Bots hitting my web server?

From: Adam Bultman (adambat_private)
Date: Wed Aug 28 2002 - 13:54:05 PDT

Next message: wykkydat_private: "Re: What's going on here?"

Previous message: Mark: "Re: What's going on here?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Question, fellas.

I know of two boxes that had apache running on them.  Apache 1.3.9, if I'm
not mistaken, with mod_proxy enabled.  As a result, they were exploited
and used by someone/something to fetch pages from remote servers. In many
cases, ads (like service.bfast.com, etc) but in most cases, porn. Of
course porn. Anyway, the night I actually found out, whomever was using
the servers to fetch every single webcam image from spotlife, and using
all of my 1 MBit connection to the internet from those two servers.  In my
own defense, I did not set these servers up.

Anyway, I obviously closed the hole on those servers ASAP, and was clearly
logging all data (ip, referrer, etc), expecting the users, as they noticed
things were broken, to stop using them.  If I closed down the apache
server, the requests would halt rather quickly.. But once apache was
restarted, they would come back in a torrent of requests. Well, since all
they get is a 2k error page, it didn't consume my bandwidth.

Well, a few months has gone by, and there are still requests. From all
over.  Canada, the US, other countries, all over.  I've called ISPs. I've
written abuse lines. I've done everything I can think of to track down who
is causing this, and excatly how.  Clearly, I've decided (maybe, an hour
after I noticed the traffic) that it was robots doing the hitting, but my
question is, what kind of site/robot whatever uses a proxy to just sit and
hit webcam pages?  Porn pages?  Ads?  The clients (of which were are
literally thousands) keep coming back, but getting denied. Is this from
zombies out on the net?  Companies who are referring to my servers for
their ads?  What's going on?  I no longer mind as much since they don't
hog my bandwidth, but I still don't know why I get so many hits, and why
to this day, if I tail my access logs, they still scroll past quite
rapidly.

Any help would be nice. Thanks.

Adam




-- 
Adam Bultman


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: wykkydat_private: "Re: What's going on here?"
Previous message: Mark: "Re: What's going on here?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 09:28:35 PDT