I just recently (Friday) decided to break out my video store into its own sub-domain (from www.mysite.com to video.mydomain.com)... mainly to ease tracking and to monitor ROI.
So, late Friday night, I set up a new Virtual Host on a brand new, unused IP in my range. I have to wait until Monday to get the new domain name inserted into the DNS system, so as it sits now, the ONLY way to get in is via direct IP address.
So I spent a bit of Saturday tweaking the code and all, getting it ready to go live Monday. So, this morning (Sunday) I just go look at the log... guess what I find?
30 visitors to this IP! Well, 27- I was three of them.
Most were just one hit and go away things... and thus would be under the radar of most wm's detecting them... so a one-day experiment was kind of cool to get this sort of info. But a couple tried to gulp it all (all 25 pages or so... no big deal)
So, I just thought I would share. I never thought that there would be that many people in one day War-games dialing IP addys...
Of course, YMMV!
dave
PS: Jim- tried to PM you with the particulars... your mailbox be full!
This sacrificial IP addy just sends anyone to my ban from hell file. I figured by it being the FIRST IP in my range, I would stop a lot of these trolling hackers.
Did some checks on the 27 IP's I mentioned above. A couple do appear on some of the other IP's in my range, and skip some. Some ONLY appear on this IP... so, kind of weird. I had thought the hackers would go sequentially through IP's. Looks like they skip through a bit, too!
Again, YMMV!
dave
>>> So I spent a bit of Saturday tweaking the code and all, getting it ready to go live Monday. So, this morning (Sunday) I just go look at the log... guess what I find? 30 visitors to this IP! Well, 27- I was three of them.
And the others were...?
I've seen this happen innumerable times at my office website and 99%-plus of those "mystery" hits were from machines infected with Code Red or some other worm. There are three virtual domains on my server which are serving no actual webpages (the IP was assigned for ftp site purposes, but no corresponding website is set up), but they still get between 2500 and 5000 hits a month by such worms.
>>> And the others were...?
I can post the IP's if you want...
To determine if it's one of the worms, it's more useful to see the log entry indicating what "page" was requested.
If it's something like "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" or a similar request that looks designed to trigger a Windows command, it's a worm banging on IP numbers to see if it can share its infection.
That kind of traffic makes up about 4-5% of the requests hitting my office webserver.
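The check described in the last post, sketched as an added example that is not part of any post in this thread: it reads access-log lines, decodes each requested "page" repeatedly (so the double-encoded `%255c` resolves to a backslash), and groups signature hits by client IP. The log lines are constructed samples using documentation IP ranges, and the `/default.ida` signature for Code Red is an addition not quoted in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache Common Log Format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:03:12:44 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [01/Jan/2000:03:12:45 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [01/Jan/2000:04:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 268
203.0.113.5 - - [01/Jan/2000:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2000:09:30:02 +0000] "GET /videos/list.html HTTP/1.1" 200 8800
"""

# client IP, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Signatures applied to the fully decoded, lower-cased request target.
SIGNATURES = {
    "windows-shell": re.compile(r"cmd\.exe"),         # pattern quoted in the thread
    "path-traversal": re.compile(r"\.\.[\\/]"),       # ../ or ..\ after decoding
    "ida-overflow": re.compile(r"/default\.ida\?"),   # assumption: Code Red probe
}

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def classify(target):
    """Return the sorted names of all signatures the request target matches."""
    decoded = fully_decode(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def summarize(log_text):
    """Map client IP -> set of signature names hit (empty set = no match)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(1)].update(classify(m.group(3)))
    return dict(hits)

if __name__ == "__main__":
    for ip, names in summarize(SAMPLE_LOG).items():
        print(ip, "worm-like: " + ", ".join(sorted(names)) if names else "no signature match")
```

IPs that come back with an empty set are the ones worth a closer look by hand, since they requested real-looking pages rather than a known worm probe.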