Security Incidents mailing list archives

Re: Weird Traffic

From: "Jonathan Adams" <keirre.adams () gmail com>
Date: Tue, 27 May 2008 16:31:56 -0400

Well since the last post, I've scanned the drive for large files
(warez) nothing there...

aside from the proxying Im getting alot of weird (botnet I guess) traffic

looks like this:
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does
not exist: /home/[snip]/www/voyageur.php
[Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request
failed: error reading the headers
[Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php


The 64 address is a serial offender, I' ve over 700 hits from it in the logs
Appears to be in LA California, most likely a hacked server - it has
the normal ports open
"IP: 64.56.75.87 Location:
Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"


The china stuff in my logs has just shifted to different IPs since the
last batch of update FW rules, but the traffic is high

123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
 o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible;                                               MSIE 6.0;
Windows NT 5.0)"
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
 o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible;                                               MSIE 6.0;
Windows NT 5.0)"
laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - -
[27/May/2008:14:38:02 -0
400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1"
404 1277                                               "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705;
.NET                                               CLR 1.1.4322)"
llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET
/robots.txt HTTP                                              /1.0"
200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET
/2008/p/?D=A HTTP                                              /1.0"
200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400]
"GET /robot                                              s.txt
HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET
/school_code_and_files/paper
   s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1
(+http://search.msn.com/msnbo
    t.htm)"
64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST
http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET
http://java-
belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; W                                              indows NT
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET
http://ldvid.info/edit.php HTTP
      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET
http://ldvid.info/edit.php HTTP
      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST
http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET
http://ldvid.info/edit.php HTTP
      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST
http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST
http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"

This is definitely the source of my troubles.

I've blackholed the serial offending IP's but Im sure it will shift again.


On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek () mcts pl> wrote:

Have you checked what kind of traffic is flooding you (I mean did you
perform traffic analyze)?

-----Original Message-----
From: Jonathan Adams [mailto:keirre.adams () gmail com]
Sent: Tuesday, May 27, 2008 1:59 PM
To: incidents () securityfocus com
Subject: Weird Traffic

All,

 I have a leased server I use to host some websites and for the past
week I have been getting traffic warnings. The server has been
transferring > 1GB of data per day, which is unusually high,
especially since I moved my mail to Google Apps. I have noticed a
ridiculous amount of attempted proxying attemptes in my logs, but I do
not have mod proxy turned on. I suspect my server is on some list.  I
firewalled off a large number of subnets from China and my traffic
dropped for a few days, then this morning, 2735MB transferred in 24
hrs.

 As of right now, I am planning to blackhole all China traffic, since
thats where most of this is comming from, along with the occasional
traffic from France and other places in Eur. Is this common?  If so
are there any other remedies?

--

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 3135 (20080527) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 3135 (20080527) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com




-- 
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams () gmail com
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Current thread:

Weird Traffic Jonathan Adams (May 27)
- RE: Weird Traffic Jackson, Ben (ITD) (May 27)
- Message not available
  - Re: Weird Traffic Jonathan Adams (May 27)
    - Re: Weird Traffic Gary Baribault (May 27)
    - Re: Weird Traffic Michael Gorsuch (May 27)
    - Re: Weird Traffic Richard Sammet (May 28)
- Message not available
  - Re: Weird Traffic Jonathan Adams (May 27)
    - Message not available
    - Re: Weird Traffic Jonathan Adams (May 28)
- Re: Weird Traffic Michael Loftis (May 27)
- Re: Weird Traffic pinowudi (May 28)
- Message not available
  - Re: [Pinguzilla] Weird Traffic Jonathan Adams (May 28)
    - Re: [Pinguzilla] Weird Traffic Jonathan Adams (May 28)
    - R: [Pinguzilla] Weird Traffic Vega - Brunello Ivan (May 29)

(Thread continues...)