wokabo
Master of Master Baiters
Joined: 23 Sep 2004
Posts: 825
Location: best beer country in onomatopoeia world
|
Posted:
Tue Nov 18, 2008 10:12 am |
|
In my other unreal life, I'm running a small website/forum related to cars. The last few days traffic to my site has increased by 70%, and I noticed that 50% of that increase is coming from 1 single IP address, which is sending out about 150 requests per minute, 24/24h per day.
I've gotten so far as stopping the packets clogging up my forum, but they still keep coming.
Due to the nature of the packets (something like this:
Code: |
GET http://www.partyfax.com/system-cgi/guestbook/guestbook.php?action=sign HTTP/1.0
GET http://www.dora.ne.jp/%7Esign-design/cgi-bin/clever.cgi?mode=res&no=106 HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.shocknewmedia.com/ HTTP/1.0
GET http://alleminem.friendpages.com/ HTTP/1.0
GET http://www.stkorino.8m.net/guest_book.html HTTP/1.0
GET http://www.hre.ntou.edu.tw/%7Emsvlab/e-addguest.htm HTTP/1.0
GET http://kiss.kir.jp/ HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.partyfax.com/ HTTP/1.0
GET http://www.dora.ne.jp/ HTTP/1.0
GET http://www.shocknewmedia.com/guestbook/ HTTP/1.0
GET http://www.stkorino.8m.net/ HTTP/1.0
GET http://jangbook.andrejshp.de/addentry.php HTTP/1.0
GET http://www.hre.ntou.edu.tw/ HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.shocknewmedia.com/ HTTP/1.0
GET http://jangbook.andrejshp.de/ HTTP/1.0
|
), I assume it's all coming from a hijacked zombie PC.
How do you stop such a thing? I already sent an abuse message to its ISP, but that didn't seem to help.
Any other suggestions? |
Last edited by wokabo on Wed Nov 19, 2008 9:15 am; edited 1 time in total |
|
|
|
Jay leno
train boi
Joined: 04 Nov 2008
Posts: 697
|
Posted:
Tue Nov 18, 2008 11:35 am |
|
Do you have the IP?
Block the IP on cPanel or Apache.
It seems the IP your site was assigned (assuming it's a VPS or dedi) has been recycled and used to be a proxy.
If it's shared hosting, someone has tried setting up a proxy very badly. |
|
|
|
Knuckles
Not quite a Newb
Joined: 04 Nov 2008
Posts: 35
Location: South Africa
|
Posted:
Tue Nov 18, 2008 11:56 am |
|
On my own server I've used /etc/hosts.deny to stop some Russians that tried to hack into my server and persisted in doing so over a period of days. |
|
|
|
|
Jay leno
train boi
Joined: 04 Nov 2008
Posts: 697
|
Posted:
Tue Nov 18, 2008 12:09 pm |
|
|
|
|
wokabo
Master of Master Baiters
Joined: 23 Sep 2004
Posts: 825
Location: best beer country in onomatopoeia world
|
Posted:
Tue Nov 18, 2008 2:14 pm |
|
^^That would help if it was my own server. I don't think I have access to my host's /etc folder.
All I have to block IPs is a .htaccess file.
I also have something/someone posting silly messages in the forum, identifying itself/himself as XRumerTest. These come from different (random?) IP addresses.
[EDIT:]
Adding a load of IP addresses in that .htaccess file seems to have done the trick, XRumer blocked in the code too.
I'd still prefer to be able to stop it at the source though. |
|
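Added example, not part of the original thread: a small Python script that reads an Apache access log, flags proxy-style requests like the ones quoted in the first post (a request line naming somebody else's host), counts them per client IP and prints the matching .htaccess deny lines. The hostnames in `OWN_HOSTS`, the client IP addresses and the log lines are constructed for illustration; only the requested URLs are taken from the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: placeholder names for the forum's own hostnames.
OWN_HOSTS = {"cars.example", "www.cars.example"}

# Apache common/combined log format: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Constructed sample log; client IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2008:10:00:01 +0100] "GET http://www.partyfax.com/ HTTP/1.0" 404 209
203.0.113.7 - - [18/Nov/2008:10:00:01 +0100] "GET http://stolen.stoptape.com/ HTTP/1.0" 404 209
198.51.100.20 - - [18/Nov/2008:10:00:02 +0100] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [18/Nov/2008:10:00:02 +0100] "GET http://www.dora.ne.jp/%7Esign-design/cgi-bin/clever.cgi?mode=res&no=106 HTTP/1.0" 404 209
198.51.100.20 - - [18/Nov/2008:10:00:03 +0100] "GET http://www.cars.example/forum/ HTTP/1.1" 200 4096
192.0.2.55 - - [18/Nov/2008:10:00:04 +0100] "GET http://kiss.kir.jp/ HTTP/1.0" 404 209
203.0.113.7 - - [18/Nov/2008:10:00:05 +0100] "GET http://www.shocknewmedia.com/guestbook/ HTTP/1.0" 404 209
"""

def is_proxy_probe(method, target):
    """True when the request asks this server to fetch a host that is not ours."""
    if method == "CONNECT":
        return True  # tunnel request, only meaningful to a proxy
    if not target.lower().startswith(("http://", "https://")):
        return False  # ordinary origin-form request such as /forum/index.php
    host = (urlsplit(target).hostname or "").lower()
    return host not in OWN_HOSTS  # absolute URI for our own host is legitimate

def proxy_probe_counts(log_text):
    """Count proxy-style requests per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_proxy_probe(m["method"], m["target"]):
            counts[m["ip"]] += 1
    return counts

def htaccess_rules(counts, threshold=3):
    """Apache 2.2-style deny lines for clients at or above the threshold."""
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in offenders]

if __name__ == "__main__":
    print("\n".join(htaccess_rules(proxy_probe_counts(SAMPLE_LOG))))
```

The threshold keeps a single stray probe from getting an address blocked; the deny lines only stop the responses, so the requests themselves still reach the server, as noted in the thread.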
|
|
|