Posted to users@httpd.apache.org by haresh ghoghari <hd...@yahoo.com> on 2004/10/11 11:27:21 UTC

[users@httpd] How to stop request in Apache 1.3 (request coming for proxy)

Dear all,
I am facing one problem.
I am using Apache 1.3.
In my domain there are numerous connections.

Requests are coming from different IPs; all IPs are accessing
only two pages, 6.jpg and 5.jpg, but they are not present
on my webserver.

Using netstat I see all connections are getting
established.

I also took the access.log of 6 hours and I found there
are requests from 29000 unique IPs, and the IPs are repeated
after every 6 hours.

Because of this Apache is going down, and it is
not possible to drop the connections of 29000 IPs using a
firewall like iptables.
Is there any module or anything with which I can stop
requests for the two pages 6.jpg & 5.jpg?

Using snort I analyzed the TCP header; I got the following in common
in all requests:
"
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-
Referer: http://www.amchogoa.com/Hotels/whispering/tariff.htm^M
Accept-Language: en-us^M
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)^M
Via: 1.0 proxy2.timesgroup.com:80 (Squid/2.4.STABLE6)^M
X-Forwarded-For: 10.100.200.252^M
Host: www.amchogoa.com^M
Cache-Control: max-age=259200^M
Connection: keep-aliv
"


Thanking you
from
Haresh


		

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Re: How to stop request in Apache 1.3 (request coming for proxy)

Posted by Michelle Konzack <li...@freenet.de>.
Hello Haresh, 

On 2004-10-12 21:16:00, haresh ghoghari wrote:
> Thanks Michelle for taking interest in my problem..
> 1) 
> I think it cannot be a DoS attack because all connections
> are getting established..


> The above header is what I am getting using Snort IDS 
> 
> I am sending the access log of Apache ..
> 
> [Sun Oct  3 00:16:51 2004] [error] [client
> 68.155.149.14] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/
> [Sun Oct  3 00:16:52 2004] [error] [client
> 80.55.107.58] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/b
> [Sun Oct  3 00:16:52 2004] [error] [client
> 24.107.43.252] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/
> [Sun Oct  3 00:16:52 2004] [error] [client
> 12.73.73.55] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/b.
> [Sun Oct  3 00:16:52 2004] [error] [client
> 67.168.58.34] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/b
> [Sun Oct  3 00:16:52 2004] [error] [client
> 66.42.1.110] File does not exist:
> /home/webdata/panash/gardameditech.com/htdocs/5.

Do the requests come over the proxy2.... ?
I mean ALL ?

Then I think the proxy had a crash.

I was using SQUID on WOODY on my router and I had a crash because of a DoS,
and after the crash I had a corrupted filesystem which had mangled my
filenames from the cache if anyone had requested a document from my servers.

A possibility...

> That is the error log of Apache ...
> 
> Thanking you 
> Haresh


Greetings
Michelle


Re: [users@httpd] Re: How to stop request in Apache 1.3 (request coming for proxy)

Posted by haresh ghoghari <hd...@yahoo.com>.
Thanks Michelle for taking interest in my problem..
1) 
I think it cannot be a DoS attack because all connections
are getting established..
2) 
> > Accept: image/gif, image/x-xbitmap, image/jpeg,
> > image/pjpeg, application/vnd.ms-
> > Referer:
> > http://www.amchogoa.com/Hotels/whispering/tariff.htm^M
> 
> I have checked out this HTML page and there are no
> links to a 5.jpg or 6.jpg
> 
> > Accept-Language: en-us^M
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
> > NT 5.1)^M
> > Via: 1.0 proxy2.timesgroup.com:80
> > (Squid/2.4.STABLE6)^M
> 

The above header is what I am getting using Snort IDS 

I am sending the access log of Apache ..

That is the error log of Apache ...

Thanking you 
Haresh

--- Michelle Konzack <li...@freenet.de> wrote:

> On 2004-10-11 02:27:21, haresh ghoghari wrote:
> > Dear all
> 
> > Requests are coming from different IPs; all IPs are accessing
> > only two pages, 6.jpg and 5.jpg, but they are not present
> > on my webserver.
> 
> Hmmm...
> 
> > I also took the access.log of 6 hours and I found there
> > are requests from 29000 unique IPs, and the IPs are repeated
> > after every 6 hours.
> 
> Maybe a DoS attack...
> 
> > Using snort I analyzed the TCP header; I got the following in common
> > in all requests:
> > "
> > Accept: image/gif, image/x-xbitmap, image/jpeg,
> > image/pjpeg, application/vnd.ms-
> > Referer:
> > http://www.amchogoa.com/Hotels/whispering/tariff.htm^M
> 
> I have checked out this HTML page and there are no
> links to a 5.jpg or 6.jpg
> 
> > Accept-Language: en-us^M
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
> > NT 5.1)^M
> > Via: 1.0 proxy2.timesgroup.com:80
> > (Squid/2.4.STABLE6)^M
> 
> Because they come via a proxy, maybe this is a real
> DoS attack
> 
> Please can you check out other packages arriving on
> your server. 
> It might be interesting whether the other requests
> are coming via proxies too.
> 
> > X-Forwarded-For: 10.100.200.252^M
> 
> Is this your Server ?
> 
> > Thanking you
> > from
> > Haresh
> 
> Michelle
> 
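
Added example, not part of the original thread: a Python sketch that re-joins mail-wrapped Apache error_log records of the kind posted in this thread and counts distinct clients and requested file names among the "File does not exist" errors. The sample log is constructed (documentation IP ranges, a placeholder document root), and the names `unwrap` and `summarize` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the mail-wrapped shape seen in the thread
# (documentation IP ranges and a placeholder document root).
SAMPLE = """\
[Sun Oct  3 00:16:51 2004] [error] [client
192.0.2.14] File does not exist:
/var/www/example/htdocs/5.jpg
[Sun Oct  3 00:16:52 2004] [error] [client 192.0.2.14]
File does not exist:
/var/www/example/htdocs/6.jpg
[Sun Oct  3 00:16:53 2004] [error] [client
203.0.113.7] File does not exist:
/var/www/example/htdocs/5.jpg
[Sun Oct  3 00:16:53 2004] [notice] caught SIGTERM, shutting down
"""

# A new record starts with an Apache 1.3 style timestamp in brackets.
RECORD_START = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] ")
MISSING = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>\S+)$")

def unwrap(text):
    """Yield one string per log record, re-joining lines a mailer wrapped."""
    parts = []
    for line in text.splitlines():
        if RECORD_START.match(line) and parts:
            yield " ".join(parts)
            parts = []
        if line.strip():
            parts.append(line.strip())
    if parts:
        yield " ".join(parts)

def summarize(text):
    """Count clients and file names among 'File does not exist' errors."""
    clients, names, skipped = Counter(), Counter(), 0
    for record in unwrap(text):
        m = MISSING.match(record)
        if m is None:
            skipped += 1          # other log levels or truncated records
            continue
        clients[m["ip"]] += 1
        names[m["path"].rsplit("/", 1)[-1]] += 1
    return {"requests": sum(clients.values()), "unique_clients": len(clients),
            "repeat_clients": sorted(ip for ip, n in clients.items() if n > 1),
            "names": dict(names), "skipped": skipped}
```

Calling `summarize(SAMPLE)` gives the request total, the distinct client count, the clients seen more than once and the per-file-name counts in one dictionary.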


[users@httpd] Re: How to stop request in Apache 1.3 (request coming for proxy)

Posted by Michelle Konzack <li...@freenet.de>.
On 2004-10-11 02:27:21, haresh ghoghari wrote:
> Dear all

> Requests are coming from different IPs; all IPs are accessing
> only two pages, 6.jpg and 5.jpg, but they are not present
> on my webserver.

Hmmm...

> I also took the access.log of 6 hours and I found there
> are requests from 29000 unique IPs, and the IPs are repeated
> after every 6 hours.

Maybe a DoS attack...

> Using snort I analyzed the TCP header; I got the following in common
> in all requests:
> "
> Accept: image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, application/vnd.ms-
> Referer:
> http://www.amchogoa.com/Hotels/whispering/tariff.htm^M

I have checked out this HTML page and there are no
links to a 5.jpg or 6.jpg

> Accept-Language: en-us^M
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1)^M
> Via: 1.0 proxy2.timesgroup.com:80
> (Squid/2.4.STABLE6)^M

Because they come via a proxy, maybe this is a real DoS attack

Please can you check out other packages arriving on your server. 
It might be interesting whether the other requests are coming
via proxies too.

> X-Forwarded-For: 10.100.200.252^M

Is this your Server ?

> Thanking you
> from
> Haresh

Michelle

Re: [users@httpd] Re: How to stop request in Apache 1.3 (request coming for proxy)

Posted by haresh ghoghari <hd...@yahoo.com>.
Thanks 

It may be a DDoS attack or a proxy malfunctioning.
Do you have any idea how to prevent this type of attack?


Thanks
Haresh

--- FloSoft <Fl...@gmx.de> wrote:

> Perhaps a possible DDoS-Attack or some kind of proxy is
> malfunctioning ;)
> 

[users@httpd] Re: How to stop request in Apache 1.3 (request coming for proxy)

Posted by FloSoft <Fl...@gmx.de>.
Perhaps a possible DDoS-Attack or some kind of proxy is
malfunctioning ;)
