Bots hitting my web server?

From: Adam Bultman (adambat_private)
Date: Wed Aug 28 2002 - 13:54:05 PDT

    Question, fellas.
    I know of two boxes that had apache running on them.  Apache 1.3.9, if I'm
    not mistaken, with mod_proxy enabled.  As a result, they were exploited
    and used by someone/something to fetch pages from remote servers. In many
    cases, ads (like, etc) but in most cases, porn. Of
    course porn. Anyway, the night I actually found out, whoever was using
    the servers to fetch every single webcam image from spotlife, and using
    all of my 1 MBit connection to the internet from those two servers.  In my
    own defense, I did not set these servers up.
    Anyway, I obviously closed the hole on those servers ASAP, and was clearly
    logging all data (ip, referrer, etc), expecting the users, as they noticed
    things were broken, to stop using them.  If I closed down the apache
    server, the requests would halt rather quickly.. But once apache was
    restarted, they would come back in a torrent of requests. Well, since all
    they get is a 2k error page, it didn't consume my bandwidth.
    Well, a few months have gone by, and there are still requests. From all
    over.  Canada, the US, other countries, all over.  I've called ISPs. I've
    written abuse lines. I've done everything I can think of to track down who
    is causing this, and exactly how.  Clearly, I've decided (maybe, an hour
    after I noticed the traffic) that it was robots doing the hitting, but my
    question is, what kind of site/robot whatever uses a proxy to just sit and
    hit webcam pages?  Porn pages?  Ads?  The clients (of which there are
    literally thousands) keep coming back, but getting denied. Is this from
    zombies out on the net?  Companies who are referring to my servers for
    their ads?  What's going on?  I no longer mind as much since they don't
    hog my bandwidth, but I still don't know why I get so many hits, and why
    to this day, if I tail my access logs, they still scroll past quite
    Any help would be nice. Thanks.
    Adam Bultman
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 09:28:35 PDT
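
Added example, not part of the original post: one way to pull the proxy-style requests described above out of an Apache access log and count them per client and per requested remote host. The log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined log format (not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2002:13:01:02 -0700] "GET http://cams.example.net/img/1.jpg HTTP/1.0" 403 2048 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Aug/2002:13:01:03 -0700] "GET http://cams.example.net/img/2.jpg HTTP/1.0" 403 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Aug/2002:13:01:04 -0700] "CONNECT mail.example.org:25 HTTP/1.0" 405 312 "-" "-"
203.0.113.5 - - [28/Aug/2002:13:01:05 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2002:13:01:06 -0700] "GET http://ads.example.com/banner.gif HTTP/1.1" 200 9000 "-" "-"
garbage line that does not parse
"""

# Client IP, request method, request target and status from a common/combined log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def proxy_target(method, target):
    """Return the remote host a forward-proxy style request names, else None."""
    if method == "CONNECT":                      # target is host:port
        return target.rsplit(":", 1)[0].lower()
    if re.match(r"(?i)^(https?|ftp)://", target):  # absolute-URI request line
        try:
            return urlsplit(target).hostname or None
        except ValueError:                       # malformed authority
            return None
    return None  # origin-form target such as /index.html: an ordinary request

def summarize(log_text):
    """Count proxy attempts per client and per remote host; list 2xx answers."""
    clients, hosts, answered_2xx = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        host = proxy_target(m["method"], m["target"]) if m else None
        if host is None:
            continue
        clients[m["ip"]] += 1
        hosts[host] += 1
        # A 2xx here needs a look: either the request was relayed, or the
        # server answered with one of its own local pages.
        if m["status"].startswith("2"):
            answered_2xx.append((m["ip"], host))
    return clients, hosts, answered_2xx

if __name__ == "__main__":
    for name, result in zip(("clients", "hosts", "2xx"), summarize(SAMPLE_LOG)):
        print(name, dict(result) if isinstance(result, Counter) else result)
```
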