On Sunday 06 June 2004 08.16, Ian Smith wrote:
> On Sat, 5 Jun 2004 [EMAIL PROTECTED] wrote:
>  > I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x ,
>  > and would like to send a message to Win-box ( on the same network, but
>  > not my machine ) that's filling up my  httpd-access.log with junk.
>
> Yes, these log-bombs are a pain, making it difficult (and slow) to scan
> webserver logs with, say, less .. I had to write a script run hourly to
> clean these out of our main apache and several vhost logs.
>
> How can you be sure that they're coming from a Windows box, though?
>
>  > The only thing I know is his IP-address.
>  > Is this possible ? If it is, how.
>  > Or do I have to block his IP ?
>
> Not much use if it changes, as you say yourself later .. best just send
> a few of these log entries, with your later list of times received, to
> your/his ISP asking for some action to hassle the (l)user concerned.
>
>  > The junk I receive in my log looks like this :
>  > -----------------
>  > httpd-error.log :
>  > <snip> [Sat Jun 05 14:13:43 2004] [error] [client 217.209.211.183]
>  > request failed: URI too long (longer than 8190)
>
> Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder,
> though I don't know which webserver/s are targeted. Some days we get
> between 10-20 per day from a range of IPs in the north-east Asia region,
> where it's almost never any use trying to contact the ISPs concerned.
>
>  > -----------------
>  > httpd-access.log :
>  > <snip>
>  > 217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\
>  > </snip>
>  > and the last line ending with :
>  > \x90\x90\x90\x90" 414 391 "-" "-"
>  > ----------------
>
> Them's the ones.  You're in a much better position than we are to stop
> these, being (at least apparently) from IPs of your own ISP.
>
> I'm unsure whether these are real attack attempts by some worm, or are
> just designed as log bombs.  Either way, they got me scriptin' .. email
> me (anyone) if you could use my apache.logclean sh script.  It's a bit
> heavy-duty (having to stop apache briefly to clean logs) but has made
> maintenance easier here, and kept log sizes down by up to 150K per day.
>
> Cheers, Ian
Well, 'cause he was such a pain in the .. , I took the liberty to let nmap scan
his IP-address and it reported the OS as Windows.

I've started to receive more log entries from other IP-addresses in the same
range now, so it looks like it's escalating.

It's now reported to the ISP. Then we will see :-)

/ Hasse.
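A log-cleaning pass of the kind Ian describes, written here as an added example (it is not Ian's apache.logclean script, which is not on the page): it parses Apache combined-format lines, flags the SEARCH / 414 / \x90 junk quoted above, and collects per-IP timestamps of the sort the thread suggests forwarding to the ISP. The sample lines are constructed, the junk URI is shortened from the ~8300 bytes seen in practice, and the \x90 count threshold is an assumption.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the quoted httpd-access.log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample; the junk URI is shortened from the real ~8300 bytes.
SAMPLE_LOG = [
    r'217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    r'217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\x90\x90\x90\x90" 414 391 "-" "-"',
    r'217.209.211.190 - - [05/Jun/2004:14:13:43 +0200] "SEARCH /\x90\x02\xb1\x90\x90\x90\x90" 414 391 "-" "-"',
    r'10.0.0.5 - - [05/Jun/2004:14:15:00 +0200] "GET /search?q=\x90 HTTP/1.0" 200 812 "-" "curl/7.10"',
]

def parse(line):
    """Split one access-log line into ip, time, method, uri, status, size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    method, _, uri = rec.pop("request").partition(" ")
    rec["method"], rec["uri"] = method, uri
    rec["status"] = int(rec["status"])
    return rec

def is_log_bomb(rec):
    # Matches the junk in the thread: a SEARCH request whose URI is a run
    # of NOP bytes (Apache escapes them as the text '\x90'), rejected with
    # 414 Request-URI Too Long. The count threshold of 4 is an assumption.
    return (rec["method"] == "SEARCH"
            and rec["status"] == 414
            and rec["uri"].count(r"\x90") >= 4)

def split_log(lines):
    """Return (clean_lines, offenders): the lines worth keeping, and a map
    of offending IP -> list of request timestamps to send to the ISP."""
    clean, offenders = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and is_log_bomb(rec):
            offenders[rec["ip"]].append(rec["time"])
        else:
            clean.append(line)
    return clean, dict(offenders)

if __name__ == "__main__":
    kept, bad = split_log(SAMPLE_LOG)
    print(f"{len(kept)} lines kept; {sum(map(len, bad.values()))} junk lines from {len(bad)} IPs")
    for ip, times in sorted(bad.items()):
        print(ip, times)
```

Unlike stopping Apache to rewrite the live log, the same functions can be run against a rotated copy, so the cleaned file and the evidence list are produced without touching the file httpd is writing to.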
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"