  1. #1
    Just Joined!
    Join Date
    Feb 2009
    Posts
    1

    Some kind of attack? What's actually happening?

    By now, my server goes down once every 1-2 days. My httpd error_log has thousands of lines of this error; it doesn't happen all day, but every day, periodically, from different IP addresses. I don't understand what's actually happening. Those referrers are not my domain. Is this some kind of attack? And what should I do to prevent it?

    <snip from error_log>
    [Thu Feb 05 19:25:22 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:25:23 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:25:23 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:25:25 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:25:25 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:25:26 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:33:04 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:33:04 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:33:05 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    [Thu Feb 05 19:33:05 2009] [error] [client 85.104.90.152] script '/var/www/vhosts/default/htdocs/button.php' not found or unable to stat, referer: http://www.bomba100.com/sayac.php
    </snip>


    Here is another log, the message_log, which is always flooded with this kind of message. What's actually happening at that time?
    Why does it happen almost all the time, every day?

    <snip from message_log>
    Feb 5 19:24:30 ls1 xinetd[4323]: EXIT: smtp status=0 pid=16061 duration=4(sec)
    Feb 5 19:24:32 ls1 xinetd[4323]: START: smtp pid=16204 from=201.222.136.214
    Feb 5 19:24:32 ls1 xinetd[4323]: EXIT: smtp status=0 pid=16038 duration=8(sec)
    Feb 5 19:24:37 ls1 xinetd[4323]: EXIT: smtp status=0 pid=16204 duration=5(sec)
    Feb 5 19:24:43 ls1 xinetd[4323]: START: smtp pid=16441 from=201.2.38.185
    Feb 5 19:24:55 ls1 xinetd[4323]: EXIT: smtp status=1 pid=16441 duration=12(sec)
    Feb 5 19:25:18 ls1 xinetd[4323]: START: smtp pid=17159 from=220.181.12.15
    Feb 5 19:25:22 ls1 xinetd[4323]: EXIT: smtp status=0 pid=17159 duration=4(sec)
    Feb 5 19:25:36 ls1 xinetd[4323]: START: smtp pid=17536 from=79.101.205.226
    Feb 5 19:25:46 ls1 xinetd[4323]: START: smtp pid=17707 from=121.32.113.198
    Feb 5 19:25:48 ls1 xinetd[4323]: EXIT: smtp status=0 pid=17707 duration=2(sec)
    Feb 5 19:25:48 ls1 xinetd[4323]: START: smtp pid=17739 from=121.32.113.198
    Feb 5 19:25:49 ls1 xinetd[4323]: EXIT: smtp status=0 pid=17739 duration=1(sec)
    Feb 5 19:25:49 ls1 xinetd[4323]: START: smtp pid=17750 from=121.32.113.198
    Feb 5 19:25:50 ls1 xinetd[4323]: EXIT: smtp status=0 pid=17750 duration=1(sec)
    Feb 5 19:26:27 ls1 xinetd[4323]: START: smtp pid=18532 from=121.32.113.198
    Feb 5 19:26:28 ls1 xinetd[4323]: EXIT: smtp status=0 pid=18532 duration=1(sec)
    Feb 5 19:26:28 ls1 xinetd[4323]: START: smtp pid=18554 from=121.32.113.198
    Feb 5 19:26:29 ls1 xinetd[4323]: EXIT: smtp status=0 pid=18554 duration=1(sec)
    </snip>

    Thank you in advance for your help.

  2. #2
    Just Joined!
    Join Date
    Aug 2006
    Posts
    4
    Did you ever find help with this?

  3. #3
    Just Joined!
    Join Date
    Mar 2009
    Posts
    2
    Yeah, I have many of these in my logs too.

    This guy registered at my Aardvark Topsites website, and keeps cheating his hits with some kind of botnet attack.

    I logged many IPs:

    78.178.186.6 - - [13/Mar/2009:00:10:02 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"
    78.163.61.5 - - [13/Mar/2009:00:10:03 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
    88.243.36.50 - - [13/Mar/2009:00:10:05 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    88.229.201.232 - - [13/Mar/2009:00:10:07 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    88.228.128.130 - - [13/Mar/2009:00:10:08 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
    88.229.107.244 - - [13/Mar/2009:00:10:10 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)"
    85.98.89.8 - - [13/Mar/2009:00:10:12 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
    88.241.158.36 - - [13/Mar/2009:00:10:18 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    78.180.203.49 - - [13/Mar/2009:00:10:18 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
    88.231.47.209 - - [13/Mar/2009:00:10:18 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.1.4322)"
    78.169.205.101 - - [13/Mar/2009:00:10:20 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)"
    78.169.205.101 - - [13/Mar/2009:00:10:21 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)"
    78.180.203.49 - - [13/Mar/2009:00:10:22 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
    88.245.103.207 - - [13/Mar/2009:00:10:22 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Opera/9.61 (Windows NT 5.1; U; tr) Presto/2.1.1"
    85.101.158.117 - - [13/Mar/2009:00:10:23 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.161.73.3 - - [13/Mar/2009:00:10:25 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
    78.160.173.102 - - [13/Mar/2009:00:10:26 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    85.102.70.55 - - [13/Mar/2009:00:10:27 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    88.228.15.110 - - [13/Mar/2009:00:10:29 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15"
    85.110.52.150 - - [13/Mar/2009:00:10:32 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)"
    88.244.95.144 - - [13/Mar/2009:00:10:36 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30618; .NET CLR 3.5.30729)"
    88.246.153.99 - - [13/Mar/2009:00:10:36 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    88.254.153.152 - - [13/Mar/2009:00:10:39 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5)"
    88.228.15.110 - - [13/Mar/2009:00:10:41 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15"
    88.243.36.50 - - [13/Mar/2009:00:10:41 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    As you can see, I already give this guy a nice 404 response, but it doesn't stop, so I'm gonna ban all the IPs in the logs with my firewall.

    Maybe a nice custom PHP script at button.php to keep banning new IPs that use this HTTP referrer.

  4. #4
    Just Joined!
    Join Date
    Mar 2009
    Posts
    2
    I added some extra lines of code inside button.php:

    Code:
    // banned mod for spam-botnets: refuse counter hits for listed usernames
    $aBannedNames = array("slayttvideo");
    if (isset($_GET['u']) && in_array($_GET['u'], $aBannedNames, true)) {
        // hits sent from the foreign counter page carry its URL as referrer;
        // empty() also covers the case where the header is not set at all
        if (!empty($_SERVER['HTTP_REFERER'])) {
            header("Location: http://w2.hidemyass.com/index.php?q=" . base64_encode($_SERVER['HTTP_REFERER']) . base64_encode("/D**-LITTLE-B****-I-FEEL-SORRY-FOR-YOUR-M*****") . "&hl=0");
        } else {
            // direct hits without a referrer just get a 404
            header("HTTP/1.0 404 Not Found");
        }
        exit; // header() returns nothing, so stop here instead of die(header(...))
    }
    (I adjusted the bad language a little bit for this post.)

    Anyway, since this guy gets a 302 redirect now, I hope he learns that stealing bandwidth is not nice.

    I still need to find out how I can ban the REMOTE_ADDR with APF.
    I'm thinking about writing the IP to a .txt with PHP, then with a cronjob exec the APF ban commands for all those IPs in the file.
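A defender-side script for the procedure sketched in #3 and #4 (pick the offending client IPs out of the access log, then hand them to the firewall), added here as an example and not code from the thread. It assumes Apache's combined log format, constructed sample lines modelled on the ones above, and APF's `apf -d HOST COMMENT` deny syntax; the hit threshold is there so a single real visitor who followed a link from the counter page is not banned:

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" log format, the layout of the lines posted in #3.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic), modelled on the thread's pattern.
SAMPLE_LOG = """\
78.178.186.6 - - [13/Mar/2009:00:10:02 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0)"
78.178.186.6 - - [13/Mar/2009:00:10:04 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0)"
78.178.186.6 - - [13/Mar/2009:00:10:06 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0)"
88.243.36.50 - - [13/Mar/2009:00:10:05 +0100] "GET /button.php?u=slayttvideo HTTP/1.1" 404 604 "http://www.bomba100.com/sayac.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [13/Mar/2009:00:10:09 +0100] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Mar/2009:00:10:11 +0100] "GET /button.php?u=legit HTTP/1.1" 200 321 "http://example.org/" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hotlink_hit(rec, path_prefix="/button.php", referer_host="www.bomba100.com"):
    """The thread's signature: a 404 on button.php sent from the foreign counter page."""
    if rec is None or rec["status"] != "404":
        return False
    if not rec["path"].startswith(path_prefix):
        return False
    return urlparse(rec["referer"]).hostname == referer_host

def offenders(log_text, threshold=1):
    """Count matching hits per client IP; keep IPs at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_hotlink_hit(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def apf_deny_commands(ips, comment="hotlink-botnet"):
    """One deny command per IP, for the cronjob from #4.
    Assumption: the deny syntax is 'apf -d HOST COMMENT'; check your APF version."""
    return ["apf -d %s %s" % (ip, comment) for ip in sorted(ips)]
```

Run `offenders()` over the real access log on a cron schedule and pipe the result through `apf_deny_commands()`; raising `threshold` trades a slower ban for fewer false positives.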
