Posted to users@httpd.apache.org by Chris Cioffi <ot...@stopthesanity.org> on 2002/08/29 00:24:15 UTC

[users@httpd] Help: Getting HUGE number of hits from wrong sites

Hi there,

I've been monitoring my access logs for the last several days and have
noticed that I get a HUGE number (20k+/day) of page requests for domains
that have nothing to do with me.

Most of the sites are pr0n related.  I've gone through the DNS records with
dig and I can't figure out why the requests are being sent to me.

Here's a sample line:
stopthesanity.org 24.90.155.12 - - \
    [28/Aug/2002:17:55:14 -0400] \
   "GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0"
\
    404 221 "http://anonymous:nobody@nowhere.com@www.southern-\
    charms.com/accalia/private/members.htm" \
    "Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"

The requesting IP isn't related to anything on my or my ISPs network
(64.83.*) and dig gives the following southern-charms.com report:

; <<>> DiG 8.3 <<>> southern-charms.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      southern-charms.com, type = A, class = IN

;; ANSWER SECTION:
southern-charms.com.    6d15h30m39s IN A  64.159.87.117

;; AUTHORITY SECTION:
southern-charms.com.    5h33m43s IN NS  NS1.CANDIDHOSTING.com.
southern-charms.com.    5h33m43s IN NS  NS2.CANDIDHOSTING.com.

;; ADDITIONAL SECTION:
NS1.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.4
NS2.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.10

;; Total query time: 30 msec
;; FROM: discord.stopthesanity.org to SERVER: default -- 127.0.0.1
;; WHEN: Wed Aug 28 18:19:20 2002
;; MSG SIZE  sent: 37  rcvd: 135

I've done dozens of digs on various domains.  It's not just coming from a
single hosting company.

If it helps, I've also run an error log report from ScanErr.  It reports
many thousands (100k+) of proxy errors over the last month.  Could this be
caused by a misconfigured proxy server?  Does anyone know of a way I might
backtrack to where this is coming from?

TIA.  This is really cutting into my bandwidth and since I only have a 384k
DSL line I'd like to resolve this issue.  As a last resort I'm considering
requesting new IPs from my ISP, but that would be *very* disruptive.  (I not
only host my own stuff, but I do DNS and mail backup for a few other
companies.)

Chris
--
Chris <ch...@stopthesanity.org>
  Junior Birdman(TM) in training
  http://stopthesanity.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Chris Cioffi <ot...@stopthesanity.org>.
Thanks for the reply.  I verified that I'm at least not a wide open proxy.

Chris
--
Chris <ch...@stopthesanity.org>
  Junior Birdman(TM) in training
  http://stopthesanity.org
----- Original Message -----
From: "Anders Widman" <an...@tnonline.net>
To: "Chris Cioffi" <us...@httpd.apache.org>
Sent: Wednesday, August 28, 2002 6:31 PM
Subject: Re: [users@httpd] Help: Getting HUGE number of hits from wrong
sites


[snip]
>
> Are you sure you are not wide open to use as a proxy from the net?
> Double check your configuration files.
>
> - Anders
>
>






Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Anders Widman <an...@tnonline.net>.
> Hi there,

> I've been monitoring my access logs for the last several days and have
> noticed that I get a HUGE number (20k+/day) of page requests for domains
> that have nothing to do with me.

> Most of the sites are pr0n related.  I've gone through the DNS records with
> dig and I can't figure out why the requests are being sent to me.

> Here's a sample line:
> stopthesanity.org 24.90.155.12 - - \
>     [28/Aug/2002:17:55:14 -0400] \
>    "GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0"
> \
>     404 221 "http://anonymous:nobody@nowhere.com@www.southern-\
>     charms.com/accalia/private/members.htm" \
>     "Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"

This looks like they are trying to use you as a proxy server...


> The requesting IP isn't related to anything on my or my ISPs network
> (64.83.*) and dig gives the following southern-charms.com report:

> ; <<>> DiG 8.3 <<>> southern-charms.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      southern-charms.com, type = A, class = IN

> ;; ANSWER SECTION:
> southern-charms.com.    6d15h30m39s IN A  64.159.87.117

> ;; AUTHORITY SECTION:
> southern-charms.com.    5h33m43s IN NS  NS1.CANDIDHOSTING.com.
> southern-charms.com.    5h33m43s IN NS  NS2.CANDIDHOSTING.com.

> ;; ADDITIONAL SECTION:
> NS1.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.4
> NS2.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.10

> ;; Total query time: 30 msec
> ;; FROM: discord.stopthesanity.org to SERVER: default -- 127.0.0.1
> ;; WHEN: Wed Aug 28 18:19:20 2002
> ;; MSG SIZE  sent: 37  rcvd: 135

> I've done dozens of digs on various domains.  It's not just coming from a
> single hosting company.

> If it helps, I've also run an error log report from ScanErr.  It reports
> many thousands (100k+) of proxy errors over the last month.  Could this be
> caused by a misconfigured proxy server?  Does anyone know of a way I might
> backtrack to where this is coming from?

Are you sure you are not wide open to use as a proxy from the net?
Double check your configuration files.

- Anders


> TIA.  This is really cutting into my bandwidth and since I only have a 384k
> DSL line I'd like to resolve this issue.  As a last resort I'm considering
> requesting new IPs from my ISP, but that would be *very* disruptive.  (I not
> only host my own stuff, but I do DNS and mail backup for a few other
> companies.)

> Chris
> --
> Chris <ch...@stopthesanity.org>
>   Junior Birdman(TM) in training
>   http://stopthesanity.org







Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Chris Cioffi <ot...@stopthesanity.org>.
Well, I've contacted my ISP to start trying to figure out what's going on
here.

I was running an Apache proxy back to a Zope server, but that config was
straight from the Zope docs and only permitted access back to and from the
Zope server on the same box.

Since the volume increase only started in July (I hadn't been paying much
attention to my logs) I don't think this was a historical proxy.

Thanks for the link, though.  Better than 99% of the requests resulted in
either 404s or 401s.  I had already done something similar to the virtual
host solution suggested, but since that solution looked more elegant I redid
the config for that.

C
--
Chris <ch...@stopthesanity.org>
  Junior Birdman(TM) in training
  http://stopthesanity.org
----- Original Message -----
From: "Joshua Slive" <jo...@slive.ca>
To: "Apache Users" <us...@httpd.apache.org>
Sent: Wednesday, August 28, 2002 6:39 PM
Subject: Re: [users@httpd] Help: Getting HUGE number of hits from wrong
sites


> On Wed, 28 Aug 2002, Chris Cioffi wrote:
>
[snip]
>
> Given the quantity, it is very likely that at some point in the past you,
> or someone else on that IP, was running an open proxy server.  The IP is
> probably in some hacker's list of open proxy servers.  More details about
> the issue are available in the FAQ:
> http://httpd.apache.org/docs/misc/FAQ.html#proxyscan
>
> But there is really nothing you can do from Apache to stop these things,
> other than make sure you are not running an open proxy.  If it is really
> eating up your bandwidth, then it should be considered a denial-of-service
> attack and you should ask your ISP and the ISP of the malicious client to
> help you get it stopped.
>
> Joshua.
>
>
>
>
>





RE: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Koen Vingerhoets <ko...@ubench.com>.
Hi,

hackerz use proxies like yours to stay anonymous.
We had the same problem, until I reviewed the firewall.
In 2 days time, it stopped.

Met vriendelijke groet,

Koen Vingerhoets

***** UBench nv *****
http://www.ubench.com
____________________________________________
The information contained in this electronic mail message is privileged and
confidential, and is intended only for use of the addressee. If you are not
the intended recipient, you are hereby notified that any disclosure,
reproduction, distribution or other use of this communication is strictly
prohibited.

If you have received this communication in error, please notify the sender
by reply transmission and delete the message without copying or disclosing it.


-----Original Message-----
From: Craig [mailto:craigm@nsutah.com]
Sent: 29 August 2002 14:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] Help: Getting HUGE number of hits from wrong
sites


Joshua Slive wrote:
> On Wed, 28 Aug 2002, Chris Cioffi wrote:
>>
>>I've been monitoring my access logs for the last several days and have
>>noticed that I get a HUGE number (20k+/day) of page requests for domains
>>that have nothing to do with me.
>
> But there is really nothing you can do from Apache to stop these things,
> other than make sure you are not running an open proxy.  If it is really
> eating up your bandwidth, then it should be considered a denial-of-service
> attack and you should ask your ISP and the ISP of the malicious client to
> help you get it stopped.

Really?  I was seeing this same situation earlier this year.  I have
proxying turned on to proxy for some machines inside our net and had
trouble at first getting it configured right.  Either it would proxy for
everybody or nobody.  I finally got it figured out so that it would only
allow proxy requests from internal machines (10.*) and reject all others.

At first, my logs were FULL of fulfilled proxy requests (from external
addresses), then after I made the change, it was full of 403 (rejected)
proxy requests.  Now I have a few proxy requests from the outside, but
not many.

In short, isn't there some sort of "search tool" that finds proxy
servers then uses that accumulated knowledge--kinda like email
scavengers and web searches?  I would be fairly certain that they bounce
these requests off your proxy to provide some sort of "anonymous" service.

Craig.









Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Craig <cr...@nsutah.com>.
Joshua Slive wrote:
> On Wed, 28 Aug 2002, Chris Cioffi wrote:
>>
>>I've been monitoring my access logs for the last several days and have
>>noticed that I get a HUGE number (20k+/day) of page requests for domains
>>that have nothing to do with me.
> 
> But there is really nothing you can do from Apache to stop these things,
> other than make sure you are not running an open proxy.  If it is really
> eating up your bandwidth, then it should be considered a denial-of-service
> attack and you should ask your ISP and the ISP of the malicious client to
> help you get it stopped.

Really?  I was seeing this same situation earlier this year.  I have 
proxying turned on to proxy for some machines inside our net and had 
trouble at first getting it configured right.  Either it would proxy for 
everybody or nobody.  I finally got it figured out so that it would only 
allow proxy requests from internal machines (10.*) and reject all others.

At first, my logs were FULL of fulfilled proxy requests (from external 
addresses), then after I made the change, it was full of 403 (rejected) 
proxy requests.  Now I have a few proxy requests from the outside, but 
not many.

In short, isn't there some sort of "search tool" that finds proxy 
servers then uses that accumulated knowledge--kinda like email 
scavengers and web searches?  I would be fairly certain that they bounce 
these requests off your proxy to provide some sort of "anonymous" service.

Craig.



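As an added example (not code from anyone in this thread), here is a small Python check a site owner could run over access log lines in the format Chris posted: it counts proxy-style requests (an absolute URI naming some other host) and, as Craig's 403-versus-fulfilled observation suggests, tells served from refused ones. Only the first sample line is from the thread; the others are constructed with RFC 5737 test addresses and example.* hosts.

```python
"""Spot forward-proxy requests in an Apache access log and tell served from refused ones."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Field order as in the line Chris posted: vhost, client, ident, user, [time],
# "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the first line is the one from the thread (unwrapped); the
# rest use RFC 5737 test addresses and example.* hosts and are made up for this example.
SAMPLE_LOG = [
    'stopthesanity.org 24.90.155.12 - - [28/Aug/2002:17:55:14 -0400] "GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0" 404 221 "http://anonymous:nobody@nowhere.com@www.southern-charms.com/accalia/private/members.htm" "Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"',
    'stopthesanity.org 192.0.2.10 - - [28/Aug/2002:17:56:01 -0400] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    'stopthesanity.org 203.0.113.5 - - [28/Aug/2002:17:56:40 -0400] "GET http://www.example.com/ HTTP/1.0" 200 4096 "-" "Mozilla/4.0"',
    'stopthesanity.org 203.0.113.5 - - [28/Aug/2002:17:57:02 -0400] "GET http://www.example.net/x.htm HTTP/1.0" 403 285 "-" "Mozilla/4.0"',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_proxy_request(entry):
    """True for an absolute http(s) URI naming some other host (a forward-proxy request).
    HTTP/1.1 permits an absolute URI for the server's own host, so that is not flagged."""
    parts = urlsplit(entry["target"])
    return parts.scheme in ("http", "https") and bool(parts.netloc) and parts.hostname != entry["vhost"]

def summarize(lines):
    """Count proxy-style requests, how many were actually served (2xx/3xx), and who sent them.
    Many 'proxy' hits with 'proxy_served' == 0 means you are being probed from stale open-proxy
    lists but refusing them (Craig's 403 case); any served hit means you are relaying for outsiders."""
    stats = {"total": 0, "proxy": 0, "proxy_served": 0, "unparsed": 0,
             "by_client": Counter(), "by_target_host": Counter()}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            stats["unparsed"] += 1  # a wrapped or foreign-format line: count it, do not crash
            continue
        stats["total"] += 1
        if not is_proxy_request(entry):
            continue
        stats["proxy"] += 1
        stats["by_client"][entry["client"]] += 1
        stats["by_target_host"][urlsplit(entry["target"]).hostname] += 1
        if entry["status"][0] in "23":
            stats["proxy_served"] += 1
    return stats
```

Run `summarize(open("access_log"))` over a real log and look at `by_client.most_common()` to see which addresses to report to your ISP, and at `proxy_served` to confirm the server is not still relaying.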


Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 28 Aug 2002, Chris Cioffi wrote:

> Hi there,
>
> I've been monitoring my access logs for the last several days and have
> noticed that I get a HUGE number (20k+/day) of page requests for domains
> that have nothing to do with me.
>
> Most of the sites are pr0n related.  I've gone through the DNS records with
> dig and I can't figure out why the requests are being sent to me.
>
> Here's a sample line:
> stopthesanity.org 24.90.155.12 - - \
>     [28/Aug/2002:17:55:14 -0400] \
>    "GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0"
> \
>     404 221 "http://anonymous:nobody@nowhere.com@www.southern-\
>     charms.com/accalia/private/members.htm" \
>     "Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"
>

> TIA.  This is really cutting into my bandwidth and since I only have a 384k
> DSL line I'd like to resolve this issue.  As a last resort I'm considering
> requesting new IPs from my ISP, but that would be *very* disruptive.  (I not
> only host my own stuff, but I do DNS and mail backup for a few other
> companies.)

Given the quantity, it is very likely that at some point in the past you,
or someone else on that IP, was running an open proxy server.  The IP is
probably in some hacker's list of open proxy servers.  More details about
the issue are available in the FAQ:
http://httpd.apache.org/docs/misc/FAQ.html#proxyscan

But there is really nothing you can do from Apache to stop these things,
other than make sure you are not running an open proxy.  If it is really
eating up your bandwidth, then it should be considered a denial-of-service
attack and you should ask your ISP and the ISP of the malicious client to
help you get it stopped.

Joshua.

