Strange Apache logs - maybe DDOS?

From: Christian Schwede (cschwede@delphi-gmbh.de)
Date: Fri Nov 15 2002 - 01:31:30 PST

Next message: H C: "re: Help - a possible bot"

Previous message: Security Consultant: "Spoofed RFC1918 Network Source Addresses..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Hi everybody, I have a little problem with our apache server. This is what my logs show me: access_log: [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:30 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe34" 501 - error_log: [Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E [Wed Nov 13 12:39:51 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?J [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?= [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?7 [Wed Nov 13 12:39:54 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?4 [Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?@ So, what the heck is trying to access my server? I looked around at google for spyware or worm signatures, but none of them fits. Has anybody else seen this? It started on Monday, 21.Oct. 2002. We already had 630.000 (in words: more than sixhundredthousands!) requests of this type. That are more than 200.000 requests a week. I really don't know what this is, but i think it's spyware. Can i prevent apache from responding to this requests? Maybe with the <FilesMatch> directive? Please Help me, tia! Christian ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: H C: "re: Help - a possible bot"
Previous message: Security Consultant: "Spoofed RFC1918 Network Source Addresses..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 06:11:09 PST