Re: strange msg lines..
On 17 Nov Dinesh Nair wrote:
> On 11/17/05 06:56 dick hoogendijk said the following:
> > These are not normal requests to my apache server. But it seems to
> > listen to them. Am I 'in danger?'
>
> apparently, the nameservers responsible for those domains are returning
> your IP address to a DNS query. all the sites seem to share the same DNS
> provider, so you could try getting in touch with them.

No way.
foto-porno-amatoriale.com ; puttane-grandi-tette.com ; video-porno-anale.com
ALL resolve to different IP's when checked with host fotocom etc..

I don't understand why all of a sudden all kinds of computers try to contact these porno sites and do this on my IP. The dns'es seem to be OK, so this shouldn't happen then..?

And because it's a normal http request it can't be blocked? Or can I make the apache module mod_security do something like filtering for me?

Apart from the logfile to grow there is no danger as I understand, but still, any help would be appreciated.

--
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.0 +++ The Power to Serve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: strange msg lines..
On 17-nov-2005, at 15:51, dick hoogendijk wrote:
> On 17 Nov Dinesh Nair wrote:
> > apparently, the nameservers responsible for those domains are returning
> > your IP address to a DNS query. all the sites seem to share the same DNS
> > provider, so you could try getting in touch with them.
>
> No way.
> foto-porno-amatoriale.com ; puttane-grandi-tette.com ; video-porno-anale.com
> ALL resolve to different IP's when checked with host fotocom etc..
>
> I don't understand why all of a sudden all kind of computers try to
> contact these porno sites and do this on my IP. The dns'es seem to be OK,
> so this shouldn't happen then..?

It looks like referer spam.

http://en.wikipedia.org/wiki/Referer_spam

    Referer spam is a kind of search engine-targeted spam. The technique
    involves making repeated web site requests using a fake referer url
    pointing to a spam-advertised site. Sites that publicize their referer
    statistics will then also link to the spammer's site. This benefits the
    spammer because of the free link, and also gives the spammer's site
    improved search engine link placement due to link-counting algorithms
    that search engines use

What you are seeing in your logs:

    83.30.48.99 - - [16/Nov/2005:23:44:18 +0100] GET / HTTP/1.1 200 1860 http://puttane-grandi-tette.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)

Is a request for / on your server with http://puttane-grandi-tette.com being (claimed as) the referer.
strange msg lines..
Re: freebsd-questions Digest, Vol 113, Issue 12

> Message: 28
> Date: Wed, 16 Nov 2005 23:56:06 +0100
> From: dick hoogendijk [EMAIL PROTECTED]
>
> I get a lot of these rules in my log file lately. Don't know why they are
> not logged in the error.log file. And if they are harmful or not.
> ==--==
> 83.30.48.99 - - [16/Nov/2005:23:44:18 +0100] GET / HTTP/1.1 200 1860 http://puttane-grandi-tette.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
> 85.106.229.37 - - [16/Nov/2005:23:44:24 +0100] GET / HTTP/1.1 200 1860 http://hosting-siti-adulti.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
> [.. etc ..]

I've seen Dinesh's reply, and your later response, but I've seen batches of these at various times too, and think it's something other than DNS (though it did look like maybe a test of a distributed fetch, many IPs)

> These are not normal requests to my apache server. But it seems to
> listen to them. Am I 'in danger?'

No, they're not errors, they're just requests for your home page (GET /) which is presumably 1860 bytes .. the Referer (sic) in each case is one of these apparent porn sites, but could easily be forged - it's unlikely that the pages at the URLs given do in fact have any link to your site; more than likely they want you to go check out their stuff looking for one!

So there's no danger involved, unless there are enough of them to DoS your server. I tend to deal with such as these by blocking them in apache|httpd.conf so they just get a 403 access denied response, eg:

    # 1/3/5 multiple browsers, multiple IPs, all the same referrer:
    SetEnvIfNoCase Referer buy-vicodin-online\.us go_away

or in this other case, various different GETs attempting to access various porn URLs as wannabe proxy requests, all from the one IP:

    # 6/10/5 porn link referers regularly, different browsers ..
    SetEnvIf Remote_Addr 209\.172\.35\.44 go_away

In your case, the browser identification, most likely bogus, is a common factor in each, and could be blocked with such as:

    # the pattern contains spaces, so it has to be quoted
    BrowserMatch "Mozilla/4\.0 \(compatible; MSIE 6\.0b; Windows NT 5\.0; \.NET CLR 1\.0\.2914\)" go_away

or some unique part of that string. whereas others as above will cycle through different browser strings - there's usually some common thread to such bot-made requests. I only hit on them when they become annoying (but sometimes I'm easily annoyed :)

Then of course you'd need something along the lines of:

    <Directory /usr/local/www/data>
        [.. other stuff ..]
        # 18Mar02 - allow only this file to otherwise denied bots
        <Files robots.txt>
            order allow,deny
            allow from all
        </Files>
        order allow,deny
        allow from all
        deny from env=go_away
    </Directory>

Cheers, Ian
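Added example, not part of Ian's post or of the thread: a small log check that finds the "common thread" he describes by listing foreign Referer hosts claimed from several distinct client IPs, then prints SetEnvIfNoCase lines in the style shown above. The function names, the own_hosts and min_ips parameters and the sample rows are constructed for illustration, and the log is assumed to be in Apache "combined" format with its quotes intact.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"(?P<referer>[^"]*)" "[^"]*"')
HOST_OK = re.compile(r"[a-z0-9.-]+")  # log data is untrusted; keep odd hosts out of httpd.conf

UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
# Constructed sample rows: documentation-range IPs, .example referers.
ROWS = [
    ("192.0.2.10", "/", "http://spam-one.example", UA),
    ("198.51.100.7", "/", "http://spam-two.example", UA),
    ("203.0.113.5", "/", "http://spam-two.example", UA),
    ("192.0.2.99", "/", "http://spam-two.example", UA),
    ("198.51.100.20", "/", "http://spam-one.example", UA),
    ("203.0.113.77", "/", "http://spam-one.example", UA),
    ("192.0.2.50", "/favicon.ico", "-", "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"),
    ("192.0.2.60", "/about.html", "http://www.example.org/", "Mozilla/5.0"),
    ("203.0.113.200", "/", "http://blog.example/links", "Mozilla/5.0"),
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [16/Nov/2005:23:44:18 +0100] "GET {path} HTTP/1.1" 200 1860 "{ref}" "{ua}"'
    for ip, path, ref, ua in ROWS)

def referer_spam_candidates(log_text, own_hosts=("www.example.org",), min_ips=3):
    """Map each foreign referer host to the client IPs claiming it, if >= min_ips."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            host = (urlparse(m["referer"]).hostname or "").lower()
        except ValueError:  # malformed Referer such as "http://[bad"
            continue
        if host not in own_hosts and HOST_OK.fullmatch(host):
            ips[host].add(m["ip"])
    return {h: sorted(s) for h, s in ips.items() if len(s) >= min_ips}

def setenvif_rules(candidates, env="go_away"):
    """One SetEnvIfNoCase line per flagged host, dots escaped as in the post above."""
    rules = []
    for host in sorted(candidates):
        rules.append("SetEnvIfNoCase Referer %s %s" % (host.replace(".", r"\."), env))
    return rules

if __name__ == "__main__":
    print("\n".join(setenvif_rules(referer_spam_candidates(SAMPLE_LOG))))
```

The single-IP referer and the site's own pages stay below the threshold, so only the two hosts repeated across many clients produce rules; review the output before pasting it into httpd.conf.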
Re: strange msg lines..
On Fri, 18 Nov 2005 05:01:49 +1100 (EST) Ian Smith [EMAIL PROTECTED] wrote:
> Cheers, Ian

Thank you for your information. I will incorporate most of your suggestions asap. There's no danger, so I will wait till the weekend. :-)

--
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.0 ++ The Power to Serve
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
Re: strange msg lines..
On 11/17/05 22:51 dick hoogendijk said the following:
> foto-porno-amatoriale.com ; puttane-grandi-tette.com ; video-porno-anale.com
> ALL resolve to different IP's when checked with host fotocom etc..

they come from the nameserver though, so i'm thinking something must be pointing them to you. either that or there's some sort of DNS poisoning going on.

> And because it's a normal http request it can't be blocked? Or can I make
> the apache module mod_security do something like filtering for me?

you could use mod_rewrite to redirect them to either another url or bury them in a 404 of sorts.

--
Regards,              /\_/\   All dogs go to heaven.
[EMAIL PROTECTED]     (0 0)   http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo The opinions here in no way reflect the opinions of my $a $b. |
| done; done |
+=+
strange msg lines..
I get a lot of these rules in my log file lately. Don't know why they are not logged in the error.log file. And if they are harmful or not.

==--==
83.30.48.99 - - [16/Nov/2005:23:44:18 +0100] GET / HTTP/1.1 200 1860 http://puttane-grandi-tette.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
85.106.229.37 - - [16/Nov/2005:23:44:24 +0100] GET / HTTP/1.1 200 1860 http://hosting-siti-adulti.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
81.214.204.104 - - [16/Nov/2005:23:46:38 +0100] GET / HTTP/1.1 200 1860 http://hosting-siti-adulti.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
213.219.227.97 - - [16/Nov/2005:23:46:50 +0100] GET / HTTP/1.1 200 1860 http://hosting-siti-adulti.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
85.99.124.253 - - [16/Nov/2005:23:47:48 +0100] GET / HTTP/1.1 200 1860 http://foto-porno-amatoriale.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
85.102.158.174 - - [16/Nov/2005:23:48:33 +0100] GET / HTTP/1.1 200 1860 http://puttane-grandi-tette.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
61.240.180.73 - - [16/Nov/2005:23:50:11 +0100] GET / HTTP/1.1 200 1860 http://foto-porno-amatoriale.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
207.46.98.79 - - [16/Nov/2005:23:51:13 +0100] GET /favicon.ico HTTP/1.0 200 2238 - msnbot/1.0 (+http://search.msn.com/msnbot.htm)
85.102.124.254 - - [16/Nov/2005:23:51:31 +0100] GET / HTTP/1.1 200 1860 http://foto-porno-amatoriale.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
217.10.38.59 - - [16/Nov/2005:23:52:00 +0100] GET / HTTP/1.1 200 1860 http://hosting-siti-adulti.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
81.222.178.17 - - [16/Nov/2005:23:52:11 +0100] GET / HTTP/1.1 200 1860 http://foto-porno-amatoriale.com; Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)

These are not normal requests to my apache server. But it seems to listen to them. Am I 'in danger?'

--
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.0 +++ The Power to Serve
Re: strange msg lines..
On 11/17/05 06:56 dick hoogendijk said the following:
> These are not normal requests to my apache server. But it seems to
> listen to them. Am I 'in danger?'

apparently, the nameservers responsible for those domains are returning your IP address to a DNS query. all the sites seem to share the same DNS provider, so you could try getting in touch with them.

--
Regards,              /\_/\   All dogs go to heaven.
[EMAIL PROTECTED]     (0 0)   http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo The opinions here in no way reflect the opinions of my $a $b. |
| done; done |
+=+