Incidents
Re: Weird Traffic May 27 2008 08:31PM
Jonathan Adams (keirre adams gmail com) (2 replies)
Re: Weird Traffic May 28 2008 06:10AM
Richard Sammet (richard sammet googlemail com)
Hi Jonathan,

To get a quick overview of your HTTP traffic for the last 24h, just
run something like this:

# sums the %b field (response body bytes) of every combined-format line; "-" entries (no body sent) are skipped
awk -F'"' '{ split($3, f, " "); if (f[2] ~ /^[0-9]+$/) sum += f[2] } END { print sum + 0 }' /var/log/apache2/access.log

on the Apache access log files containing the requests for the last 24h...

br,
richard

On Tue, May 27, 2008 at 10:31 PM, Jonathan Adams <keirre.adams (at) gmail (dot) com [email concealed]> wrote:
> Well, since the last post I've scanned the drive for large files
> (warez); nothing there...
>
> Aside from the proxying, I'm getting a lot of weird (botnet, I guess) traffic.
>
> looks like this:
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php
> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers
> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>
>
> The 64 address is a serial offender; I've over 700 hits from it in the logs.
> It appears to be in LA, California, most likely a hacked server - it has
> the normal ports open:
> "IP: 64.56.75.87 Location:
> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>
>
> The China stuff in my logs has just shifted to different IPs since the
> last batch of updated FW rules, but the traffic is high:
>
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP/1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robots.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/papers_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java-belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> This is definitely the source of my troubles.
>
> I've blackholed the serial offending IPs, but I'm sure it will shift again.
>
>
> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek (at) mcts (dot) pl [email concealed]> wrote:
>> Have you checked what kind of traffic is flooding you (I mean, did you
>> perform a traffic analysis)?
>>
>> -----Original Message-----
>> From: Jonathan Adams [mailto:keirre.adams (at) gmail (dot) com [email concealed]]
>> Sent: Tuesday, May 27, 2008 1:59 PM
>> To: incidents (at) securityfocus (dot) com [email concealed]
>> Subject: Weird Traffic
>>
>> All,
>>
>> I have a leased server I use to host some websites and for the past
>> week I have been getting traffic warnings. The server has been
>> transferring > 1GB of data per day, which is unusually high,
>> especially since I moved my mail to Google Apps. I have noticed a
>> ridiculous number of proxying attempts in my logs, but I do
>> not have mod_proxy turned on. I suspect my server is on some list. I
>> firewalled off a large number of subnets from China and my traffic
>> dropped for a few days, then this morning, 2735MB transferred in 24
>> hrs.
>>
>> As of right now, I am planning to blackhole all China traffic, since
>> that's where most of this is coming from, along with the occasional
>> traffic from France and other places in Europe. Is this common? If so,
>> are there any other remedies?
>>
>> --
>>
>> "Strength does not come from physical capacity. It comes from an
>> indomitable will." -
>> Mohandas Gandhi
>>
>>
>> __________ Information from ESET NOD32 Antivirus, version of virus signature
>> database 3135 (20080527) __________
>>
>> The message was checked by ESET NOD32 Antivirus.
>>
>> http://www.eset.com
>>
>>
>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams (at) gmail (dot) com [email concealed]
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

--
The major quality problem of open mailing lists is that everybody can
take part. (/me)

ATTENTION!
PLEASE ENCRYPT MESSAGES AND ATTACHMENTS IF THEY CONTAIN PRIVATE INFORMATION!
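The check Richard's one-liner performs, carried a step further as an added example that is not code from this thread: it parses Apache combined-format lines, sums the %b response-body bytes per client, and flags requests whose target is an absolute URI (or a CONNECT), which is what a client sends when it expects the server to act as a forward proxy, the exact pattern in the logs posted above. The sample log lines are constructed (RFC 5737 documentation addresses and example.* hostnames, modelled on the posted entries), and the field layout assumed is Apache's standard "combined" LogFormat.

```python
"""Sum Apache access-log response bytes and flag forward-proxy probes.

Added example, not code from the mailing-list thread. Assumes Apache's
"combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i".
"""
import re
from collections import defaultdict

# One regex per combined-format line. %b is "-" when no body was sent (e.g. a 304).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, modelled on the lines posted in the thread but using
# RFC 5737 documentation addresses and example.* hostnames instead of real ones.
# The last line is deliberately corrupt to show how unparsable input is handled.
SAMPLE_LOG = """\
198.51.100.7 - - [27/May/2008:14:55:42 -0400] "POST http://example.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [27/May/2008:14:30:33 -0400] "GET http://example.org/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
crawler.example.com - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
192.0.2.10 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
198.51.100.7 - - [27/May/2008:15:31:39 -0400] "POST http://example.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.11 - - [27/May/2008:16:00:00 -0400] "GET /index.html HTTP/1.1" 304 - "-" "curl/7.18.2"
corrupt line that does not match the log format
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    # An absolute-URI target (or a CONNECT tunnel request) asks this server to
    # act as a forward proxy; ordinary origin-server requests start with "/".
    rec["proxy_probe"] = (
        rec["method"].upper() == "CONNECT"
        or rec["target"].lower().startswith(("http://", "https://"))
    )
    return rec


def summarize(lines):
    """Aggregate response bytes, request counts and proxy-probe counts per client."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "proxy_probes": 0})
    total_bytes = 0
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        c = per_client[rec["client"]]
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        if rec["proxy_probe"]:
            c["proxy_probes"] += 1
        total_bytes += rec["bytes"]
    return {"total_bytes": total_bytes, "unparsed": unparsed, "clients": dict(per_client)}


def proxy_probe_sources(summary):
    """Clients that sent at least one proxy-style request, busiest first."""
    hits = [(ip, s) for ip, s in summary["clients"].items() if s["proxy_probes"]]
    return sorted(hits, key=lambda kv: (-kv[1]["proxy_probes"], kv[0]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"total response bytes: {summary['total_bytes']} "
          f"({summary['unparsed']} unparsed lines)")
    for ip, s in proxy_probe_sources(summary):
        print(f"{ip}: {s['proxy_probes']} proxy probes, "
              f"{s['requests']} requests, {s['bytes']} bytes")
```

Run it against the real file with `summarize(open("/var/log/apache2/access.log"))`. Two caveats when comparing the result with a hosting provider's traffic warning: %b counts response bodies only, so request bodies, headers and any non-HTTP traffic are not in the total, which makes it a lower bound; and every probe in the posted logs still drew a 1277-byte 404 body plus headers, so dropping the offending sources at the packet filter saves more than letting Apache answer them.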

Re: Weird Traffic May 27 2008 09:15PM
Gary Baribault (gary baribault net) (1 replies)
Re: Weird Traffic May 27 2008 10:24PM
Michael Gorsuch (michael styledbits com)
Copyright 2010, SecurityFocus