Looks like you're being spammed by an Outwar player. Outwar.com is hosting a free MMORPG. Some users use scripts to cheat the game recruiting system, which has a very strict anti-spam policy. You could eventually check their anti-spam policy at http://www.outwar.com/spampolicy.php and report the abuse, log excerpts attached.

Regards,
Carmen

-----Original Message-----
From: Travis Read [mailto:travisrat_private]
Sent: Wednesday, February 26, 2003 3:57 AM
To: incidentsat_private
Subject: Weird apache logs

Over the last few days I've noticed a number of weird GET requests in my apache logs. Has anybody else seen this kind of traffic or have any idea what's causing it?

66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:03:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:07:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:29:06 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
62.0.128.157 - - [26/Feb/2003:06:40:34 +0800] "GET http://www.outwar.com/page.php?x=237155&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
172.171.210.56 - - [24/Feb/2003:11:55:02 +0800] "GET http://www.outwar.com/page.php?x=137196&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
24.147.33.83 - - [24/Feb/2003:20:27:38 +0800] "GET http://www.outwar.com/page.php?x=309737&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"

In a 24-hour period:

pluto:/var/log# cat /var/log/apache/access.log | grep www.outwar.com | wc -l
189

* The traffic is from all over the place (i.e. distributed)
* every now and again the GET request contains a white space after x=number which generates a different 400 error instead of a 404.

The traffic doesn't hurt my network at all, but it is starting to fill log files. Are they just doing a probe to see what version of apache I'm running?

I also noticed this once:

217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"

The version of apache I'm running:

pluto:/var/log# telnet 0 80
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Feb 2003 01:56:28 GMT
Server: Apache/1.3.26 (Unix) Debian GNU/Linux mod_gzip/1.3.19.1a PHP/4.1.2 mod_perl/1.26
X-Powered-By: PHP/4.1.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.

Kind regards,
------------------------------------------------------------------------------
Travis Read travisrat_private | Level 6, Durack House, 263 Adelaide Terrace
------------------------------------------------------------------------------
" there is a war going on, it's not about who has the most bullets, it's about who controls the information " - SNEAKERS
------------------------------------------------------------------------------
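A way to summarise this kind of traffic for an abuse report, as an added example that is not part of the original posts: it groups requests whose target is an absolute URI for a host the server does not serve, and counts hits, distinct clients and status codes per host. The local hostname `pluto.example.org` and the two `192.0.2.x` lines are constructed assumptions; the other sample lines are copied from the logs quoted above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Client IP, quoted request line and status from Apache common/combined format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*?)" (\d{3}) ')

# Sample input: five lines from the thread plus two constructed local requests.
SAMPLE = r'''
66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
62.0.128.157 - - [26/Feb/2003:06:40:34 +0800] "GET http://www.outwar.com/page.php?x=237155&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"
217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"
192.0.2.10 - - [26/Feb/2003:07:00:00 +0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
192.0.2.11 - - [26/Feb/2003:07:00:05 +0800] "GET http://pluto.example.org/ HTTP/1.1" 200 512 "-" "-"
'''

def foreign_proxy_requests(lines, local_hosts):
    """Group proxy-style requests: absolute URI naming a host we do not serve."""
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "statuses": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, request, status = m.groups()
        parts = request.split(" ")
        if len(parts) < 2:
            continue  # not an HTTP request line, e.g. the raw "\x05\x01" entry
        target = parts[1]  # a stray space later in the URL (the 400 case) leaves the host intact
        if not target.lower().startswith(("http://", "https://")):
            continue  # ordinary origin-form request such as "/index.html"
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:
            continue  # malformed authority; skip rather than abort the run
        if host and host not in local_hosts:
            entry = report[host]
            entry["hits"] += 1
            entry["clients"].add(client)
            entry["statuses"][status] += 1
    return dict(report)

if __name__ == "__main__":
    result = foreign_proxy_requests(SAMPLE.strip().splitlines(), {"pluto.example.org"})
    for host, e in result.items():
        print(host, e["hits"], "hits from", len(e["clients"]), "clients", dict(e["statuses"]))
```

Absolute-URI requests that name the server's own host are valid HTTP/1.1 and are deliberately excluded, so `local_hosts` should list every name the server answers for.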
This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 12:58:47 PST