Incidents
Re: Weird Traffic May 27 2008 10:24PM
Michael Gorsuch (michael styledbits com)
Just to be sure, you aren't running a nightly backup job that sends
your data offsite, are you? ;-) I had a similar experience, as I
ship a fair amount of data off to Amazon S3 every night.

I think you ought to try trending your traffic. Set up something like
MRTG or Cacti to monitor your ethernet interface and see when this
traffic change is occurring. Spikes in activity may help you identify
the process.

As was previously mentioned, NTOP might help here as well. In fact,
if you are only seeing 1 or 2 GB, I imagine that it will handle it
just fine. Fire it up during a spike, and you ought to be able to
look at the activity by 'host'. You should see where you are sending
all of this data fairly quickly.

Best of Luck,

Michael Gorsuch
http://www.styledbits.com

On Tue, May 27, 2008 at 5:15 PM, Gary Baribault <gary (at) baribault (dot) net [email concealed]> wrote:
> I've seen that type of stuff in my logs too .. they're looking for known pages
> with vulnerabilities, but that shouldn't generate 1Gig of outbound traffic ..
> You're sending something out ..
>
> Gary Baribault
> Courriel: gary (at) baribault (dot) net [email concealed]
> GPG Key: 0x4346F013
> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>
>
>
> Jonathan Adams wrote:
>>
>> Well since the last post, I've scanned the drive for large files
>> (warez) nothing there...
>>
>> aside from the proxying I'm getting a lot of weird (botnet I guess) traffic
>>
>> looks like this:
>> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
>> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
>> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php
>> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers
>> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>>
>>
>> The 64 address is a serial offender, I've over 700 hits from it in the logs
>>
>> Appears to be in LA California, most likely a hacked server - it has
>> the normal ports open
>> "IP: 64.56.75.87 Location:
>> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>>
>>
>> The China stuff in my logs has just shifted to different IPs since the
>> last batch of updated FW rules, but the traffic is high
>>
>> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
>> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
>> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
>> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
>> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP/1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
>> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robots.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
>> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/papers_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
>> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java-belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
>> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
>> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> This is definitely the source of my troubles.
>>
>> I've blackholed the serial offending IPs but I'm sure it will shift
>> again.
>>
>>
>> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek (at) mcts (dot) pl [email concealed]> wrote:
>> > Have you checked what kind of traffic is flooding you (I mean did you
>> > perform traffic analysis)?
>> >
>> > -----Original Message-----
>> > From: Jonathan Adams [mailto:keirre.adams (at) gmail (dot) com [email concealed]]
>> > Sent: Tuesday, May 27, 2008 1:59 PM
>> > To: incidents (at) securityfocus (dot) com [email concealed]
>> > Subject: Weird Traffic
>> >
>> > All,
>> >
>> > I have a leased server I use to host some websites and for the past
>> > week I have been getting traffic warnings. The server has been
>> > transferring > 1GB of data per day, which is unusually high,
>> > especially since I moved my mail to Google Apps. I have noticed a
>> > ridiculous amount of attempted proxying attempts in my logs, but I do
>> > not have mod_proxy turned on. I suspect my server is on some list. I
>> > firewalled off a large number of subnets from China and my traffic
>> > dropped for a few days, then this morning, 2735MB transferred in 24
>> > hrs.
>> >
>> > As of right now, I am planning to blackhole all China traffic, since
>> > that's where most of this is coming from, along with the occasional
>> > traffic from France and other places in Eur. Is this common? If so
>> > are there any other remedies?
>> >
>> > --
>> >
>> > "Strength does not come from physical capacity. It comes from an
>> > indomitable will." -
>> > Mohandas Gandhi
>> >
>> >
>> > __________ Information from ESET NOD32 Antivirus, version of virus signature database 3135 (20080527) __________
>> >
>> > The message was checked by ESET NOD32 Antivirus.
>> >
>> > http://www.eset.com
>> >
>>
>>
>>
>
>
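The per-host accounting Michael recommends ("look at the activity by host") can be done straight from the access log without ntop. The script below is an added example, not code from this thread or from any of the posters: it parses Apache combined-format lines, flags requests whose target is an absolute URI (a client asking the server to act as a forward proxy, which is what the prx.php, proxy.php and edit.php hits above are), and sums the response bytes per client so that the volume those 404s actually account for can be compared with the daily transfer figure. The sample lines are taken from the thread above, reflowed onto one line each, plus one constructed non-log line to show that unparsable entries are counted rather than silently dropped.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format: host, ident, user, [time], "request",
# status, bytes, "referer", "user-agent". The request is captured as one
# string and split afterwards so that an odd or malformed request line does
# not make the whole entry unparsable.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    # Apache logs "-" when no body was sent; treat that as zero bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # A target that is an absolute URI (scheme://host/...) instead of a path
    # means the client wants this server to fetch it as a forward proxy.
    rec["proxy_probe"] = rec["target"].lower().startswith(("http://", "https://"))
    return rec


def summarize(lines):
    """Aggregate per-client request count, bytes sent, proxy probes and
    4xx/5xx responses. Returns (stats, number_of_unparsable_lines)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0,
                                 "proxy_probes": 0, "errors": 0})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = stats[rec["host"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["proxy_probe"]:
            s["proxy_probes"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
    return dict(stats), unparsed


def top_hosts(stats, key="bytes", n=5):
    """Clients ranked by one of the counters, highest first."""
    return sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


# Sample input: access-log lines quoted in the thread (reflowed onto one
# line each) plus one constructed non-log line for the unparsable path.
SAMPLE_LOG = """\
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
this line is constructed and is not a log entry
"""


if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE_LOG.splitlines())
    print(f"{'client':<28} {'reqs':>5} {'bytes':>7} {'proxy':>5} {'4xx+':>5}")
    for host, s in top_hosts(stats, "bytes"):
        print(f"{host:<28} {s['requests']:>5} {s['bytes']:>7} "
              f"{s['proxy_probes']:>5} {s['errors']:>5}")
    print(f"unparsable lines: {unparsed}")
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log"))` and rank by `"bytes"` rather than `"requests"`: a client that sends hundreds of probes but only ever gets a 1277-byte 404 page back shows up at the top of the request count and near the bottom of the byte count, which is exactly the distinction needed to decide whether the probes or something else is behind the daily transfer volume. The byte column only covers response bodies, so an outbound job of the kind Michael mentions (a nightly backup) would not appear here at all, which is why interface-level trending with MRTG or Cacti is still worth setting up alongside it.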

Copyright 2010, SecurityFocus