shield.swf

My log is FULL of these things

         

infomundo

5:38 pm on Dec 31, 2003 (gmt 0)

10+ Year Member



Hi There,

I have a problem... People are trying to download shield.swf and each IP tries as many as 5 times a sec to get the same file. Below see an example of my log.

It got to a point where my load (linux) went up to 101. That means 101 processes in queue to be executed by the processor. It is INSANE!

I have made modifications to Apache but still I would like to get rid of this infestation completely.

I searched in Google for shield.swf and it seems like a LOT of sites
have it. What the heck is shield.swf and why is it so much wanted?
I can't find any documentation on this stuff.

Thanks for your help. I can be reached at richard.dib@bandwidthtechnologies.com.

200.81.8.242 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
80.58.35.46 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.81.8.242 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.43.22.122 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; DigExt)"
200.72.180.139 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/music.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
200.43.22.122 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; DigExt)"
80.58.35.46 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.81.8.242 - - [31/Dec/2003:11:23:36 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
80.58.35.46 - - [31/Dec/2003:11:23:37 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.81.8.242 - - [31/Dec/2003:11:23:37 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.43.22.122 - - [31/Dec/2003:11:23:37 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; DigExt)"
200.43.22.122 - - [31/Dec/2003:11:23:37 -0600] "GET /staticpages/shield.swf HTTP/1.1" 302 297 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; DigExt)"

[edited by: tedster at 5:52 pm (utc) on Dec. 31, 2003]
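
Added example, not part of the original posts: a small Python check that measures the pattern described above (one client requesting the same path several times within a single second) from an Apache combined-format log. The sample lines are constructed with documentation-range addresses, and the threshold of 5 per second is an assumption taken from the rate mentioned in the post.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

def _line(ip, sec, path):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [31/Dec/2003:11:23:{sec:02d} -0600] '
            f'"GET {path} HTTP/1.1" 302 297 "-" "{UA}"')

# Constructed sample (documentation-range addresses), shaped like the post's log.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", 36, "/staticpages/shield.swf")] * 5
    + [_line("198.51.100.7", 36, "/staticpages/shield.swf")] * 2
    + [_line("198.51.100.7", 37, "/staticpages/shield.swf")] * 2
    + [_line("203.0.113.5", 36, "/staticpages/music.swf")]
    + ["not a log line"]
)

def find_bursts(log_text, threshold=5):
    """Return clients whose peak requests/second for one path >= threshold."""
    per_second = Counter()  # (ip, path, timestamp) -> hits in that second
    meta = defaultdict(lambda: {"total": 0, "statuses": set(), "agents": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # skip malformed or truncated lines
            continue
        key = (m["ip"], m["path"])
        per_second[key + (m["ts"],)] += 1
        meta[key]["total"] += 1
        meta[key]["statuses"].add(int(m["status"]))
        meta[key]["agents"].add(m["ua"])
    peaks = Counter()
    for (ip, path, _ts), n in per_second.items():
        peaks[(ip, path)] = max(peaks[(ip, path)], n)
    return [
        {"ip": ip, "path": path, "peak_per_sec": peak, **meta[(ip, path)]}
        for (ip, path), peak in sorted(peaks.items()) if peak >= threshold
    ]

if __name__ == "__main__":
    for hit in find_bursts(SAMPLE_LOG):
        print(hit)
```

The per-client status and User-Agent sets show at a glance whether the burst is hitting a redirect (302 here) and whether it comes from a single client type.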

hannamyluv

6:31 pm on Dec 31, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



.swf is a Flash file. It could be that someone has a link to your site for a flash file that doesn't exist. Maybe a mistyped hyperlink to a popular flash game or card?

infomundo

6:55 pm on Dec 31, 2003 (gmt 0)

10+ Year Member



I know that swf is flash. I got 1200 of those in my site (games).

Now, this guy is linking to a directory (/staticpages/shield.swf).
Staticpages is a directory that Geeklog uses for a module (Geeklog.net,
a weblog). There have never been any files there besides an index.php that handles this feature.

This is some sort of attack or something, but I can't figure it out.

See the logs...

Richard
-------

infomundo

7:01 pm on Dec 31, 2003 (gmt 0)

10+ Year Member



On top of what I said before...

The same IP tries to download this file 5 times a second. This happens for a lot of IPs out there.

Normal users would not be downloading this stuff 5 times a second, NOR
would this shield.swf file be so common out there (search Google) if it did not have some meaning to it.

Richard
------

sidyadav

3:03 am on Jan 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I see that the User-Agent is Microsoft IE DigExt for each request. DigExt is IE's "Make it available offline" crawler; if a client clicks that button, it can make many requests to the same file, which may be the cause of "Too many requests".

As for the shield.swf, I agree with hannamyluv, it could be a popular flash game, and someone has linked it to your site.

Sid

infomundo

3:49 am on Jan 1, 2004 (gmt 0)

10+ Year Member



Sid,

I appreciate your comments but it still does not match what is happening.

I now DO have a file there called shield.swf. I added the file to avoid
the errors. The file has a single period (.) to make it very small.

Again, I added this file to the directory to avoid the 404 errors that were costing the server a lot of CPU power (I had 404 redirected to the main page).

STILL, with this file there, I still get people downloading it many many times. If it was this "available offline" feature it would only be
downloaded once (I presume).

Again, I appreciate your comments. Perhaps one of you would know what this means.

Richard
------

infomundo

3:52 am on Jan 1, 2004 (gmt 0)

10+ Year Member



Also..
about this shield.swf being everywhere...

It seems to be something that a LOT of websites put
on their sites. I never knew this and still do not know
why.

See these:

[ccjsj.com...]
[pr.ngb.army.mil...]
[garage-dri.com...]
[lechateauduvignoble.com...]
[clickhereanditsyours.com...]
[ficmusic.com...]

There are TONS in the Google results. Why do so many
websites have a shield.swf on their sites, all of which are
totally different but still have in common the purpose
of being like a signature to the website?

I thought I was quite knowledgeable about the Internet but
this is not making sense to me.

Thanks again guys!

Richard
--------

sidyadav

4:09 am on Jan 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I still get people downloading it many many times. If it was this "available offline" feature it would only be
downloaded once (I presume).

[webmasterworld.com...]
[webmasterworld.com...] :
I've banned DigExt because of my spamtrap statistic (link at top). Who is using this 'make those pages available offline' function? Modem Users, or?

Sid