Help! This is too weird. Can you believe this attack?

walrus
I'm really lost; in a couple of years of webmastering I've never seen this before. Last night I found these IPs all trying to grab mail and contact CGI files and folders within a 4-minute period.
They were all like this, over 25 different IPs and requests!
fortim.terra.com.br - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.whatever.com/" "-"
Isn't this deliberate sabotage, and how can I trace the person who started it? Will pay if necessary. I am considering starting an internet bounty hunting business and need a few pros that might want to
It's very difficult to track them down because they are using fake IPs, but I am not an expert in this area. You also can't block them because all those IPs are fake.

walrus
Uh oh, I just added them all to my htaccess; sure I shouldn't block 'em? Thanks, Walrus

microcars
I get those too, but they are trying to access non-existent cgi-bin files (at least in my case...). The site in question has no cgi-bin folder!

pendanticist
I'm curious. How do you know they are fake?

uncle_bob
Because they don't all ask for the same file, I've always assumed they are zombied machines. If they were fake, I would assume there would be more requests for the same file.

pendanticist
Oh. I thought you were saying that the IP numbers themselves were fake.

walrus
Thanks for the replies. They didn't all ask for the same files, and they are non-existent on my site. I'm leaving them blocked for now. Maybe I should post the whole excerpt from the log? Walrus

m_shroom
I report all my firewall hits to [ ...]; they may be of some help. dshield.org

walrus
DShield's a good idea. I've also just forwarded them to my server to see if they can find the reverse path. Man, can see why they say hacks and viruses cost the economy so much. I'm spending hours chasing spectres and log anomalies, and less time maintaining and building my site.
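
Added example, not part of the original thread: a Python version of the check walrus did by eye, flagging windows in an Apache access log where several distinct clients request mail/contact form scripts that return 404. The script-name pattern, the three-host threshold and the sample log lines (documentation-range addresses) are assumptions constructed for illustration; only the 4-minute window and the `/cgi-bin/formmail.cgi` request come from the thread.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed list of form-script names; the thread itself only shows formmail.cgi.
PROBE_RE = re.compile(r'/(formmail|mail|contact)[^/]*\.(cgi|pl)$', re.I)
# Constructed sample lines, not taken from walrus's log.
SAMPLE = [
    '192.0.2.10 - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.example.com/" "-"',
    '198.51.100.7 - - [24/Jul/2004:07:33:02 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 222 "-" "-"',
    '203.0.113.44 - - [24/Jul/2004:07:35:41 -0400] "POST /cgi-bin/contact.pl HTTP/1.1" 404 224 "-" "-"',
    '192.0.2.99 - - [24/Jul/2004:07:36:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.200 - - [24/Jul/2004:09:10:00 -0400] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 226 "-" "-"',
]

def parse(line):
    """Return (host, timestamp, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['host'], ts, m['path'].split('?')[0], int(m['status'])

def probe_bursts(lines, window=timedelta(minutes=4), min_hosts=3):
    """Return (start, end, hosts) per window with >= min_hosts distinct clients
    requesting form scripts that do not exist on the site (status 404)."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404 and PROBE_RE.search(rec[2]):
            hits.append((rec[1], rec[0]))
    hits.sort()
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        hosts = sorted({h for _, h in hits[i:j]})
        if len(hosts) >= min_hosts:
            bursts.append((hits[i][0], hits[j - 1][0], hosts))
            i = j          # skip past the burst already reported
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, hosts in probe_bursts(SAMPLE):
        print(start, end, hosts)
```

A lone 404 for a form script, like the last sample line, is not reported; only the coordinated burst is, which is the part worth forwarding to a host or to DShield.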