Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#177037 - 26/08/2003 13:33 Strange web requests
mcomb
pooh-bah

Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
Is anybody else out there with their own website seeing a lot of strange web requests? In the last 10 days I have received 2400 requests from unique IP address all with the same browser string ("Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"), requesting the same page ("/"), none of which have a referrer. For comparison in a normal week I would get maybe 5 or 10 legitimate requests for that URL.

I am wondering if this is just the latest and greatest windows virus looking for new victims or if there is something else going on.

-Mike
_________________________
EmpMenuX - ext3 filesystem - Empeg iTunes integration

Top
#177038 - 26/08/2003 13:43 Re: Strange web requests [Re: mcomb]
RobotCaleb
pooh-bah

Registered: 15/01/2002
Posts: 1866
Loc: Austin
conspiracy

Top
#177039 - 26/08/2003 14:21 Re: Strange web requests [Re: mcomb]
DLF
addict

Registered: 24/07/2003
Posts: 500
Loc: Colorado, N.A.
I know some of the server-based "anonymizers" (using that term generically) pull out the referrer; they may mask the browser string as well, I don't know. Could it be their servers have been victimized?
_________________________
-- DLF

Top
#177040 - 26/08/2003 17:11 Re: Strange web requests [Re: mcomb]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Nope. Nothing that I know of.
I've had trouble before when somebody for some odd reason decided to recursively suck my entire website in one go. But didn't configure it properly so it kept getting confused. It kept going for days and in the end I just blocked that IP in the firewall and left it.

Top
#177041 - 26/08/2003 18:12 Re: Strange web requests [Re: tman]
mcomb
pooh-bah

Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
I've had trouble before when somebody for some odd reason decided to recursively suck my entire website in one go.

Yeah, I thought it was something like that or a badly written spider until I realized that all the source IP addresses were different. This has to be either the worlds least impressive DDOS attack or some virus. I think that shoots down the annonymizer theory as well (all the source IPs would point to the annonymizer proxy IP). Whatever it is it is still happening

-Mike
_________________________
EmpMenuX - ext3 filesystem - Empeg iTunes integration

Top
#177042 - 26/08/2003 18:15 Re: Strange web requests [Re: mcomb]
mcomb
pooh-bah

Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
Would it be wrong of me to go find a nice juicy windows virus and put it at that URL and let all these people download it?

-Mike
_________________________
EmpMenuX - ext3 filesystem - Empeg iTunes integration

Top
#177043 - 26/08/2003 18:22 Re: Strange web requests [Re: mcomb]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
You could try logging the referer to see if that gives you anything. Probably going to end up with nothing but it's worth a try.
It sounds automated so the referer might not even be filled in.

Top
#177044 - 26/08/2003 18:26 Re: Strange web requests [Re: tman]
mcomb
pooh-bah

Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
try logging the referer

The referers are all blank. Every request looks like this (IPs obscured to protect the theoretically innocent)...

x.x.x.x - - [26/Aug/2003:18:22:54 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
y.y.y.y - - [26/Aug/2003:18:23:05 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
z.z.z.z - - [26/Aug/2003:18:23:32 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

-Mike
_________________________
EmpMenuX - ext3 filesystem - Empeg iTunes integration

Top
#177045 - 26/08/2003 18:31 Re: Strange web requests [Re: mcomb]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
My brother owns home.org (which is a massive spam magnet as people think it's cute to enter nobody@home.org etc...) and every so often I'll find a misconfigured ticoga (something like that) client trying to request it's configuration files. It's apparently some sort of remote configuration tool that home.com used. I've always wondered how many machines I could take over I wouldn't have been actively attacking them as they were the ones requesting the file from me...

Top
#177046 - 26/08/2003 19:21 Re: Strange web requests [Re: mcomb]
foxtrot_xray
addict

Registered: 03/03/2002
Posts: 687
Loc: Atlanta, Georgia
Nothing here, either. I *DO* have "/" as a valid URL, and that has about only 900 hits this MONTH. (People usually go straight to the forums.) Do have a few hits that match your crieteria (same browser, blank referrer) but nothing near what you have..

Now here's a dumb question - Running Apache, anyone give me a quick overview on how to pop-up the password box? I did notice, while checking this, that my stat folder's been hit a few times; and not by me or my employer. The only password checking I've done has been thru PHP. I just want something to pop up without running a script. I know there's a way to do it in Apache (using .htaccess or something?), but can't find anything on it..

Me.
_________________________
Mike 'Fox' Morrey 128BPM@124MPH. Love it! 2002 BRG Mini Cooper

Top
#177047 - 26/08/2003 20:35 Re: Strange web requests [Re: foxtrot_xray]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
_________________________
Chad

Top
#177048 - 27/08/2003 06:34 Re: Strange web requests [Re: Attack]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Since the thread's already been hijacked...any ideas on how to get it to authenticate against the system passwd file instead of a .htpasswd (or similar file)? Or is that a bad idea security-wise?
_________________________
~ John

Top
#177049 - 27/08/2003 06:41 Re: Strange web requests [Re: JBjorgen]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Bad idea unless you want your local passwords passed in (essentially) clear text across the internet.
_________________________
Bitt Faulk

Top
#177050 - 27/08/2003 07:11 Re: Strange web requests [Re: mcomb]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
Nachi WebDav scanner?

Top
#177051 - 27/08/2003 07:27 Re: Strange web requests [Re: JBjorgen]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Or is that a bad idea security-wise?

Exceptionally bad idea.

Firstly, it opens an avenue of attack to get /etc/passwd, so an attacker would be more easily able to get a list of users.
Secondly, unlike login or sshd, there is no login throttling with apache, and failed logins are not generally logged to the syslog. So once the attacker has a valid user name (from /etc/passwd) they could write a bot to sit there brute-forcing an attack against your web server. Once the password has been found they could then use telnet or ssh to login for real, and then potentially launch a root attack from there.
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

Top
#177052 - 27/08/2003 11:22 Re: Strange web requests [Re: genixia]
foxtrot_xray
addict

Registered: 03/03/2002
Posts: 687
Loc: Atlanta, Georgia
Very cool guys, thanks. I swear I couldn't get it last time I tried messing with it. Got it now.

Me.
_________________________
Mike 'Fox' Morrey 128BPM@124MPH. Love it! 2002 BRG Mini Cooper

Top