[KLUG Members] WTF is going on? Update

Adam Bultman members@kalamazoolinux.org
Sat, 8 Jun 2002 07:15:48 -0400 (EDT)


Well, I've been poking around, and I'm noticing an awful lot of traffic
going to my server.   It would appear that a few choice hosts are just
hammering away.  My problem is:

I get a million of these requests on my server.  Here are two lines from a
tcpdump log:

07:16:18.602983 d141-100-20.home.cgocable.net.2076 > adam.box.com.http: S 2360157466:2360157466(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:16:18.603043 adams.box.com.http > d141-100-20.home.cgocable.net.2076: R 0:0(0) ack 1 win 0

Now:  Does this mean that my box is saying "Sorry, I don't have that
page" or "Access denied" when it sends out that other packet? Or is it
actually doing something like fetching a page? When I turn on httpd
(which normally runs), they would fetch pages off my server. Is that
possible? Does someone somewhere know why someone would try to fetch
stuff from another site? Is this an Apache exploit?  I'm lost. I've been
looking for exploits to the daemons I run (Big Brother, ssh, httpd, and
BIND -- and don't tell me about BIND, I know, I know) and httpd is next in
line.

Oh, well. Thanks for any help, if any, or at least check your servers and
tell me if you are also being hacked, or something.




-- 
Adam Bultman
adam@glaven.org
[ http://www.glaven.org ]


On Sat, 8 Jun 2002, Adam Bultman wrote:

> Well, it's early in the morning, and I'm getting paged. A LOT.  It appears
> someone's playing with my server. More importantly, 24.141.100.20.  This
> person is somehow trying to get web pages about 5 times a second.  Oh --
> did I mention? This is my DNS server, and they are getting pages like
> this:
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.spotlife.com/users2/stefanska/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 0
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.spotlife.com/users2/kateconfuzzled/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 0
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET http://www.spotlife.com/users2/mycoolsunglesses/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 3262
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 0
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET http://www.spotlife.com/users2/dofka/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 11246
> 24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.spotlife.com/users2/furtilizer/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 0
>
>
> Anyway, it's killing my server, and I'm wondering, "What on earth is going
> on?"
>
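Added example (editor's note, not part of Adam's message or any reply on the list): the two tcpdump lines above show a SYN to port 80 answered with a RST, which means nothing was listening on http at that moment and no page was served; the access-log lines in the quoted message are requests for absolute URLs ("GET http://www.spotlife.com/...") answered with 200, which is what Apache logs when it fetches a remote page on the client's behalf, i.e. forward-proxy behaviour (the usual cause is mod_proxy with ProxyRequests On) rather than evidence of an httpd exploit. The Python below parses both formats and reports, per client, how many proxy requests were made, how many were actually answered, which remote hosts were asked for, and the busiest single second. The tcpdump pair is the one from the message with the server name made consistent, plus a constructed SYN/SYN-ACK pair for contrast; the access-log lines are constructed from the ones quoted, with a local request and a refused proxy request added.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# First two lines: the pair quoted in the message (server name normalised to
# adam.box.com).  Last two: a constructed SYN / SYN-ACK pair for contrast.
SAMPLE_TCPDUMP = """\
07:16:18.602983 d141-100-20.home.cgocable.net.2076 > adam.box.com.http: S 2360157466:2360157466(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:16:18.603043 adam.box.com.http > d141-100-20.home.cgocable.net.2076: R 0:0(0) ack 1 win 0
07:16:19.000000 d141-100-20.home.cgocable.net.2077 > adam.box.com.http: S 2360157467:2360157467(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:16:19.000100 adam.box.com.http > d141-100-20.home.cgocable.net.2077: S 1787654321:1787654321(0) ack 2360157468 win 5840 <mss 1460> (DF)
"""

# Constructed Apache common-log lines modelled on the quoted ones: absolute-URL
# requests from one client, an ordinary local request, and a refused proxy request.
SAMPLE_ACCESS_LOG = """\
24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.spotlife.com/users2/stefanska/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 0
24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET http://www.spotlife.com/users2/mycoolsunglesses/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 3262
10.0.0.5 - - [08/Jun/2002:05:29:50 -0400] "GET /index.html HTTP/1.0" 200 1024
24.141.100.20 - - [08/Jun/2002:05:29:50 -0400] "GET http://www.spotlife.com/users2/dofka/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 200 11246
10.0.0.9 - - [08/Jun/2002:05:29:51 -0400] "GET http://www.example.com/ HTTP/1.0" 403 0
"""

# Old-style tcpdump TCP line: "ts src > dst: FLAGS rest".  Flags are S/R/P/F/.
TCPDUMP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) (?P<rest>.*)$')

# Apache common log format; the request target is whatever sits between method and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

VERDICTS = {
    "closed": "RST in reply to SYN: nothing listening, no request was ever read",
    "open": "SYN-ACK in reply to SYN: connection accepted, a request may follow",
    "other": "reply with unexpected flags",
}


def classify_syn_replies(dump_text):
    """Pair each bare SYN with the first packet going back the other way and say
    whether the port was closed (RST) or open (SYN-ACK).  Returns (client, server, verdict)."""
    pending = {}  # (client, server) -> timestamp of the SYN
    results = []
    for line in dump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        src, dst, flags, rest = m["src"], m["dst"], m["flags"], m["rest"]
        # A word-boundary match avoids matching "sackOK" in the option list.
        has_ack = re.search(r"\back\b", rest) is not None
        if flags == "S" and not has_ack:
            pending[(src, dst)] = m["ts"]
            continue
        key = (dst, src)  # a reply travels the other way
        if key not in pending:
            continue
        if "R" in flags:
            verdict = "closed"
        elif "S" in flags and has_ack:
            verdict = "open"
        else:
            verdict = "other"
        results.append((key[0], key[1], verdict))
        del pending[key]
    return results


def is_proxy_request(target):
    """A request line whose target is an absolute URL asks the server to proxy."""
    return target.lower().startswith(("http://", "https://"))


def scan_access_log(log_text):
    """Per client that sent proxy requests: how many, how many got a 2xx (i.e. were
    actually fetched), which remote hosts were asked for, and the busiest second."""
    stats = defaultdict(lambda: {"proxy_requests": 0, "served": 0,
                                 "hosts": set(), "per_second": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_proxy_request(m["target"]):
            continue
        s = stats[m["ip"]]
        s["proxy_requests"] += 1
        s["hosts"].add(urlsplit(m["target"]).netloc)
        s["per_second"][m["ts"]] += 1
        if m["status"].startswith("2"):
            s["served"] += 1
    return {ip: {"proxy_requests": s["proxy_requests"], "served": s["served"],
                 "hosts": sorted(s["hosts"]),
                 "peak_per_second": max(s["per_second"].values())}
            for ip, s in stats.items()}


if __name__ == "__main__":
    for client, server, verdict in classify_syn_replies(SAMPLE_TCPDUMP):
        print(f"{client} -> {server}: {VERDICTS[verdict]}")
    for ip, s in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {s}")
```

Run against a real access_log, a client with a large "served" count against hosts you do not own is the thing to look for; the fix is in httpd.conf (ProxyRequests Off, or a Proxy block restricting who may use it), and the tcpdump RST simply confirms that with httpd stopped the box is refusing the connections rather than answering them.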