Security Incidents mailing list archives
Re: Weird Traffic
From: "Jonathan Adams" <keirre.adams () gmail com>
Date: Tue, 27 May 2008 16:31:56 -0400
Well since the last post, I've scanned the drive for large files (warez) nothing there... aside from the proxying Im getting alot of weird (botnet I guess) traffic looks like this: [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php The 64 address is a serial offender, I' ve over 700 hits from it in the logs Appears to be in LA California, most likely a hacked server - it has the normal ports open "IP: 64.56.75.87 Location: Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)" The china stuff in my logs has just shifted to different IPs since the last batch of update FW rules, but the traffic is high 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.g o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.g o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0 400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP /1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/ help/us/ysearch/slurp)" lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP /1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/ help/us/ysearch/slurp)" msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robot s.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/paper s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbo t.htm)" 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php H TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java- belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; W indows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)" 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)" 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php H TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)" 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-" 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php H TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php H TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" This is definitely the source of my troubles. I've blackholed the serial offending IP's but Im sure it will shift again. On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek () mcts pl> wrote:
Have you checked what kind of traffic is flooding you (I mean did you perform traffic analyze)? -----Original Message----- From: Jonathan Adams [mailto:keirre.adams () gmail com] Sent: Tuesday, May 27, 2008 1:59 PM To: incidents () securityfocus com Subject: Weird Traffic All, I have a leased server I use to host some websites and for the past week I have been getting traffic warnings. The server has been transferring > 1GB of data per day, which is unusually high, especially since I moved my mail to Google Apps. I have noticed a ridiculous amount of attempted proxying attemptes in my logs, but I do not have mod proxy turned on. I suspect my server is on some list. I firewalled off a large number of subnets from China and my traffic dropped for a few days, then this morning, 2735MB transferred in 24 hrs. As of right now, I am planning to blackhole all China traffic, since thats where most of this is comming from, along with the occasional traffic from France and other places in Eur. Is this common? If so are there any other remedies? -- "Strength does not come from physical capacity. It comes from an indomitable will." - Mohandas Gandhi __________ Information from ESET NOD32 Antivirus, version of virus signature database 3135 (20080527) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 3135 (20080527) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
-- ___________________________ Jon Adams web: http://www.scis.nova.edu/~jonaadam mail: keirre.adams () gmail com --------------------------------------------- "Strength does not come from physical capacity. It comes from an indomitable will." - Mohandas Gandhi
Current thread:
- Weird Traffic Jonathan Adams (May 27)
- RE: Weird Traffic Jackson, Ben (ITD) (May 27)
- Message not available
- Re: Weird Traffic Jonathan Adams (May 27)
- Re: Weird Traffic Gary Baribault (May 27)
- Re: Weird Traffic Michael Gorsuch (May 27)
- Re: Weird Traffic Richard Sammet (May 28)
- Re: Weird Traffic Jonathan Adams (May 27)
- Message not available
- Re: Weird Traffic Jonathan Adams (May 27)
- Message not available
- Re: Weird Traffic Jonathan Adams (May 28)
- Re: Weird Traffic Jonathan Adams (May 27)
- Re: [Pinguzilla] Weird Traffic Jonathan Adams (May 28)
- Re: [Pinguzilla] Weird Traffic Jonathan Adams (May 28)
- R: [Pinguzilla] Weird Traffic Vega - Brunello Ivan (May 29)