
Help! This is to weird

Can you believe this attack?


walrus

7:57 pm on Jul 24, 2004 (gmt 0)

10+ Year Member



I'm really lost; in a couple of years of webmastering I've never seen this before. Last night I found these IPs all trying to grab mail and contact CGI files and folders within a 4-minute period.

207.30.229.130
200.48.218.178
eul0600086-pip.eu.verio.net
212.174.111.110
cheyuk.or.kr
shcprague-gts.comp.cz
mrtg.pwless.net
ip103-231.introweb.nl
218.185.66.178
fortim.terra.com.br
194.65.1.250
h-209-91-93-146.gen.cadvision.com
216.72.28.100
vtelinet-216-66-110-34.vermontel.net
68.152.174.70
211.215.21.154
pcp02584311pcs.7acres01.ar.comcast.net
205.155.196.131
207.30.229.130
200.48.218.178
binnig.uni2.net
eul0600086-pip.eu.verio.net
198.237.114.56
12.170.99.234
211.46.75.189
212.174.111.110

They were all like this, over 25 different IPs and requests!

fortim.terra.com.br - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.whatever.com/" "-"

Isn't this deliberate sabotage, and how can I trace the person who started it? Will pay if necessary. I am considering starting an internet bounty hunting business and need a few pros that might want to partner.

Walrus
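The line walrus quotes is in Apache's combined log format. The following is an added example, not code from the thread or from WebmasterWorld: a small Python script that parses such lines, keeps only requests for CGI scripts that returned 404, and reports how many distinct clients hit them inside a sliding time window. The sample log lines, hostnames and timestamps are constructed, and the path pattern used to decide what counts as a "CGI probe" is an assumption (the thread only shows formmail.cgi).

```python
"""Flag bursts of distinct hosts probing for non-existent CGI scripts.

Added example; the log lines below are constructed to resemble the
combined-format line quoted in the thread.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: anything under /cgi-bin/ or ending in .cgi/.pl is a CGI script request.
CGI_PROBE_RE = re.compile(r'^/cgi-bin/|\.(cgi|pl)$', re.IGNORECASE)

# Constructed sample log (hosts 10.0.0.x are placeholders, not real addresses).
SAMPLE_LOG = [
    '10.0.0.1 - - [24/Jul/2004:07:32:20 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "http://www.whatever.com/" "-"',
    '10.0.0.2 - - [24/Jul/2004:07:32:41 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 226 "-" "-"',
    '10.0.0.3 - - [24/Jul/2004:07:33:05 -0400] "GET /cgi-bin/contact.cgi HTTP/1.1" 404 226 "-" "-"',
    '10.0.0.1 - - [24/Jul/2004:07:33:30 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 226 "-" "-"',
    '10.0.0.4 - - [24/Jul/2004:07:34:10 -0400] "POST /contact.cgi HTTP/1.1" 404 226 "-" "-"',
    '10.0.0.5 - - [24/Jul/2004:07:35:50 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "-" "-"',
    '10.0.0.9 - - [24/Jul/2004:07:33:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.6 - - [24/Jul/2004:09:10:00 -0400] "GET /cgi-bin/formmail.cgi HTTP/1.1" 404 226 "-" "-"',
    '10.0.0.7 - - [24/Jul/2004:07:34:00 -0400] "GET /cgi-bin/formmail.cgi HTTP/1.1" 200 1024 "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_cgi_probe(rec):
    """A request for a CGI script that this server does not serve (404)."""
    return rec["status"] == 404 and CGI_PROBE_RE.search(rec["path"]) is not None


def summarize_probes(lines, window=timedelta(minutes=4), min_hosts=5):
    """Summarize CGI probes and report the most distinct hosts seen in any window."""
    probes = [r for r in map(parse_line, lines) if r and is_cgi_probe(r)]
    probes.sort(key=lambda r: r["time"])
    peak, peak_start = 0, None
    for i, start in enumerate(probes):
        # Window [start, start + window); later records only, since the list is sorted.
        hosts = {r["host"] for r in probes[i:] if r["time"] - start["time"] < window}
        if len(hosts) > peak:
            peak, peak_start = len(hosts), start["time"]
    return {
        "probe_requests": len(probes),
        "distinct_hosts": sorted({r["host"] for r in probes}),
        "paths": Counter(r["path"] for r in probes),
        "peak_hosts_in_window": peak,
        "peak_window_start": peak_start,
        "burst": peak >= min_hosts,
    }


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Distinct-host count per window, rather than total request count, is the useful signal here: many different clients each sending one request for a script you do not have is what distinguishes a distributed scan from one misbehaving bot, and it is also the number a report to a service like DShield needs. Successful (200) requests to an existing script are deliberately not counted, and the threshold and window are parameters so they can be tuned to the server's normal traffic.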

robotsdobetter

8:07 pm on Jul 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's very difficult to track them down because they are using fake IPs, but I am not an expert in this area. You also can't block them because all those IPs are fake.

walrus

8:52 pm on Jul 24, 2004 (gmt 0)

10+ Year Member



Uh oh,
I just added them all to my .htaccess.
Sure I shouldn't block 'em?
Thanks,
Walrus

microcars

9:40 pm on Jul 24, 2004 (gmt 0)

10+ Year Member



I get those too, but they are trying to access non-existent cgi-bin files (at least in my case...). The site in question has no cgi-bin folder!

pendanticist

9:54 pm on Jul 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm curious. How do you know they are fake?

uncle_bob

10:17 pm on Jul 24, 2004 (gmt 0)

10+ Year Member



Because they don't all ask for the same file, I've always assumed they are zombied machines. If they were fake, I would assume there would be more requests for the same file.

pendanticist

10:25 pm on Jul 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh. I thought you were saying that the IP numbers themselves were fake.

walrus

3:30 am on Jul 25, 2004 (gmt 0)

10+ Year Member



Thanks for the replies,
they didn't all ask for the same files, and they are non-existent on my site.
I'm leaving them blocked for now. Maybe I should post the whole excerpt from the log?
Walrus

m_shroom

4:14 pm on Jul 25, 2004 (gmt 0)

10+ Year Member



I report all my firewall hits to [dshield.org...]; they may be of some help.

walrus

8:54 pm on Jul 25, 2004 (gmt 0)

10+ Year Member



DShield's a good idea. I've also just forwarded them to my server to see if they can find the reverse path.
Man, I can see why they say hacks and viruses cost the economy so much. I'm spending hours chasing spectres and log anomalies, and less time maintaining and building my site.