Re: strange HTTP scan/attack?

[Anne Marcel Roorda <marcel () OUR DOMAINTJE COM>]

On Mon, 27 Nov 2000, Jim Bacon wrote:

> I am seeing someone repeating hitting a CGI script with a HEAD request and
> then submitting a query of the form:
>
> http://blah.blah.blah/cgi-bin/cgiscript/0/0/0/Angola
> http://blah.blah.blah/cgi-bin/cgiscript/0/0/0/England
> http://blah.blah.blah/cgi-bin/cgiscript/0/0/0/0/Angola
> http://blah.blah.blah/cgi-bin/cgiscript/0/0/0/0/England
>
> Where it cycles thru a list of all country names, then starts over with
> another 0 in the query string.
>
> This is coming into my server almost as fast as possible, and is somewhat
> annoying.
>
> Can anyone offer any clues tp what this is and what I can do about it?  It
> appears to be originating from a UUnet dialup in the UK, so any complaints
> to a live human are impossible and email complaints just an excercise in my
> typing practice.

Hi,

  If you had taken a look at the contact page on www.uk.uu.net then
you'd have found the following.

<quote>

Security issues - hacking, portscanning, denial of service attacks.

If you have been subject to an attack of this type. Please contact our
Abuse team immediately on 01223 250570. If the attack occurs out of hours,
please contact our 24x7 team on 01223 250122

Once you make contact with the Abuse team, they will require copies of the
logs showing dates, times and timezones of
the attack.

</quote>

- marcel