8600 bad requests

Why

     

David

9:57 pm on Feb 11, 2002 (gmt 0)


In January I had this IP address make 2600 requests for mydomain.com/a within a couple of minutes. Today the same IP address requested mydomain/a 8600 times. They then came back and took 244 pages, mostly the same pages over and over again. The referrer for the IP has been disabled and it's from a European IP block.

I just blocked the IP, but I am sitting here wondering what would be the purpose? Since it's directed at "mydomain" and not just an IP, is this an attempt to crash my server?

David

wilderness

12:08 am on Feb 12, 2002 (gmt 0)


Here is a simple solution to NO UA.

RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^.*$ - [F]

You SHOULD be able to change it to:

RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule ^.*$ - [F]

as well.

Air

12:31 am on Feb 12, 2002 (gmt 0)


Are the requests structured something like this:

"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/root.exe?/c+dir HTTP/1.0"
"GET /MSADC/root.exe?/c+dir HTTP/1.0"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

If they are, then you are being hit by a server infected with the NIMDA virus looking for another server to infect. If you're not hosted on NT/IIS then you don't need to worry, but it is a waste of bandwidth and makes the logs a pain to go through.

David

1:53 am on Feb 12, 2002 (gmt 0)


Thanks Air, it's not Nimda.

It looks like a person running a bot at me. I dug into my logs and found this order of things.

IP address XX.XX.XX.XX does a search on google.com.pl on a keyword (I see the referrer in the logs). They are using IE6, WIN NT and they view a few pages like a user would.

Then a minute or so later the same IP sends a bot that grabs up pages, "244 today repeating the same pages"; while that is happening it is also making a bad request for "http://mydomain.com/a", 8600 of that bad request today. All that happens in less than 5 minutes.

I was visited twice in January and today was the first for February.

What's funny is the keywords they used. One is a two word phrase that I sit at number 4 out of 500,000. But the other is a one word search that I sit at 470 out of 2 million. They clicked that link at 470.

But in total today 8900 requests to the server in less than 5 minutes is a bit much.

Any thoughts?
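One way to spot the pattern described in the post above (thousands of requests from one IP inside five minutes, almost all for one path) in an Apache access log. This is an added example, not part of the original thread; the IPs are documentation addresses, the log lines are constructed, and the 1000-request threshold and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [time] "METHOD path proto"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*"')

def find_bursts(lines, window=timedelta(minutes=5), threshold=1000):
    """Return {ip: {"peak", "top_path", "top_share"}} for every IP whose request
    count inside any sliding window reaches the threshold (assumed value).
    Assumes the lines are in chronological order, as Apache writes them."""
    recent = defaultdict(deque)                    # ip -> timestamps inside window
    peak = defaultdict(int)                        # ip -> largest window count
    paths = defaultdict(lambda: defaultdict(int))  # ip -> path -> hits
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:                  # drop hits older than window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        paths[m["ip"]][m["path"]] += 1
    report = {}
    for ip, n in peak.items():
        if n >= threshold:
            top, hits = max(paths[ip].items(), key=lambda kv: kv[1])
            total = sum(paths[ip].values())
            report[ip] = {"peak": n, "top_path": top, "top_share": hits / total}
    return report

def sample_log():
    """Constructed lines shaped like the incident in the thread (not real data)."""
    start = datetime(2002, 2, 11, 21, 0, 0, tzinfo=timezone.utc)
    def line(ip, t, path, status):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" {status} 0 "-" "-"'
    out = [line("198.51.100.7", start, "/index.html", 200)]  # ordinary visitor
    for i in range(8844):                          # 244 page fetches + 8600 x /a
        t = start + timedelta(seconds=60 + i * 240 / 8844)
        path, status = (f"/page{i % 20}.html", 200) if i < 244 else ("/a", 400)
        out.append(line("192.0.2.10", t, path, status))
    return out

if __name__ == "__main__":
    print(find_bursts(sample_log()))
```

A high `top_share` on a path that returns errors points to a looping or broken script rather than a crawl of the site.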

Air

2:41 am on Feb 12, 2002 (gmt 0)


It's kind of difficult to say what they're up to, as a DOS it's a pretty feeble attempt, maybe it's just a bad script. Is there some reason why you don't just ban them if it's the same IP doing the damage?

David

2:53 am on Feb 12, 2002 (gmt 0)


I banned them earlier today. This one is just weird, and I am a little paranoid. You're right, it would be a pretty weak DOS attack. Where I live when the ground moves you tend to brace yourself for a serious shaking.

Thanks
