homepage Welcome to WebmasterWorld Guest from 54.243.23.129
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

This 73 message thread spans 3 pages: 73 ( [1] 2 3 > >     
CHINANET Beijing Province Network hammering my site!
They eat 403s but keeping coming like a mad-dog!
erlandc




msg:4421783
 10:24 pm on Feb 25, 2012 (gmt 0)

Hi,
Log files for just 1 day, various times.

Why do they keep coming?
Cyberwar?
Hold the course?
Thanks,
E

1.202.218.8 - - [25/Feb/2012:02:29:22 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:03:16:23 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:04:44:25 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:05:33:05 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:06:30:51 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:19:41 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:08:53:46 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:10:11:50 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:04:56 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"
1.202.218.8 - - [25/Feb/2012:12:14:55 -0800] "GET / HTTP/1.0" 403 4243 "-" "\"Mozilla/5.0"

 

Pfui




msg:4421791
 10:45 pm on Feb 25, 2012 (gmt 0)

With apologies to Alfred Lord Tennyson:

Ours is not to reason why, Ours is but to do: Deny.

erlandc




msg:4421792
 10:55 pm on Feb 25, 2012 (gmt 0)

Pfui, is that like pfffff?

ahhh, but don't they get it? are they like a love addict that just won't go away?

I'm going to send them an email and see what they say.

Anyone else?

Staffa




msg:4421803
 11:40 pm on Feb 25, 2012 (gmt 0)

Yep, I'm seeing the same idiot trying over and over again regardless what I throw at it (except content of course)

It used to call itself JikeSpider now it's logged as "Mozilla/5.0 (no closing quotes)and always comes with the same number.

erlandc




msg:4421805
 11:58 pm on Feb 25, 2012 (gmt 0)

Cyber it is: "U.S. cyber espionage report names China and Russia as main culprits"

"China has set up Project 863"

IP in question listed here: [abovetopsecret.com...]

Nothing I can do but let hammer their numskulls away.

Not sure if I want to email them as I might get spam. person: Hostmaster of Beijing Telecom corporation CHINA TELECOM
nic-hdl: HC55-AP
e-mail: bjnic@bjtelecom.net
address: Beijing Telecom
address: No. 107 XiDan Beidajie, Xicheng District Beijing
phone: +86-010-58503461
fax-no: +86-010-58503054
country: cn

lucy24




msg:4421831
 1:37 am on Feb 26, 2012 (gmt 0)

Very very few spiders react to a 403. It's like a routine shopping list: if the store is out of one item, you don't head straight for the checkout and abandon the rest of the list. Hey, who knows, maybe they'll let me in to the 84th page I ask for.

In fact I've only met one or two robots who seemed to behave differently when they didn't get the expected 403 --for example by arriving from an IP I didn't know about. And I have to say: those are scary. Better to be hit with a bunch of stupid robots than one with a brain. ("Store's out of eggplant, so don't bother about the next six items, which are all the other ingredients for eggplant parmigiana.")

erlandc




msg:4421836
 2:06 am on Feb 26, 2012 (gmt 0)

I don/t bother using my robot.txt much these days, easier to see where they are coming from, do quick research, and 9 times out of 10, they ain't good, so I just fatten up my htaccess file.

lucy24




msg:4421869
 6:31 am on Feb 26, 2012 (gmt 0)

Ditto. I use robots.txt to say which areas are off limits to everyone all the time. But if there's someone I don't want snuffling around, period, we go straight to the 403. You could probably count on the fingers of one hand the number of undesirable robots that faithfully obey robots.txt. I mean, if they're so polite, why would you want to block them? :)

erlandc




msg:4421871
 6:49 am on Feb 26, 2012 (gmt 0)

Not to say I don't use robots.txt, just that I scan to see if certain ones are respectful, & most of the time I find the answer here. The others can feel my sting, and as I wrote the initial post here, 1.202.218.8 has hit again. Should I?

erlandc




msg:4421993
 8:05 pm on Feb 26, 2012 (gmt 0)

They are still pounding away! How do fix my htaccess file so if they come back, to send them somewhere else?
thx

wilderness




msg:4421997
 8:22 pm on Feb 26, 2012 (gmt 0)

Their getting denied access.

Your not able to prevent the 403's from appearing in your logs (actually you may but its not worth the bother).

Your 403 file is 4243 (4.2kb) which presents no real server load.
You could serve them a more custom (almost empty 403) with 1/20th or less the file size.

Their hitting everybody, not just you.
Let 'em burn themselves out.

erlandc




msg:4422001
 8:29 pm on Feb 26, 2012 (gmt 0)

Thanks for your note wilderness.

I s'pose it wouldn't do any good to email them? Submit their email to dozens of newsletters? :)

bjnic@bjtelecom.net

Pfui




msg:4422002
 8:35 pm on Feb 26, 2012 (gmt 0)

Any additional denying/rewriting means more server steps, more server log lines, more wasted resources. If you don't care, send them packing to nowhere, a la:

RewriteRule .* http://127.0.0.1/ [L,R=301]

Thing is, they won't care. Best step? Ignore them and move on.

Make content, not war:)

Heck, be glad they're hitting as infrequently as they are. To me, hammering is more like upwards of 10 pages per second, not one or two an hour. THIS is hammering... [webmasterworld.com...]

erlandc




msg:4422003
 8:42 pm on Feb 26, 2012 (gmt 0)

Thanks Pfui for the reassurance,

I feel better, and thanks for the rule. If I get more hits, I'll try it.

wilderness




msg:4422004
 8:49 pm on Feb 26, 2012 (gmt 0)

I s'pose it wouldn't do any good


Why waste your time.
They likely only comprehend some obscure dialect of Manchurian anyway ;)

erlandc




msg:4422009
 9:04 pm on Feb 26, 2012 (gmt 0)

You're right wilderness,

Case closed. Gotta clean-up & prep for supper anyway.

Thanks alot everyone!

lucy24




msg:4422093
 1:12 am on Feb 27, 2012 (gmt 0)

If you don't care, send them packing to nowhere, a la:

RewriteRule .* http://127.0.0.1/ [L,R=301]

I did this for a while before realizing that they don't really go there, because robots have the option of not following redirects. But a 301 takes up even less room than a 403-- and some robots do slow down. (An earlier generation of my Ukrainians did.) Maybe they have to stop and figure out what to do next.

I've also seen the suggestion of redirecting them back to their own IP. Don't know what effect this would have if the source is an infected computer belonging to an unsuspecting human, rather than a genuine robot.

erlandc




msg:4422107
 1:46 am on Feb 27, 2012 (gmt 0)

Thanks lucy24,

I'll try it. It'll give me a little rush to mess them up.

I presume the IP (127.0.0.1) is a filler for the real one?

lucy24




msg:4422134
 3:39 am on Feb 27, 2012 (gmt 0)

No, 127.0.0.1 means yourself. It's the computer equivalent of contemplating your navel. You can try it by opening a new browser window and putting 127.0.0.1 in the address bar.

Can someone explain in words of two syllables where the "It works!" * comes from? Even Lynx and MSIE 5 say it :)


* Or, to be exact:

<html><body><h1>It works!</h1></body></html>

erlandc




msg:4422140
 4:01 am on Feb 27, 2012 (gmt 0)

Hmm, I see that 127.0.0.1 means loopback, which is new to me. Duh.
Now I'm lost.
Sorry.

wilderness




msg:4422141
 4:04 am on Feb 27, 2012 (gmt 0)

Now I'm lost.


Basically, it amounts to null, or "hold the line and I'll get back to you".

erlandc




msg:4422143
 4:17 am on Feb 27, 2012 (gmt 0)

Now I'm blind...what is null? "hold the line and I'll get back to you". ?

Sorry

wilderness




msg:4422146
 4:23 am on Feb 27, 2012 (gmt 0)

"what is null?"

Your computer must not have a google search on it ;)

erlandc




msg:4422147
 4:34 am on Feb 27, 2012 (gmt 0)

ok, thanks, no google around here, but what does that mean? not too familiar with your lingo, just trying to figure out my initial question, lucy sent me something other than Deny from, but can't decipher to well

Pfui




msg:4422283
 3:29 pm on Feb 27, 2012 (gmt 0)

(This thread is starting to remind me of Candid Camera or Punk'd!)

erlandc, you're overdue for some quality DIY time. Rather than expect everyone to explain everything, go to google.com (and/or wikipedia.com) and help yourself:

127.0.0.1
null
loopback
(etc.)

No need to reply;)

erlandc




msg:4422289
 3:42 pm on Feb 27, 2012 (gmt 0)

I was patient with my students when I taught ballroom, and I know this isn't a classroom, but you get my drift, thanks for your time Pfui

wilderness




msg:4422292
 3:49 pm on Feb 27, 2012 (gmt 0)

drifts work two ways, however apparently not from your perspective.

Why bother Annie.

Be glad to argue with you all day.

erlandc




msg:4422297
 4:13 pm on Feb 27, 2012 (gmt 0)

Sure! what's your number? I'm in the mood since the chinese got me all riled up! Plus, I was in '300' and always ready for a battle! :)

Who's Annie? She an orphan? LOL!

Pfui




msg:4422310
 4:38 pm on Feb 27, 2012 (gmt 0)

Who's Annie?


That would be me.

erlandc




msg:4422415
 10:34 pm on Feb 27, 2012 (gmt 0)

oh, still getting hammered. gonna try figure out with your help & others here to redirect them to the church of satan, so maybe that'll freak them out or convert them

This 73 message thread spans 3 pages: 73 ( [1] 2 3 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved