
Website Technology Issues Forum

    
8600 bad requests
Why
David




msg:671417
 9:57 pm on Feb 11, 2002 (gmt 0)

In January I had this IP address make 2600 requests for mydomain.com/a within a couple of minutes. Today the same IP address requested mydomain/a 8600 times. They then came back and took 244 pages, mostly the same pages over and over again. The referrer for the IP has been disabled and it's from a European IP block.

I just blocked the IP, but I am sitting here wondering what would be the purpose? Since it's directed at "mydomain" and not just an IP, is this an attempt to crash my server?

David

 

wilderness




msg:671418
 12:08 am on Feb 12, 2002 (gmt 0)

Here is a simple solution to NO UA.

# Return 403 Forbidden when the User-Agent header is empty or a bare "-"
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^.*$ - [F]

You SHOULD be able to change it to:

# Return 403 Forbidden when the Referer header is empty or a bare "-"
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule ^.*$ - [F]

as well.

Air




msg:671419
 12:31 am on Feb 12, 2002 (gmt 0)

Are the requests structured something like this:


"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/root.exe?/c+dir HTTP/1.0"
"GET /MSADC/root.exe?/c+dir HTTP/1.0"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

If they are, then you are being hit by a server infected with the NIMDA virus looking for another server to infect. If you're not hosted on NT/IIS then you don't need to worry, but it is a waste of bandwidth and makes the logs a pain to go through.

David




msg:671420
 1:53 am on Feb 12, 2002 (gmt 0)

Thanks Air, it's not Nimda.

It looks like a person running a bot at me. I dug into my logs and found this order of things.

IP address XX.XX.XX.XX does a search on google.com.pl on a keyword (I see the referrer in the logs). They are using IE6, WIN NT and they view a few pages like a user would.

Then a minute or so later the same IP sends a bot that grabs up pages "244 today repeating the same pages" while that is happening it is also making a bad request for "http://mydomain.com/a" 8600 of that bad request today. All that happens in less than 5 minutes.

I was visited twice in January and today was the first for February.

What's funny is the keywords they used. One is a two word phrase that I sit at number 4 out of 500,000. But the other is a one word search that I sit at 470 out of 2 million. They clicked that link at 470.

But in total today 8900 requests to the server in less than 5 minutes is a bit much.

Any thoughts?


Air




msg:671421
 2:41 am on Feb 12, 2002 (gmt 0)

It's kind of difficult to say what they're up to, as a DOS it's a pretty feeble attempt, maybe it's just a bad script. Is there some reason why you don't just ban them if it's the same IP doing the damage?

David




msg:671422
 2:53 am on Feb 12, 2002 (gmt 0)

I banned them earlier today. This one is just weird, and I am a little paranoid. You're right, it would be a pretty weak DOS attack. Where I live when the ground moves you tend to brace yourself for a serious shaking.

Thanks
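
The log triage David describes in msg:671420 (requests per IP inside a short window, plus the path each IP repeats most), as an added example that is not part of the thread. The IP addresses, paths, status codes and thresholds are constructed assumptions, and the parser expects Apache common/combined log lines.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache common/combined log prefix: client host, timestamp, request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

def parse(line):
    """Return (ip, timestamp, path), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)

def find_bursts(lines, window_s=300, threshold=100):
    """Flag IPs that make `threshold` or more requests within `window_s` seconds.

    Returns {ip: (peak_requests_in_window, most_requested_path, hits_on_path)}.
    Each IP's lines must be in chronological order, as in an access log.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = Counter()              # ip -> largest window count seen so far
    paths = defaultdict(Counter)  # ip -> path -> total hits
    for rec in filter(None, map(parse, lines)):
        ip, ts, path = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][path] += 1
    return {ip: (n, *paths[ip].most_common(1)[0])
            for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log lines: a browser-like visitor and one burst client."""
    t0 = datetime.strptime("11/Feb/2002:21:50:00 +0000", TS_FMT)
    def row(ip, sec, path, status):
        stamp = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" {status} 512'
    rows = [row("198.51.100.7", s * 40, f"/page{s}.html", 200) for s in range(6)]
    rows += [row("192.0.2.10", 60 + s // 3, "/a", 404) for s in range(400)]
    rows += [row("192.0.2.10", 200 + s, f"/page{s % 4}.html", 200) for s in range(40)]
    rows.append("malformed line that the parser skips")
    return rows

if __name__ == "__main__":
    for ip, (n, path, hits) in find_bursts(sample_log()).items():
        print(f"{ip}: peak {n} requests in 5 min; {hits} hits on {path}")
```

The per-IP peak and top path together separate a single client hammering one URL from a crawler spreading requests across the site, which is the distinction the thread is trying to draw by eye.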

© Webmaster World 1996-2014 all rights reserved