Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Weird Traffic

from [Gary Baribault] Network Security [Permanent Link]
Subject: Re: Weird Traffic
Date: Tue, 27 May 2008 17:15:47 -0400
I've seen that type of stuff in my logs too .. their looking for known pages with vulnerabilities, but that shouldn't generate 1Gig of outbound trafic .. Your sending something out ..

Gary Baribault
Courriel: gary@baribault.net
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013



Jonathan Adams wrote: 
 Well since the last post, I've scanned the drive for large files
 (warez) nothing there...

 aside from the proxying Im getting alot of weird (botnet I guess) traffic

 looks like this:
 [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
 not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
 [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
 not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
 [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does
 not exist: /home/[snip]/www/voyageur.php
 [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not
 exist: /home/[snip]/www/proxy.php
 [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not
 exist: /home/[snip]/www/edit.php
 [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not
 exist: /home/[snip]/www/edit.php
 [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not
 exist: /home/[snip]/www/proxy.php
 [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not
 exist: /home/[snip]/www/edit.php
 [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request
 failed: error reading the headers
 [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not
 exist: /home/[snip]/www/proxy.php
 [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not
 exist: /home/[snip]/www/proxy.php


The 64 address is a serial offender, I' ve over 700 hits from it in
the logs 
 Appears to be in LA California, most likely a hacked server - it has
 the normal ports open
 "IP: 64.56.75.87 Location:
 Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"


 The china stuff in my logs has just shifted to different IPs since the
 last batch of update FW rules, but the traffic is high

123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible; MSIE 6.0;
Windows NT 5.0)"
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible; MSIE 6.0;
Windows NT 5.0)"
laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - -
[27/May/2008:14:38:02 -0
400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1"
404 1277 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705;
.NET CLR 1.1.4322)"
llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET
/robots.txt HTTP /1.0"
200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET
/2008/p/?D=A HTTP /1.0"
200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400]
"GET /robot s.txt
HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET
/school_code_and_files/paper
s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1
(+http://search.msn.com/msnbo
t.htm)"
64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET
http://java-
belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; W indows NT
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400
367 "-" "-" 
 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST
 http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
 NT 5.1; SV1)"
 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST
 http://mp3lux.net/proxy.php H
    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
 NT 5.1; SV1)"

 This is definitely the source of my troubles.

 I've blackholed the serial offending IP's but Im sure it will shift again.


On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@mcts.pl> wrote:
> Have you checked what kind of traffic is flooding you (I mean did you
> perform traffic analyze)?
>
> -----Original Message-----
> From: Jonathan Adams [mailto:keirre.adams@gmail.com]
> Sent: Tuesday, May 27, 2008 1:59 PM
> To: incidents@securityfocus.com
> Subject: Weird Traffic
>
> All,
>
> I have a leased server I use to host some websites and for the past
> week I have been getting traffic warnings. The server has been
> transferring > 1GB of data per day, which is unusually high,
> especially since I moved my mail to Google Apps. I have noticed a
> ridiculous amount of attempted proxying attemptes in my logs, but I do
> not have mod proxy turned on. I suspect my server is on some list. I
> firewalled off a large number of subnets from China and my traffic
> dropped for a few days, then this morning, 2735MB transferred in 24
> hrs.
>
> As of right now, I am planning to blackhole all China traffic, since
> thats where most of this is comming from, along with the occasional
> traffic from France and other places in Eur. Is this common? If so
> are there any other remedies?
>
> --
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus
signature
> database 3135 (20080527) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus
signature 
> database 3135 (20080527) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>




[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Weird Traffic, Jonathan Adams
Next by Date:  Re: Weird Traffic, Michael Gorsuch
Previous by Thread:  Re: Weird Traffic, Jonathan Adams
Next by Thread:  Re: Weird Traffic, Michael Gorsuch
Indexes:  [Date] [Thread] [Top] [All Lists]