Starting August first I started noticing URLs of the form: /?did=150&ver=1.51&duid=jxbkatoxiynnmtvqxmvbeqtpdrdlu showing up in logs. Seems to be coming from all over. The user gets the home page. No user agent or referrer is logged. I can't find a developer here who has a bad cgi or jscript. Doesn't seem to be generated in house, as I can't find the IPs of these users accessing any other pages. Steady traffic of a couple hundred thousand hits a day. Any thoughts on this will be greatly appreciated.
Yes, we got the Code Red trash as well. Still am, in fact but it doesn't affect us. I deployed a zero length default.ida because I got tired of seeing it in 404 reports.
However, I realized I should give more info about my architecture. I'm running Solaris 8 and Iplanet 4.1sp7 on these servers, and have been doing so for some time.
Also interesting, I'm seeing roughly the same traffic on ww1.sportsline.com and www.sportsline.com. ww1 is a server farm of five servers and www is a farm of dozens. But they're seeing the same total amount of traffic on these URLs (about one every 1.6 seconds).
The duid= often has what looks like a generated password or identifier - always the same for the same IP.
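A small log scanner, added here as an illustration and not posted by anyone in the thread, that pulls out requests matching the shape described above (the did/ver/duid query string with no referrer and no user agent), counts them per source IP, checks whether each IP always sends the same duid, and works out the average interval between hits. The log lines are constructed sample data in combined log format; the field layout and the 1.6-second figure are taken from the posts above, everything else is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (combined log format) imitating the traffic in the
# thread: "/?did=...&ver=...&duid=..." with "-" for referrer and user agent,
# HTTP/1.0, mixed with one ordinary request that should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2001:10:00:00 +0000] "GET /?did=150&ver=1.51&duid=jxbkatoxiynnmtvqxmvbeqtpdrdlu HTTP/1.0" 200 5120 "-" "-"
198.51.100.9 - - [01/Aug/2001:10:00:01 +0000] "GET /?did=150&ver=1.51&duid=qwertyuiopasdfghjklzxcvbnmqwe HTTP/1.0" 200 5120 "-" "-"
203.0.113.7 - - [01/Aug/2001:10:00:03 +0000] "GET /?did=150&ver=1.51&duid=jxbkatoxiynnmtvqxmvbeqtpdrdlu HTTP/1.0" 200 5120 "-" "-"
192.0.2.44 - - [01/Aug/2001:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 8000 "http://www.example.com/" "Mozilla/4.0"
203.0.113.7 - - [01/Aug/2001:10:00:06 +0000] "GET /?did=150&ver=1.51&duid=jxbkatoxiynnmtvqxmvbeqtpdrdlu HTTP/1.0" 200 5120 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query string shape reported in the thread: did=<n>&ver=<x.y>&duid=<token>.
DUID_RE = re.compile(r'^/\?did=\d+&ver=[\d.]+&duid=(?P<duid>[A-Za-z0-9]+)$')


def scan_log(text):
    """Return (per-IP stats, mean seconds between flagged hits).

    A line is flagged when its path matches DUID_RE and both referrer and
    user agent are "-". Per IP we keep hit count, the set of duids seen,
    how many hits were HTTP/1.0, and whether the duid was stable."""
    per_ip = defaultdict(lambda: {"hits": 0, "duids": set(), "http10": 0})
    times = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-log line
        q = DUID_RE.match(m["path"])
        if not q or m["referer"] != "-" or m["ua"] != "-":
            continue  # ordinary traffic, leave it alone
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["duids"].add(q["duid"])
        if m["proto"] == "HTTP/1.0":
            rec["http10"] += 1
        times.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    total = sum(r["hits"] for r in per_ip.values())
    span = (max(times) - min(times)).total_seconds() if len(times) > 1 else 0.0
    interval = span / (total - 1) if total > 1 else None  # thread saw ~1.6 s
    return {ip: {**r, "duid_stable": len(r["duids"]) == 1} for ip, r in per_ip.items()}, interval
```

Running it over a real day of logs gives the per-IP spread and the hit interval directly, which is what you need to decide whether the traffic is a single misbehaving client, a distributed one, or something to rate-limit at the edge.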
a) No referrer? That's very suspect. It either means it is coming from a POSTed doc or there is something wrong in the logging system. Some browsers would have to leak a referral from time to time. b) Possibly coming from an https server? There should be some referral leaking even from there. c) Sure the server is ok? That's where I'd start.
Hundred thousand hits? Someone is IP spoofing you in some sort of DoS attack.
This server is rarely up. Experimental, Apache on Win98. Started out coming from domains from around the world, then started consistently coming from what appeared to be other customers of my ISP. Usually hits me within an hour or so of starting Apache. No unauthorized servers detected. Always HTTP/1.0. Never a referer. Continued after an fdisk, though the Apache binary stayed the same. The x's seem to be an attempt at a buffer overflow. Curious. Anyone with any info, thanks.
Found it, don't bother answering. Strange behavior!
(edited by: Marcia at 10:31 am (gmt) on Sep. 9, 2001)