Webmaster General Forum

    
Help! This is too weird
Can you believe this attack?
walrus




msg:354795
 7:57 pm on Jul 24, 2004 (gmt 0)

I'm really lost, in a couple of years of webmastering I've never seen this before. Last night I found these IPs all trying to grab mail and contact CGI files and folders within a 4 minute period.

They were all like this, over 25 different IPs and requests!

fortim.terra.com.br - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.whatever.com/" "-"

Isn't this deliberate sabotage, and how can I trace the person who started it? Will pay if necessary. I am considering starting an internet bounty hunting business and need a few pros that might want to partner.

Walrus

 

robotsdobetter




msg:354796
 8:07 pm on Jul 24, 2004 (gmt 0)

It's very difficult to track them down because they are using fake IPs, but I am not an expert in this area. You also can't block them because all those IPs are fake.

walrus




msg:354797
 8:52 pm on Jul 24, 2004 (gmt 0)

Uh oh,
I just added them all to my htaccess,
sure I shouldn't block 'em?
Thanks
Walrus

microcars




msg:354798
 9:40 pm on Jul 24, 2004 (gmt 0)

I get those too, but they are trying to access non-existent cgi-bin files. (at least in my case...) The site in question has no cgi-bin folder!

pendanticist




msg:354799
 9:54 pm on Jul 24, 2004 (gmt 0)

I'm curious. How do you know they are fake?

uncle_bob




msg:354800
 10:17 pm on Jul 24, 2004 (gmt 0)

Because they don't all ask for the same file, I've always assumed they are zombied machines. If they were fake, I would assume there would be more requests for the same file.

pendanticist




msg:354801
 10:25 pm on Jul 24, 2004 (gmt 0)

Oh. I thought you were saying that the IP numbers themselves were fake.

walrus




msg:354802
 3:30 am on Jul 25, 2004 (gmt 0)

Thanks for the replies,
they didn't all ask for the same files, and they are non-existent on my site.
I'm leaving them blocked for now. Maybe I should post the whole excerpt from the log?
Walrus

m_shroom




msg:354803
 4:14 pm on Jul 25, 2004 (gmt 0)

I report all my firewall hits to [dshield.org...] they may be of some help.

walrus




msg:354804
 8:54 pm on Jul 25, 2004 (gmt 0)

DShield's a good idea. I've also just forwarded them to my server to see if they can find the reverse path.
Man, can see why they say hacks and viruses cost the economy so much. I'm spending hours chasing spectres and log anomalies, and less time maintaining and building my site.
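
A way to check an access log for the pattern discussed in this thread (many different hosts requesting mail and contact CGI scripts within a few minutes), added here as an example and not part of any member's post. The probe pattern, the 5-minute window, the 3-host threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Apache access-log line, same layout as the entry quoted in the first post.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed definition of a "mail/contact CGI" probe; tune it to your own site.
PROBE_RE = re.compile(r'(?i)(formmail|mail|contact)[^/?]*\.(cgi|pl)\b')

# Constructed sample log (documentation IP ranges, not the thread's data).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jul/2004:07:30:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Jul/2004:07:31:05 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.example.com/" "-"
203.0.113.44 - - [24/Jul/2004:07:31:40 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 226 "http://www.example.com/" "-"
198.51.100.99 - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/contact.cgi HTTP/1.1" 404 226 "http://www.example.com/" "-"
203.0.113.5 - - [24/Jul/2004:07:34:11 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 226 "http://www.example.com/" "-"
192.0.2.77 - - [24/Jul/2004:11:02:00 -0400] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 226 "-" "-"
"""

def probe_events(log_text):
    """Return time-sorted (time, host, path, status) for requests matching PROBE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m.group(4)):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append((when, m.group(1), m.group(4), int(m.group(5))))
    return sorted(events)

def find_bursts(events, window=timedelta(minutes=5), min_sources=3):
    """Group probes within `window` of a group's first probe; keep multi-host groups."""
    groups, current = [], []
    for ev in events:
        if current and ev[0] - current[0][0] > window:
            groups.append(current)   # gap too large: close the current group
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    bursts = []
    for g in groups:
        hosts = {e[1] for e in g}
        if len(hosts) >= min_sources:
            bursts.append({"start": g[0][0], "end": g[-1][0], "hosts": sorted(hosts),
                           "paths": sorted({e[2] for e in g}),
                           "all_404": all(e[3] == 404 for e in g)})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(probe_events(SAMPLE_LOG)):
        print(b["start"], "->", b["end"], len(b["hosts"]), "hosts", b["paths"], "all 404:", b["all_404"])
```

When `all_404` is true, every probe in the burst asked for a script that does not exist on the site, which is the situation microcars and walrus describe.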
