ;)

Erland, you have to escape the period \. otherwise it will mean "any character". So any IP that happens to begin in 1-- whether it's 12. or 198. or 15. or 137. or, et cetera-- will be caught by the rule.

erlandc




msg:4427359
 9:11 am on Mar 10, 2012 (gmt 0)

Hi Lucy,
oh gee! I'll try decipher what you said. I thought I did it right but it didn't quite work. It re-directed to that site, but from me too, of which I didn't put my IP, so I figured everyone coming to my site would go there as well. So I took it off for & left the deny IP. It's 4:10 AM & I'm going slightly mad about this. Must sleep.
Thanks for popping Lucy.
I'll be back after some tweep.

erlandc




msg:4427625
 9:12 pm on Mar 10, 2012 (gmt 0)

lucy
does escape the period mean delete?

erlandc




msg:4427633
 9:51 pm on Mar 10, 2012 (gmt 0)

is this correct?

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^1.
RewriteRule .* [churchof*****.com...] [F]

but I'd like to actually test on myself, like last night when it worked, but I guessed all my visitors were re-directed too. so I have to remove it. (BTW that IP in increasing its visits)

This 73 message thread spans 3 pages: < < 73 ( 1 [2] 3 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved