
Flood of strange logfile entries without referrer and/or UA

dhatz

1:33 pm on Mar 14, 2004 (gmt 0)


Hi all,

I'm getting quite a few page requests (about 50k requests per month of each) of two types:

1. Different IPs all over the world, asking for the homepage root, without a referrer but with a valid UA (IE 5.0 or 5.5) and without downloading any of the inline images as any normal browser would have done, e.g.

82.80.62.XXX - - [14/Mar/2004:15:05:48 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
202.156.2.XXX - - [14/Mar/2004:15:07:49 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.255.191.XXX - - [14/Mar/2004:15:10:36 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.253.81.XXX - - [14/Mar/2004:15:15:08 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
200.151.209.XXX - - [14/Mar/2004:15:15:18 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
83.152.168.XXX - - [14/Mar/2004:15:17:37 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
221.10.44.XXX - - [14/Mar/2004:15:17:46 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
220.159.91.XXX - - [14/Mar/2004:15:21:42 +0200] "GET / HTTP/1.1" 200 1807 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

2. The same IP sending a flood of HEAD / requests within a short period of time, with no referrer and no UA:

62.178.179.XXX - - [08/Mar/2004:03:31:15 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:15 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:16 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:16 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:16 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:16 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
62.178.179.XXX - - [08/Mar/2004:03:31:17 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"

The first one seems like hijacked (by virus/trojan) random PCs all over the world, which attempt to harvest info, e.g. emails, from random sites, like mine in this case. They never go beyond the root level though.

The second type (flood of HEAD requests) I can't explain... it looks like a DoS, but I think I'm not that significant for anyone to care ;-)

Other than bandwidth concerns, are there any other issues to consider?

Thanks in advance,

Dimitris

[edited by: engine at 4:21 pm (utc) on Mar. 15, 2004]
[edit reason] specifics snipped [/edit]
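An added example, not code from anyone in this thread, that picks the two patterns described above out of an Apache combined-format access log: referrer-less root hits from IPs that never come back for inline images, and bursts of UA-less HEAD / from one IP. The log lines and IP addresses are constructed (RFC 5737 test ranges), and the burst thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(lines):
    """Yield one dict per parseable line; the timestamp becomes a datetime."""
    for m in filter(None, map(LOG_RE.match, lines)):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec

def headless_root_hits(lines):
    """Pattern 1: referrer-less 'GET /' from IPs that never fetch anything else (no inline images)."""
    paths, candidates = defaultdict(set), set()
    for r in parse(lines):
        paths[r["ip"]].add(r["path"])
        if r["method"] == "GET" and r["path"] == "/" and r["ref"] == "-":
            candidates.add(r["ip"])
    return sorted(ip for ip in candidates if paths[ip] == {"/"})

def head_floods(lines, min_hits=5, window_s=10):
    """Pattern 2: >= min_hits UA-less 'HEAD /' from one IP within window_s seconds."""
    times = defaultdict(list)
    for r in parse(lines):
        if r["method"] == "HEAD" and r["path"] == "/" and r["ua"] == "-":
            times[r["ip"]].append(r["ts"])
    flooders = {}
    for ip, ts in times.items():
        ts.sort()  # sliding window over sorted timestamps
        for i in range(len(ts) - min_hits + 1):
            if (ts[i + min_hits - 1] - ts[i]).total_seconds() <= window_s:
                flooders[ip] = len(ts)  # {ip: total HEAD count}
                break
    return flooders

# Constructed sample modelled on the post; addresses are RFC 5737 test ranges.
UA = '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"'
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2004:15:05:48 +0200] "GET / HTTP/1.1" 200 1807 "-" ' + UA,
    '192.0.2.20 - - [14/Mar/2004:15:07:49 +0200] "GET / HTTP/1.1" 200 1807 "-" ' + UA,
    '198.51.100.5 - - [14/Mar/2004:15:08:01 +0200] "GET / HTTP/1.1" 200 1807 "-" ' + UA,
    '198.51.100.5 - - [14/Mar/2004:15:08:02 +0200] "GET /logo.gif HTTP/1.1" 200 5120 "http://example.test/" ' + UA,  # genuine visitor
    '198.51.100.7 - - [08/Mar/2004:03:40:00 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"',
] + ['203.0.113.9 - - [08/Mar/2004:03:31:%02d +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"' % s
     for s in (15, 15, 16, 16, 16, 17, 17)]
```

Run both detectors over a day's log rather than a single file fragment, since the first check only works once an IP has had the chance to request more than the root page.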

rogerdp

8:29 pm on Mar 14, 2004 (gmt 0)


UA is easy to fake, and it looks like those are. They all have the same UA -- same version, same OS.

webreader

3:33 pm on Mar 15, 2004 (gmt 0)


Others have noticed the same thing here, and there are a couple of threads each describing the same thing. But there is no real info on who or what it is. I started receiving the same checks against my root by IP number on 2/11/04, and it continues to this day. The IPs never repeat and are from all over the globe, but always the same Win98 user agent, which is probably spoofed.

I did notice that the one day I hardly received any checks against my root, I had a drastic drop in SPAM levels on that one day.

Maybe a coincidence, or maybe a certain group of spammers took a day off. I just assume it's random compromised machines all over the globe being used as temporary scanners by spammers? Or maybe spammers/hackers (spackers) scanning massive ranges of IPs through random open proxies to hide their real source?

The problem is that with the IP changing constantly, the limited info in the request and the UA spoofed, it's really just guessing what it is. But it's definitely there, with an unknown purpose...