Hey Mark,
>Looking through analyses of web server log files I've occasionally
>seen pages get reloaded continually by a browser for no apparent
>reason. If the URL was exactly the same I would have put it down to
>some obscure browser bug rather than anything suspicious/malicious,
>but as the domain keeps changing it does look like some kind of
>script. I suggest blocking the IP if it continues and is unwelcome
>traffic.
As a matter of interest, I found 505653 of these requests, the first
having a timestamp of 21/May/2001:20:28:07 -0700. I also noticed that
individual hosts were making requests from the same (unchanging) consecutive
ports (i.e. :6000 :6001 :6002 would hit /cgi-bin/reg_system.cgi at random
intervals). It seems to be an efficient way of making up lost time from the
random delay.
In the end I added a quick check to see if the User-Agent header was set
to "Mozilla Compatible (MS IE 3.01 WinNT)" (my primary identifier
being the space in "MS IE").
Matthew
--
Matthew Asham, VE7UDP
Left Coast Systems Corp, SuperWebhost.com
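The checks discussed in this thread, as an added example (not code from the original posts or from the OpenSRS scripts): a scan of Apache combined-format log lines that counts, per client IP, requests to /cgi-bin/reg_system.cgi carrying a User-Agent with the tell-tale space in "MS IE", and a parser for a raw HTTP request that pulls out the other indicators mentioned (HTTP/1.0 with a Host header, the action=lookup body). The log lines and the raw request are constructed for the example; the IP 24.27.115.199, the path and the User-Agent string are the ones from the thread, the other hosts, the Host value and the threshold are made up.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not taken from the original
# posts): one host hitting reg_system.cgi with the bogus User-Agent, plus
# two ordinary visitors for contrast. Only the first IP, the path and the
# User-Agent string come from the thread.
SAMPLE_LOG = """\
24.27.115.199 - - [04/Sep/2001:01:12:07 -0700] "POST /cgi-bin/reg_system.cgi HTTP/1.0" 200 1532 "-" "Mozilla Compatible (MS IE 3.01 WinNT)"
24.27.115.199 - - [04/Sep/2001:01:12:11 -0700] "POST /cgi-bin/reg_system.cgi HTTP/1.0" 200 1532 "-" "Mozilla Compatible (MS IE 3.01 WinNT)"
10.0.0.5 - - [04/Sep/2001:01:12:30 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
24.27.115.199 - - [04/Sep/2001:01:13:02 -0700] "POST /cgi-bin/reg_system.cgi HTTP/1.0" 200 1532 "-" "Mozilla Compatible (MS IE 3.01 WinNT)"
192.0.2.7 - - [04/Sep/2001:01:13:09 -0700] "POST /cgi-bin/reg_system.cgi HTTP/1.1" 200 1532 "http://www.example.org/lookup.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/cgi-bin/reg_system.cgi"


def is_bogus_ua(ua):
    """Real Internet Explorer identifies itself as "MSIE"; the lookup script's
    string has a space in "MS IE", which is the identifier the thread settled on."""
    return "MS IE" in ua


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_suspect_hits(log_text):
    """Count, per client IP, requests that hit the target path with the bogus UA."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH and is_bogus_ua(rec["ua"]):
            counts[rec["ip"]] += 1
    return counts


def offenders(log_text, threshold):
    """IPs whose suspect-hit count reaches the (assumed) threshold; candidates for blocking."""
    return sorted(ip for ip, n in count_suspect_hits(log_text).items() if n >= threshold)


# Constructed raw HTTP request shaped like the one described in the thread:
# an HTTP/1.0 POST that nevertheless carries a Host header (value made up).
SAMPLE_REQUEST = (
    "POST /cgi-bin/reg_system.cgi HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla Compatible (MS IE 3.01 WinNT)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 49\r\n"
    "\r\n"
    "action=lookup&domain=somedomain.foo&affiliate_id="
)


def request_indicators(raw):
    """Pull the indicators discussed in the thread out of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, proto = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "target_path": path == TARGET_PATH,
        # A Host header on an HTTP/1.0 request is not itself suspicious (the
        # thread notes it is common), but it is one more fingerprint of this client.
        "http10_with_host": proto == "HTTP/1.0" and "host" in headers,
        "bogus_ua": is_bogus_ua(headers.get("user-agent", "")),
        "lookup_action": body.startswith("action=lookup&"),
    }


if __name__ == "__main__":
    print(count_suspect_hits(SAMPLE_LOG))
    print(offenders(SAMPLE_LOG, threshold=3))
    print(request_indicators(SAMPLE_REQUEST))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the threshold is a judgement call, since the thread's point is that the script stayed under the radar by pacing itself, so a low threshold over a long window catches it where a rate limit would not. The same User-Agent test can be pushed into Apache itself without touching the CGI, with `SetEnvIf User-Agent "MS IE" badbot` followed by `Deny from env=badbot` in the relevant `<Location>` or `<Files>` block.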
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Sheppard
Sent: Friday, September 14, 2001 8:10 AM
To: [EMAIL PROTECTED]
Subject: Re: bulk domain checking script whacking reg_system.cgi
Hi,
Referrer checking doesn't achieve much in the way of preventing abuse,
if someone wants to automate something they will. Before I started
using OpenSRS I used CSL GmbH (joker.com) and wrote scripts to talk to
their website for registering and updating domains. I added
"Referrer:" headers into those scripts as a matter of course without
bothering to check if they were needed. I've seen people recommend
using referrer checking to prevent formmail.cgi spamming, but that
would only hold someone up for a couple of minutes until they found
the calling page. Not very effective.
With regards to the Host: header in HTTP/1.0 requests - they're very
common. So common in fact that I had assumed it was part of the 1.0
spec until you said otherwise. After looking at w3.org I found this
from a presentation about HTTP/1.1 which shows that it was a case of
the standard following practice:
http://www.w3.org/Talks/9608HTTP/sld012.htm
Looking through analyses of web server log files I've occasionally
seen pages get reloaded continually by a browser for no apparent
reason. If the URL was exactly the same I would have put it down to
some obscure browser bug rather than anything suspicious/malicious,
but as the domain keeps changing it does look like some kind of
script. I suggest blocking the IP if it continues and is unwelcome
traffic.
Mark.
On Fri, Sep 14, 2001 at 09:05:36AM +0930, Allen Bolderoff wrote:
>
> IMHO, why not use the web server for this? Most intelligent web servers
> handle this for you, and if needed get Caudium http://www.caudium.net . I
> know you can use it to do referrer-based denying.
>
> No need to re-invent the wheel and bloat the scripts...
>
>
>
> > The scripts do not do any HTTP_REFERRER checking, but that could easily
> > be built in to any version of the scripts
> >
> > Charles Daminato
> > TUCOWS Product Manager
> > [EMAIL PROTECTED]
> >
> > On Thu, 13 Sep 2001, Matthew Asham wrote:
> >
> > > Since September 4th we've had 16987 identical requests from
> > > 24.27.115.199 to our reg_system.cgi.
> > >
> > > The request is an HTTP/1.0 POST request with
> > > action=lookup&domain=somedomain.foo&affiliate_id=
> > >
> > > The User-Agent is reported as Mozilla Compatible (MS IE 3.01 WinNT) and
> > > it sends a Host header even though it's doing an HTTP/1.0 request.
> > >
> > > A quick grep through a few minutes worth of snort caps show lookups
> > > for many domain names : mmb.net, tdt.net, mof.com, aol.org, ugm.com,
> > > byq.org, kof.org, y2k.net, 3fs.com, zvv.com, v2t.com, etc.).
> > >
> > > The script is not hammering us at all (no doubt how they avoided
> > > attention this long); requests are coming in at intervals of 4 seconds
> > > up to over a minute.
> > >
> > > I've already contacted RR about this, but I figured I'd mention it
> > > just in case others are experiencing the same.
> > >
> > > Do the 2.4 scripts do HTTP_REFERER checking? If not, then I would
> > > really like to see this get added in some build.
> > >
> > > Thanks and good night
> > >
> > > Matthew
> > >
> > > --
> > > Matthew Asham, VE7UDP
> > > Left Coast Systems Corp, SuperWebhost.com
> > >
> > >
> > >
> >