
Anyone else notice an increase in coordinated site mirroring attempts?

Coordinated attacks and mirroring attempts

3:34 am on Mar 30, 2003 (gmt 0)



Hi all.

Lately, I have noticed an increase in coordinated site mirroring attempts on our website, occasional coinciding requests for/POSTs to formmail.pl, and also occasional attacks from those same IP addresses via the web and/or virus-laden email files. (Email attacks, web exploit attacks, and/or formmail.pl requests do not always coincide with these mirror attempts.)

Really very weird. It is as if someone is writing bots to infect machines on the 'net and have them attempt to mirror our sites, (occasionally) access and use (the nonexistent) formmail.pl script, and also in some few cases send emails with virii attached to our webmaster email address. I've blocked a few dozen (if not a few hundred) IP addresses so far...

Here's one example... note the valid request followed by the attack at roughly the same time. The IP address is being sent an error message on the valid request and a page that says their attack attempt has been logged on the attack attempts btw...


64.174.210.27 - - [29/Mar/2003:22:46:48 +0500] "GET /CITIES/Simi_Valley/ HTTP/1.1" 200 267
64.174.210.27 - - [29/Mar/2003:22:46:48 +0500] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 200 43
64.174.210.27 - - [29/Mar/2003:22:46:49 +0500] "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 200 43

The site traversal is definitely pattern based, and script generated (and can be detected as such when we return a page with no links and a human-readable error with HTTP return code of 200, and the bot then tries the next link and the next as if there was something to click and it wasn't following the links it had previously cached from the nav bar of the previous pages).

I've seen these types of attacks before, and as in the past, some are coordinated to start at a certain time, while others just seem to start when a machine gets infected. They also coincide often (as is the case lately) with numerous bots (identifiable by their user agent, i.e. "Mozilla/4.0", etc., accessing spider trap pages and other traps) trying to mirror pages and directories, and ignoring 403 errors.

Has anyone successfully dealt with such things? This is consuming a large amount of bandwidth currently and is the equivalent of thousands of unique users per day worth of traffic.

Thanks,
Robert
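One way to pull the pattern Robert describes out of an access log automatically (an added example, not code from the thread): group requests by client IP and flag any IP whose request for one of the probed paths follows an ordinary page request within a few seconds. The three log lines from the post are used as-is; the 10.0.0.5 lines and the PROBE_PATHS list are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format. First three lines are from the post; last two are constructed.
SAMPLE_LOG = """\
64.174.210.27 - - [29/Mar/2003:22:46:48 +0500] "GET /CITIES/Simi_Valley/ HTTP/1.1" 200 267
64.174.210.27 - - [29/Mar/2003:22:46:48 +0500] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 200 43
64.174.210.27 - - [29/Mar/2003:22:46:49 +0500] "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 200 43
10.0.0.5 - - [29/Mar/2003:22:50:00 +0500] "GET /CITIES/Simi_Valley/ HTTP/1.1" 200 267
10.0.0.5 - - [29/Mar/2003:23:40:00 +0500] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Paths the poster singles out; formmail.pl does not exist on his site, so any hit is a probe.
PROBE_PATHS = ("/_vti_bin/owssvr.dll", "/MSOffice/cltreq.asp", "formmail.pl")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def is_probe(path):
    return any(p in path for p in PROBE_PATHS)

def find_paired_probes(log_text, window_seconds=5):
    """Return {ip: [(ordinary_path, probe_path), ...]} for every IP whose probe
    request arrives within window_seconds of an earlier ordinary page request."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])  # stable: keeps log order for equal timestamps
        for i, rec in enumerate(recs):
            if not is_probe(rec["path"]):
                continue
            for prev in recs[:i]:
                gap = (rec["time"] - prev["time"]).total_seconds()
                if not is_probe(prev["path"]) and 0 <= gap <= window_seconds:
                    hits.setdefault(ip, []).append((prev["path"], rec["path"]))
    return hits

if __name__ == "__main__":
    print(find_paired_probes(SAMPLE_LOG))
```

The 10.0.0.5 formmail.pl POST is still a probe, but it is fifty minutes after that client's page request, so it does not pair under the default window; lower or raise window_seconds to match what your own logs show.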