Weblog entry #17 for k2

Burst of GET / requests on Apache2
Posted by k2 on Mon 9 Nov 2009 at 03:43
Tags: none.

Need comments/advice on the following log entries (just a few lines out of 100s of similar ones) found on my Apache2 running on my Debian box (runs behind another Debian box which acts as gateway/router). It isn't one of those regular filename.php access requests testing for vulnerabilities of php based web software. Notice that the source IPs were not the same for the same "referrer" page. How can I brace my box for such an attack in future? Thanks in advance.

60.195.130.248 - - [08/Nov/2009:07:28:51 -0500] "GET / HTTP/1.0" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
81.189.10.194 - - [08/Nov/2009:07:28:51 -0500] "GET / HTTP/1.0" 200 858 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
62.75.216.206 - - [08/Nov/2009:07:28:51 -0500] "GET / HTTP/1.0" 200 858 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
202.112.126.123 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://quit.awardspace.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
210.51.10.197 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://quit.awardspace.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
218.75.75.246 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.153.149.205 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 1149 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.244.157.239 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 801 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
222.90.66.30 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.232.120.254 - - [08/Nov/2009:07:28:53 -0500] "GET / HTTP/1.0" 200 858 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
217.116.23.132 - - [08/Nov/2009:07:28:53 -0500] "GET / HTTP/1.1" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.154.97.22 - - [08/Nov/2009:07:28:53 -0500] "GET / HTTP/1.0" 200 858 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
75.110.21.134 - - [08/Nov/2009:07:28:55 -0500] "GET http://ghaint.no-ip.org/ HTTP/1.1" 200 820 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

Text overflows to the right (only in preview).
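
As an added example (not part of k2's post or of any comment here), the following Python script parses Apache combined-format lines like the ones above and flags the shape those entries show: many unrelated client IPs, one identical User-Agent string, all carrying a Referer within a few seconds of each other. The 10-second window, the threshold of 5 IPs and the benign 192.0.2.10 line are constructed for the demonstration; the other sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def referrer_spam_bursts(lines, window_s=10, min_ips=5):
    """Per User-Agent, report the window_s-second window holding the most distinct
    client IPs that all sent a Referer, provided that count reaches min_ips."""
    by_ua = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ref"] not in ("", "-"):
            by_ua[rec["ua"]].append(rec)
    bursts = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["ts"])
        best, j = None, 0
        for i, first in enumerate(recs):
            j = max(j, i)  # window end; slide it forward while hits stay within window_s of the first
            while j + 1 < len(recs) and (recs[j + 1]["ts"] - first["ts"]).total_seconds() <= window_s:
                j += 1
            hits = recs[i:j + 1]
            ips = {r["ip"] for r in hits}
            if len(ips) >= min_ips and (best is None or len(ips) > len(best["ips"])):
                best = {"ua": ua, "ips": ips, "referrers": sorted({r["ref"] for r in hits}),
                        "span_s": (recs[j]["ts"] - first["ts"]).total_seconds()}
        if best:
            bursts.append(best)
    return bursts

# Five lines copied from the post above, plus one constructed benign hit from 192.0.2.10 (not in the log).
SAMPLE = [
    '60.195.130.248 - - [08/Nov/2009:07:28:51 -0500] "GET / HTTP/1.0" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '81.189.10.194 - - [08/Nov/2009:07:28:51 -0500] "GET / HTTP/1.0" 200 858 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '202.112.126.123 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://quit.awardspace.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '218.75.75.246 - - [08/Nov/2009:07:28:52 -0500] "GET / HTTP/1.1" 200 858 "http://www.bulgarian.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '75.110.21.134 - - [08/Nov/2009:07:28:55 -0500] "GET http://ghaint.no-ip.org/ HTTP/1.1" 200 820 "http://www.kanev.biz.nf" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '192.0.2.10 - - [08/Nov/2009:07:28:53 -0500] "GET /index.html HTTP/1.1" 200 4096 "http://example.org/links" "Mozilla/5.0 (X11; Linux) Firefox/3.5"',
]
```

Run it over a real access.log with `referrer_spam_bursts(open("/var/log/apache2/access.log"))` and the reported referrers give you the list of sites to report, while the UA string gives you the value to match if you decide to block it as simonw suggests.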

 

Comments on this Entry

Posted by simonw (84.45.xx.xx) on Wed 11 Nov 2009 at 08:24
First quick guess would be referrer spam.

I only see 4 or 5 requests a second in the example posted, so why is this volume an issue at all?

If all else fails stop answering requests for IE5 ;)

Simon


Posted by k2 (69.165.xx.xx) on Wed 27 Jan 2010 at 02:24
Even that number of requests can have some effect on my bandwidth as the server sits behind a Debian box connected to a paltry ADSL modem.

Blocking MSIE 5.5 was the pointer I used. Thanks.


Posted by Anonymous (89.115.xx.xx) on Tue 26 Jan 2010 at 18:21
No need to worry about those requests, they are the newest form of spam some bad guys have found ... they advertise for some websites (you can see them as referers in your requests) having in mind that the administrators are going to visit those websites, they will thus get some traffic (and some better ranking if the traffic is constant)... obviously the traffic comes from handcrafted bots placed on some infected machines all over the world, as there are sooooo damn many poorly coded websites inviting people to hack them down and seed their scripts inside. On the other hand, you cannot cope with these "attacks", they're pretty much like DDoS attacks, just let them go and take care of your daily stuff. It's not the best solution, but you cannot use the blacklisting method here, as you will eventually end up wasting your time with it ... I've seen so many in my logs (not in a concentrated timeframe, but just on a daily basis) .... what you can probably do is report those websites to their respective owners (you will see all those domains link to the same website)

drailean
