Re: Weird Traffic

Hi Jonathan,

to get a quick overview of your http traffic for the last 24h, just
run something like this:

tmp=0; for i in `cat /var/log/apache2/access.log | awk -F'"' '{ print
$3 }' | awk '{ print $2 }' | grep -E '[0-9]+'` ; do tmp=`expr $tmp +
$i`; done ; echo $tmp

on the apache access logfiles containing the requests for the last 24h...


br,
richard


On Tue, May 27, 2008 at 10:31 PM, Jonathan Adams <keirre.adams@gmail.com> wrote:
> Well since the last post, I've scanned the drive for large files
> (warez) nothing there...
>
> aside from the proxying Im getting alot of weird (botnet I guess) traffic
>
> looks like this:
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
> not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
> not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does
> not exist: /home/[snip]/www/voyageur.php
> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request
> failed: error reading the headers
> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
>
>
> The 64 address is a serial offender, I' ve over 700 hits from it in the logs
> Appears to be in LA California, most likely a hacked server - it has
> the normal ports open
> "IP: 64.56.75.87 Location:
> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>
>
> The china stuff in my logs has just shifted to different IPs since the
> last batch of update FW rules, but the traffic is high
>
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
> http://history.jangseong.g
>  o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
> (compatible;                                               MSIE 6.0;
> Windows NT 5.0)"
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
> http://history.jangseong.g
>  o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
> (compatible;                                               MSIE 6.0;
> Windows NT 5.0)"
> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - -
> [27/May/2008:14:38:02 -0
> 400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1"
> 404 1277                                               "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705;
> .NET                                               CLR 1.1.4322)"
> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET
> /robots.txt HTTP                                              /1.0"
> 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
> http://help.yahoo.com/
> help/us/ysearch/slurp)"
> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET
> /2008/p/?D=A HTTP                                              /1.0"
> 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
> http://help.yahoo.com/
> help/us/ysearch/slurp)"
> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400]
> "GET /robot                                              s.txt
> HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET
> /school_code_and_files/paper
>   s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1
> (+http://search.msn.com/msnbo
>    t.htm)"
> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET
> http://java-
> belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; W                                              indows NT
> 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" 
> "-"
> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
>
> This is definitely the source of my troubles.
>
> I've blackholed the serial offending IP's but Im sure it will shift again.
>
>
> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@mcts.pl> wrote:
> > Have you checked what kind of traffic is flooding you (I mean did you
> > perform traffic analyze)?
> >
> > -----Original Message-----
> > From: Jonathan Adams [mailto:keirre.adams@gmail.com]
> > Sent: Tuesday, May 27, 2008 1:59 PM
> > To: incidents@securityfocus.com
> > Subject: Weird Traffic
> >
> > All,
> >
> >  I have a leased server I use to host some websites and for the past
> > week I have been getting traffic warnings. The server has been
> > transferring > 1GB of data per day, which is unusually high,
> > especially since I moved my mail to Google Apps. I have noticed a
> > ridiculous amount of attempted proxying attemptes in my logs, but I do
> > not have mod proxy turned on. I suspect my server is on some list.  I
> > firewalled off a large number of subnets from China and my traffic
> > dropped for a few days, then this morning, 2735MB transferred in 24
> > hrs.
> >
> >  As of right now, I am planning to blackhole all China traffic, since
> > thats where most of this is comming from, along with the occasional
> > traffic from France and other places in Eur. Is this common?  If so
> > are there any other remedies?
> >
> > --
> >
> > "Strength does not come from physical capacity. It comes from an
> > indomitable will." -
> > Mohandas Gandhi
> >
> >
> > __________ Information from ESET NOD32 Antivirus, version of virus signature
> > database 3135 (20080527) __________
> >
> > The message was checked by ESET NOD32 Antivirus.
> >
> > http://www.eset.com
> >
> >
> >
> > __________ Information from ESET NOD32 Antivirus, version of virus signature
> > database 3135 (20080527) __________
> >
> > The message was checked by ESET NOD32 Antivirus.
> >
> > http://www.eset.com
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@gmail.com
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi



-- 
The major quality problem of open mailing lists is that everybody can
take part. (/me)

ATTENTION!
PLEASE ENCRYPT MESSAGES AND ATTACHMENTS IF THEY CONTAIN PRIVATE INFORMATION!