Fake Dynamic IP changing continuously

Robot with Dynamic changing IP

         

nilloc

1:15 am on Jul 25, 2003 (gmt 0)


Hi,

Some robot or user is downloading my entire website at an unbelievable speed (hammering my site).

Seems like a new technique, as the IP is changing continuously. But when looking them up with Sam Spade, all these IPs give as a result: FAKE IP on the second line of the traceroute, followed by a DNS error.

It is very easy to follow, as all my pages are getting downloaded in chronological order from folder to folder.

The agent name they are using is:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
so not possible to block on the agent-name, I would be blocking half of the world.

Dynamic IPs are:
etc...etc...etc (over 500 IP addresses)

and no I am not dreaming, as pages are accessed as:
page 1
page 2
page 3
page 4
page 5

at a tempo of 20 pages per second

So what to do?

Regards,

nilloc

1:40 pm on Jul 25, 2003 (gmt 0)


Hi,

The downloading has stopped now!
They used about 160 Mbytes of my bandwidth with what went on.

Regards,

cyberkat

3:13 pm on Jul 26, 2003 (gmt 0)


Don't feel bad. We had this happen 19 times in a row and still reported to each ISP as formmail hacking. They only get 403 from our spam trap. I thought this was very interesting. They usually come from 1 IP with 2 to 8 hits. Seemed this person was desperate.

207.248.228.154 - - [04/Jul/2003:20:59:43 -0400] "POST /cgi-bin/FormMail2.cgi HTTP/1.0" 403 219 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

200.251.234.144 - - [04/Jul/2003:20:59:43 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 403 218 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

203.15.126.10 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 403 217 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

199.3.20.212 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/mail.pl HTTP/1.0" 403 213 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

203.38.116.243 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 403 218 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

216.206.18.12 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/GMFormMail.pl HTTP/1.0" 403 219 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

209.151.129.82 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/mailform HTTP/1.0" 403 214 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

208.147.1.2 - - [04/Jul/2003:20:59:44 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.1" 403 230 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

200.42.95.50 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/form2mail.pl HTTP/1.0" 403 218 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

194.27.49.2 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailto.pl HTTP/1.1" 403 227 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

207.106.227.5 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/email.cgi HTTP/1.0" 403 215 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

195.141.38.20 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailform.pl HTTP/1.1" 403 229 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

210.187.41.2 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailto HTTP/1.0" 403 212 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

66.207.120.227 - - [04/Jul/2003:20:59:45 -0400] "GET /cgi-bin/gmformmail.pl HTTP/1.0" 403 219 "-" "Mozilla/5.0"

213.249.155.237 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/gmformmail.pl HTTP/1.0" 403 219 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

211.248.114.2 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/formmail2.cgi HTTP/1.0" 403 219 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

200.41.4.3 - - [04/Jul/2003:20:59:45 -0400] "POST /cgi-bin/email HTTP/1.1" 403 223 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

203.94.72.219 - - [04/Jul/2003:20:59:46 -0400] "POST /cgi-bin/mail HTTP/1.0" 403 210 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

80.58.4.107 - - [04/Jul/2003:20:59:49 -0400] "POST /cgi-bin/formmail2.pl HTTP/1.0" 403 218 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

200.30.110.246 - - [04/Jul/2003:20:59:49 -0400] "POST /cgi-bin/form2mail.cgi HTTP/1.1" 403 231 "http://OUR DOMAIN NAME IS REMOVED/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
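
Both posts describe traffic that per-address blocking and rate limits miss, because each address makes only a hit or two. The sketch below is an added example, not part of either post: it groups combined-format log lines by (user agent, folder) instead of by address and reports bursts spread over many addresses. The grouping key, the thresholds and the sample lines (constructed, using documentation address ranges) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log format, the format of the lines quoted in the thread.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "ts": when, "folder": path.rsplit("/", 1)[0] or "/", "ua": ua}

def distributed_bursts(lines, window=timedelta(seconds=10), min_ips=5, max_per_ip=2):
    """Group by (user agent, folder) rather than by address and report groups
    where, inside one window, many addresses each make only a hit or two."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["ua"], rec["folder"])].append(rec)
    findings = []
    for (ua, folder), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window's left edge forward
            hits = Counter(r["ip"] for r in recs[start:end + 1])
            crowd = len(hits) >= min_ips and max(hits.values()) <= max_per_ip
            if crowd and (best is None or len(hits) > len(best)):
                best = hits  # keep the widest burst seen for this group
        if best:
            findings.append({"ua": ua, "folder": folder, "ips": sorted(best)})
    return findings

# Constructed sample lines (documentation address ranges), not the thread's logs.
UA_BOT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
UA_USER = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
PROBES = [
    ("192.0.2.10", 43, "formmail.pl"), ("198.51.100.7", 43, "FormMail.cgi"),
    ("203.0.113.5", 44, "mailto.pl"), ("192.0.2.44", 44, "email.cgi"),
    ("198.51.100.93", 45, "mailform.pl"), ("203.0.113.201", 45, "mail.pl"),
]
SAMPLE = [f'{ip} - - [04/Jul/2003:20:59:{s} -0400] "POST /cgi-bin/{script} HTTP/1.0" '
          f'403 218 "-" "{UA_BOT}"' for ip, s, script in PROBES]
SAMPLE += [f'203.0.113.77 - - [04/Jul/2003:20:59:{s} -0400] "GET /products/page{n}.html '
           f'HTTP/1.0" 200 5120 "-" "{UA_USER}"' for n, s in ((1, 41), (2, 44), (3, 47))]
```

On a busy site a common browser string will legitimately cross these thresholds, so treat a finding as a lead to review alongside status codes and request order, not as a block list.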