joined:Sept 1, 2012
Yesterday, my website
came under continual attack (DoS?) from a yahoo referrer/user agent listed below. The hits occurred every 10-15 seconds and were continuous when they stopped in the early am. At least 1900 hits (I think).
The is the referrer/ua. (URI etc. changed)
220.127.116.11 - - [07/Sep/2012:02:57:48 -0400] "GET
/cgi-bin/referers.cgi?http://images.search.yahoo.com/images/view;_ylt=A0PDoTHcCUlQh38AzK.JzbkF;_ylu=X3oDMTBlMTQ4cGxyBHNlYwNzcgRzbGsDaW1n?back=http%3A%2F%2Fimages.search.yahoo.com%2Fsearch%2Fimages%3Fp%3Dkeyword_one%2Bkeyword_two %26_adv_prop%3Dimage%26va%3Dkeyword_one%2Bkeyword_two%26fr%3Dyfp-t-701%26tab%3Dorganic%26ri%3D122&w=750&h=500&imgurl=www.example.com%2Fpicture_gallery%2Fimages%2Flocation_of_image%2image.jpg& rurl=http%3A%2F%2Fwww.example.com%2Fpicture_gallery%2Fimage_location.html&size=81.9+KB&name=image_title%29&p=keyword_one+keyword_two&oid=c8a97c65e40bca9a6331f36da03145c4&fr2=&fr=yfp-t-701&tt=image_title%2529&b=121&ni=112&no=122&ts=&tab=organic&sigr=123rbb8eu&sigb=14545eqhn&sigi=13aikubif&.crumb=NZ.bhUZyY2s
HTTP/1.1" 404 486
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5;
.NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
According to my logs, this user agent seems to want the image contained in the folder www.example.com/picture_gallery//images/location_of_image/image.jpg.
Hosting company said no impact to their system because bytes served were low and server was returning 404.
The "GET" references a perl logging script using a 1px by 1px web beacon.
[edited by: incrediBILL at 2:45 am (utc) on Sep 12, 2012]
[edit reason] broke up long referer [/edit]