[KLUG Members] WTF is going on?
Adam Williams
members@kalamazoolinux.org
08 Jun 2002 08:40:54 -0400
>Well, it's early in the morning, and I'm getting paged. A LOT. It appears
>someone's playing with my server. More importantly, 24.141.100.20. This
>person is somehow trying to get web pages about 5 times a second. Oh --
>did I mention? This is my DNS server, and they are getting pages like
>this:
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
>http://www.spotlife.com/users2/stefanska/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 0
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
>http://www.spotlife.com/users2/kateconfuzzled/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 0
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET
>http://www.spotlife.com/users2/mycoolsunglesses/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 3262
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
>http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 0
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET
>http://www.spotlife.com/users2/dofka/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 11246
>24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
>http://www.spotlife.com/users2/furtilizer/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
>HTTP/1.0" 200 0
>Anyway, it's killing my server, and I'm wondering, "What on earth is going
>on?"
Result 200 is "OK". Are these legitimate objects on your server?
It feels like an IIS worm spinning somewhere.
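
One way to check whether requests like the ones quoted are for objects the server actually hosts, as an added example that is not part of the original thread: parse the access log and report clients whose request target is an absolute URI naming a host the server does not serve, with the status returned and the peak requests per second. The OWN_HOSTS value, the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumed placeholder value).
OWN_HOSTS = {"dns.example.org"}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

def foreign_host(target, own_hosts=OWN_HOSTS):
    """Host named by an absolute-form target if it is not ours, else None."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname:
        host = parts.hostname.lower()
        return None if host in own_hosts else host
    return None  # origin-form target such as /index.html

def summarize(lines, own_hosts=OWN_HOSTS):
    """Return (hits per (client, foreign host, status), peak req/s per client)."""
    hits, per_second, peak = Counter(), Counter(), Counter()
    for line in lines:
        m = CLF.match(line.strip())
        host = foreign_host(m["target"], own_hosts) if m else None
        if host is None:
            continue
        hits[(m["client"], host, m["status"])] += 1
        per_second[(m["client"], m["time"])] += 1  # log time has 1 s resolution
    for (client, _), n in per_second.items():
        peak[client] = max(peak[client], n)
    return hits, peak

# Constructed sample lines, modelled on the shape of the log in the post.
T = "08/Jun/2002:05:29:"
SAMPLE = [
    f'192.0.2.10 - - [{T}49 -0400] "HEAD http://cams.example.net/a/image.jpg?%ts HTTP/1.0" 200 0',
    f'192.0.2.10 - - [{T}49 -0400] "GET http://cams.example.net/b/image.jpg?%ts HTTP/1.0" 200 3262',
    f'192.0.2.10 - - [{T}50 -0400] "HEAD http://cams.example.net/c/image.jpg?%ts HTTP/1.0" 200 0',
    f'198.51.100.7 - - [{T}50 -0400] "GET /index.html HTTP/1.0" 200 512',
    f'198.51.100.7 - - [{T}51 -0400] "GET http://dns.example.org/ HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    hits, peak = summarize(SAMPLE)
    for (client, host, status), n in hits.most_common():
        print(f"{client} -> {host} status={status} count={n} peak/s={peak[client]}")
```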