On Sunday 06 June 2004 08.16, Ian Smith wrote:
> On Sat, 5 Jun 2004 [EMAIL PROTECTED] wrote:
> > I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x ,
> > and would like to send a message to Win-box ( on the same network, but
> > not my machine ) that's filling up my httpd-access.log with junk.
> Yes, these log-bombs are a pain, making it difficult (and slow) to scan
> webserver logs with, say, less .. I had to write a script run hourly to
> clean these out of our main apache and several vhost logs.
> How can you be sure that they're coming from a Windows box, though?
> > The only thing I know is his IP-adress.
> > Is this possible ? If it is, how.
> > Or do I have to block his IP ?
> Not much use if it changes, as you say yourself later .. best just send
> a few of these log entries, with your later list of times received, to
> your/his ISP asking for some action to hassle the (l)user concerned.
> > The junk I receive in my log looks like this :
> > -----------------
> > httpd-error.log :
> > <snip> [Sat Jun 05 14:13:43 2004] [error] [client 22.214.171.124]
> > request failed: URI too long (longer than 8190)
> Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder,
> though I don't know which webserver/s are targetted. Some days we get
> between 10-20 per day from a range of IPs in the north-east Asia region,
> where it's almost never any use trying to contact the ISPs concerned.
> > -----------------
> > httpd-access.log :
> > <snip>
> > 126.96.36.199 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\
> > </snip>
> > and the last line ending with :
> > \x90\x90\x90\x90" 414 391 "-" "-"
> > ----------------
> Them's the ones. You're in a much better position than we are to stop
> these, being (at least apparently) from IPs of your own ISP.
> I'm unsure whether these are real attack attempts by some worm, or are
> just designed as log bombs. Either way, they got me scriptin' .. email
> me (anyone) if you could use my apache.logclean sh script. It's a bit
> heavy-duty (having to stop apache briefly to clean logs) but has made
> maintenance easier here, and kept log sizes down by up to 150K per day.
> Cheers, Ian
Well, cause he was such a pain in the .. , I took the liberty to let nmap scan
his IP-address and it reported the OS as Windows
I've started to receive more logentries from other IP-addresses in the same
range now, so it looks like it's escalating.
It's now reported to the ISP. Then we will see :-)
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"