SmartFeedSmartFeed          

Porsche Hangout


WELCOME - YOU ARE CURRENTLY VIEWING 419EATER AS A GUEST

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

ScamWarners.com - Internet Anti-Fraud Center - now open!


 Help: How to stop a zombie PC (EDIT: sort of OK now)

View next topic
View previous topic
 
Post new topicReply to topic
Author Message
wokabo
Master of Master Baiters


Joined: 23 Sep 2004
Posts: 825
Location: best beer country in onomatopoeia world


PostPosted: Tue Nov 18, 2008 10:12 am Reply with quoteBack to top

in my other unreal live, I'm running a small website/forum related to cars. The last few days traffic to my site has increased by 70%, and I noticed that 50% of that increase is coming from 1 single IP address, which is sending out about 150 requests per minute, 24/24h per day.

I've gotten so far as stopping the packets clogging up my forum, but they still keep coming.
Due to the nature of the packets (something like this:
Code:
GET http://www.partyfax.com/system-cgi/guestbook/guestbook.php?action=sign HTTP/1.0
GET http://www.dora.ne.jp/%7Esign-design/cgi-bin/clever.cgi?mode=res&no=106 HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.shocknewmedia.com/ HTTP/1.0
GET http://alleminem.friendpages.com/ HTTP/1.0
GET http://www.stkorino.8m.net/guest_book.html HTTP/1.0
GET http://www.hre.ntou.edu.tw/%7Emsvlab/e-addguest.htm HTTP/1.0
GET http://kiss.kir.jp/ HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.partyfax.com/ HTTP/1.0
GET http://www.dora.ne.jp/ HTTP/1.0
GET http://www.shocknewmedia.com/guestbook/ HTTP/1.0
GET http://www.stkorino.8m.net/ HTTP/1.0
GET http://jangbook.andrejshp.de/addentry.php HTTP/1.0
GET http://www.hre.ntou.edu.tw/ HTTP/1.0
GET http://stolen.stoptape.com/ HTTP/1.0
GET http://www.shocknewmedia.com/ HTTP/1.0
GET http://jangbook.andrejshp.de/ HTTP/1.0

, I assume it's all coming from a hijacked zombie PC.

How do you stop such a thing? I already sent an abuse message to it's ISP, but that didn't seem to help.
Any other suggestions?

_________________
pony pony pony

Fight My Brute

Last edited by wokabo on Wed Nov 19, 2008 9:15 am; edited 1 time in total
View user's profileSend private message
Jay leno
train boi


Joined: 04 Nov 2008
Posts: 697


PostPosted: Tue Nov 18, 2008 11:35 am Reply with quoteBack to top

Do you have the IP?

Block the IP on cPanel or Apache

It seems the IP your site was assigned (Assuming its a VPS or Dedi) has been recycled and used to be a proxy

If its shared hosting someone has tried setting up a proxy very badly

_________________
Closed lad accounts
Safari Western Union Modality
Leno Phone Modality
My MoneyGram form
Version2 of the Moneygram form courtesy of manbiteslion with a 9 digit MTCN

nope please do not worry abt me any more i quit - Barr Jimmy Tan
HAVE YOU EVER TASTED HELL.YOU HAVE A DISEASE AND YOU REFUSE TO CURE IT.THAT IS FREE VISA TO HELL.YOU JUST LIED AND DECEIVE, I HAVE REPORTED YOU TO FBI AND JAY LENO SHOW - Fred W1lly
Free Pastor Frank
View user's profileSend private message
Knuckles
Not quite a Newb


Joined: 04 Nov 2008
Posts: 35
Location: South Africa


PostPosted: Tue Nov 18, 2008 11:56 am Reply with quoteBack to top

On my own server I've used

/etc/hosts.deny

to stop some Russians that tried to hack into my server and persisted to do so over a period of days
View user's profileSend private message
Jay leno
train boi


Joined: 04 Nov 2008
Posts: 697


PostPosted: Tue Nov 18, 2008 12:09 pm Reply with quoteBack to top

What knuckles used is perfect aswell

_________________
Closed lad accounts
Safari Western Union Modality
Leno Phone Modality
My MoneyGram form
Version2 of the Moneygram form courtesy of manbiteslion with a 9 digit MTCN

nope please do not worry abt me any more i quit - Barr Jimmy Tan
HAVE YOU EVER TASTED HELL.YOU HAVE A DISEASE AND YOU REFUSE TO CURE IT.THAT IS FREE VISA TO HELL.YOU JUST LIED AND DECEIVE, I HAVE REPORTED YOU TO FBI AND JAY LENO SHOW - Fred W1lly
Free Pastor Frank
View user's profileSend private message
wokabo
Master of Master Baiters


Joined: 23 Sep 2004
Posts: 825
Location: best beer country in onomatopoeia world


PostPosted: Tue Nov 18, 2008 2:14 pm Reply with quoteBack to top

^^That would help if it was my own server. I don't think I have access to my host's /etc folder.

All I have to block IP's is a .htaccess file.

I also have something/someone posting silly messages in the forum, identifying itself/himself as XRumerTest. These come from different (random?) IP addresses.

[EDIT:]
adding a load of IP addresses in that .htaccess file seems to have done the trick, Xrumer blocked in the code too.

I'd still prefer to be able to stop it at the source though.

_________________
pony pony pony

Fight My Brute
View user's profileSend private message
Display posts from previous:      
Post new topicReply to topic


 Jump to:   



View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



E-Mail Header Analysis


All Content © 2003 - 419Eater.com
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT