
Website Analytics - Tracking and Logging Forum

    
Unusual url in web logs
Can't determine where traffic is coming from
NickR

Msg#: 192 posted 5:21 pm on Aug 27, 2001 (gmt 0)

Starting August first I started noticing URLs of the form:
/?did=150&ver=1.51&duid=jxbkatoxiynnmtvqxmvbeqtpdrdlu
showing up in logs. Seems to be coming from all over. The user gets the home page. No user agent or referrer is logged. I can't find a developer here who has a bad cgi or jscript. Doesn't seem to be generated in house, as I can't find the IPs of these users accessing any other pages. Steady traffic of a couple hundred thousand hits a day.
Any thoughts on this will be greatly appreciated.

Nick

 

agerhart

Msg#: 192 posted 5:27 pm on Aug 27, 2001 (gmt 0)

Welcome to WmW, NickR,

I am not 100% on this, but a few weeks ago we were seeing the same amount of hits in our logs from Code Red.

NickR

Msg#: 192 posted 5:41 pm on Aug 27, 2001 (gmt 0)

Thanks for your reply and welcome,

Yes, we got the Code Red trash as well. Still am, in fact, but it doesn't affect us. I deployed a zero length default.ida because I got tired of seeing it in 404 reports.

However, I realized I should give more info about my architecture. I'm running Solaris 8 and Iplanet 4.1sp7 on these servers, and have been doing so for some time.

Also interesting, I'm seeing roughly the same traffic on ww1.sportsline.com and www.sportsline.com. ww1 is a server farm of five servers and www is a farm of dozens. But they're seeing the same total amount of traffic on these urls (about one every 1.6 seconds).

The duid= often has what looks like a generated password or identifier - always the same for the same IP.

Regards,
Nick
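
An added example, not part of the thread: one way to profile the did/ver/duid requests described above, checking blank referrer and user agent, whether each IP really keeps a single duid, and the arrival rate. It assumes NCSA combined log format with "-" for an absent header; the sample lines are constructed and the name summarize is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation address ranges, made-up duid values).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Aug/2001:17:00:00 +0000] "GET /?did=150&ver=1.51&duid=aaaabbbbccccdddd HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [27/Aug/2001:17:00:02 +0000] "GET /?did=150&ver=1.51&duid=eeeeffffgggghhhh HTTP/1.0" 200 5120 "-" "-"
203.0.113.5 - - [27/Aug/2001:17:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0"
192.0.2.10 - - [27/Aug/2001:17:00:04 +0000] "GET /?did=150&ver=1.51&duid=aaaabbbbccccdddd HTTP/1.0" 200 5120 "-" "-"
203.0.113.5 - - [27/Aug/2001:17:00:05 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0 "-" "-"
"""

# Assumed layout: ip ident user [time] "method target proto" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

def summarize(log_text):
    """Profile requests whose query string carries did, ver and duid."""
    ip_duids = defaultdict(set)      # ip -> every duid value that ip has sent
    times, blank_headers = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status, referer, agent = m.groups()
        query = parse_qs(urlsplit(target).query)
        if not {"did", "ver", "duid"}.issubset(query):
            continue                 # ordinary page views, default.ida probes, etc.
        ip_duids[ip].add(query["duid"][0])
        times.append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        if referer in ("", "-") and agent in ("", "-"):
            blank_headers += 1
    times.sort()
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    return {
        "hits": len(times),
        "blank_headers": blank_headers,
        "ips_with_multiple_duids": sorted(ip for ip, d in ip_duids.items() if len(d) > 1),
        "mean_gap_seconds": span / (len(times) - 1) if len(times) > 1 else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty ips_with_multiple_duids list matches the "always the same for the same IP" observation; entries there would point to shared addresses or rotating identifiers.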

Brett_Tabke

Msg#: 192 posted 4:14 pm on Aug 28, 2001 (gmt 0)

Interesting. I'd follow troubleshooting methods.

a) no referrer? That's very suspect.
It either means it is coming from a post'ed doc or there is something wrong in the logging system. Some browsers would have to leak a referral from time to time.
b) possibly coming from https server? There should be some referral leaking even from there.
c) sure the server is ok? That's where I'd start.

Hundred thousand hits? Someone is IP spoofing you in some sort of DoS attack.

my_wan

Msg#: 192 posted 9:45 am on Sep 9, 2001 (gmt 0)

Similar problem in my server logs.
/default.ida?

This server is rarely up. Experimental, Apache on Win98. Started out coming from domains from around the world, then started consistently coming from what appeared to be other customers of my ISP. Usually hits me within an hour or so of starting Apache. No unauthorized servers detected. Always HTTP/1.0. Never a referer. Continued after an Fdisk, though the Apache binary stayed the same. The x's seem to be an attempt at a buffer overflow. Curious. Anyone with any info, thanks.

Found it, don't bother answering. Strange behavior!

(X's removed)

(edited by: Marcia at 10:31 am (gmt) on Sep. 9, 2001)

Marcia

Msg#: 192 posted 10:32 am on Sep 9, 2001 (gmt 0)

my_wan, that's the Code Red worm. Here's one thread about it, you'll find much more using the site search at page-top on the left.

[webmasterworld.com...]

my_wan

Msg#: 192 posted 12:33 am on Sep 10, 2001 (gmt 0)

Yes, I jumped the gun on that post before looking much. I didn't pay much attention to the Code Red worm running Apache. It's funny it didn't start hitting my logs until its second cycle.
