[KLUG Members] WTF is going on?

Adam Bultman members@kalamazoolinux.org
Sat, 8 Jun 2002 08:54:23 -0400 (EDT)


No! They weren't.  And, if I start the old server and make the request,
the only thing it really returns is the main page.  Well, I guess I don't
know.  That's definitely not a valid page on my server (Mm.. webcams on a
DNS server).  I looked through older logs, and this has been happening for
a while.  However, not to this extent:  www.glaven.org/images/hack2.jpg

I have stuff here saying that this has pretty much been happening all the
time, but never to the extent it was in the picture.

My question: Just WHAT is going on? Why my DNS server?  Were there just
tons of exploits for apache 1.3.9 where you could redirect on someone
else's bandwidth?  I don't understand what's going on with this, and I have
never known of this kind of problem (or hack?) before.  If it's an IIS
worm, it's at last hitting me rather hard.  I guess I'll have to research
this some more.  But for now, I'm flabbergasted.   Is this just some wacky
Internet mix-up where my DNS servers are seen as the servers for freaking
spotlife, or is spotlife taking advantage of me?  Any ideas? Was I just
0wnz0r3d or something?  I have a hard time believing it's a wacky internet
mix up, but then, how would one go about making this type of (hack? DDoS?)
happen?  Get slave computers to ask my DNS servers for web pages until
they die?

Oh, well, back to the grindstone.

Adam

-- 
Adam Bultman
adam@glaven.org
[ http://www.glaven.org ]


On 8 Jun 2002, Adam Williams wrote:

> >Well, it's early in the morning, and I'm getting paged. A LOT.  It appears
> >someones playing with my server. More importantly, 24.141.100.20.  This
> >person is somehow trying to get web pages about 5 times a second.  Oh --
> >did I mention? This is my DNS server, and they are getting pages like
> >this:
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
> >http://www.spotlife.com/users2/stefanska/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 0
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
> >http://www.spotlife.com/users2/kateconfuzzled/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 0
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET
> >http://www.spotlife.com/users2/mycoolsunglesses/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 3262
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
> >http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 0
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "GET
> >http://www.spotlife.com/users2/dofka/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 11246
> >24.141.100.20 - - [08/Jun/2002:05:29:49 -0400] "HEAD
> >http://www.spotlife.com/users2/furtilizer/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> >HTTP/1.0" 200 0
> >Anyway, it's killing my server, and I'm wondering, "What on earth is going
> >on?"
>
> Result 200 is "OK".  Are these legitimate objects on your server?
>
> It feels like an IIS worm spinning somewhere.
>
> _______________________________________________
> Members mailing list
> Members@kalamazoolinux.org
> 
>
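An added note and example, not part of the thread above. The request lines Adam pasted carry a full `http://www.spotlife.com/...` URL as the request-target. That is the form an HTTP client sends to something it believes is a proxy; a request for a server's own content uses a path such as `/index.html`. A web server that is not configured as a proxy typically ignores the foreign host part and answers from its own document tree, which matches Adam's observation that the old server "only returns the main page". The practical checks on the defending side are therefore: whether the access log shows absolute-URI requests for hosts the server does not serve, how fast a single source is sending them, and whether any of them came back `200` with a body (if mod_proxy is loaded on the Apache side, that is also the moment to confirm `ProxyRequests` is `Off`). The script below does those checks over Apache common-log lines. It is written for this note; the sample log, the documentation-range IP addresses and the hostnames `www.other-site.example` and `www.dns-host.example` are constructed, not taken from Adam's logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "common" log format (what Apache 1.3 writes by default):
#   host ident authuser [date] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_proxy_style(target):
    """True when the request-target is an absolute URI (scheme://host/...).
    Clients send this form to an HTTP proxy; a request for the server's own
    content normally uses just a path such as /index.html."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def analyze(lines, local_hosts, rate_threshold=3):
    """Summarise per source IP: total requests, requests for URLs on hosts this
    server does not serve, how many of those came back 200 with a body, and the
    busiest single second. Returns only the IPs worth a closer look."""
    local = {h.lower() for h in local_hosts}
    per_ip = defaultdict(lambda: {"requests": 0, "proxy_requests": 0,
                                  "foreign_hosts": set(), "served_with_body": 0,
                                  "per_second": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        s = per_ip[rec["host"]]
        s["requests"] += 1
        s["per_second"][rec["ts"]] += 1  # timestamps have second resolution
        if is_proxy_style(rec["target"]):
            netloc = (urlsplit(rec["target"]).hostname or "").lower()
            if netloc not in local:       # absolute URI for a host we do not serve
                s["proxy_requests"] += 1
                s["foreign_hosts"].add(netloc)
                if rec["status"] == 200 and rec["bytes"] > 0:
                    s["served_with_body"] += 1   # we answered with content: check proxy config
    findings = {}
    for ip, s in per_ip.items():
        peak = max(s["per_second"].values())
        if s["proxy_requests"] or peak >= rate_threshold:
            findings[ip] = {"requests": s["requests"],
                            "proxy_requests": s["proxy_requests"],
                            "foreign_hosts": sorted(s["foreign_hosts"]),
                            "served_with_body": s["served_with_body"],
                            "peak_per_second": peak}
    return findings


# Constructed sample log (documentation-range addresses, invented hostnames),
# shaped like the lines in the thread: one client hammering absolute URLs,
# plus a normal visitor whose second request uses an absolute URI for OUR host
# (legal in HTTP/1.1 and not proxy abuse, so it must not be flagged).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.other-site.example/users/a/webcam/pic.jpg?x HTTP/1.0" 200 0
192.0.2.10 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.other-site.example/users/b/webcam/pic.jpg?x HTTP/1.0" 200 0
192.0.2.10 - - [08/Jun/2002:05:29:49 -0400] "GET http://www.other-site.example/users/c/webcam/pic.jpg?x HTTP/1.0" 200 3262
192.0.2.10 - - [08/Jun/2002:05:29:49 -0400] "HEAD http://www.other-site.example/users/d/webcam/pic.jpg?x HTTP/1.0" 200 0
192.0.2.10 - - [08/Jun/2002:05:29:49 -0400] "GET http://www.other-site.example/users/e/webcam/pic.jpg?x HTTP/1.0" 200 11246
192.0.2.10 - - [08/Jun/2002:05:29:50 -0400] "GET http://www.other-site.example/users/f/webcam/pic.jpg?x HTTP/1.0" 200 11246
198.51.100.7 - - [08/Jun/2002:05:29:50 -0400] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [08/Jun/2002:05:30:01 -0400] "GET http://www.dns-host.example/ HTTP/1.0" 200 1532
"""


def run_sample():
    """Run the analysis over the constructed sample, treating www.dns-host.example as ours."""
    return analyze(SAMPLE_LOG.splitlines(), ["www.dns-host.example"])


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

Run against a real `access_log` by replacing `SAMPLE_LOG.splitlines()` with the file's lines and `local_hosts` with every name the server legitimately answers for. On the sample, only `192.0.2.10` is reported: six absolute-URI requests for a foreign host, three of which were answered `200` with a body, at a peak of five requests in one second. The `served_with_body` count is the one to act on: with a non-proxy Apache it usually just means the default page was served for an odd path, but if it is non-zero and mod_proxy is enabled, verify the server is not forwarding requests for other people.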