Volkswagen Passat Forum

1 - 7 of 7 Posts

Registered · 4,100 Posts · Discussion Starter #1
A review of my webserver logs last week revealed that I am getting barraged with erroneous requests from a machine based in China. Repeated attempts to contact the upstream have yielded zip. I am going to have the IP blocked at the firewall, but I just want to know, what IS this? Does this look familiar to any of you? My guess is somebody mistakenly put my IP address or domain as a service provider of some sort...

61.145.211.194 - - [27/Mar/2004:05:59:48 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275
61.145.211.194 - - [27/Mar/2004:05:59:49 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275
61.145.211.194 - - [27/Mar/2004:05:59:49 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275
61.145.211.194 - - [27/Mar/2004:05:59:50 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275
61.145.211.194 - - [27/Mar/2004:05:59:51 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275
WTF?
 

Registered · 4,095 Posts
it looks like they're trying to hack your local ip stack!

they assume (or try) that you run nt5 (ie, win2k or xp).

I block ALL of Asia to my email server and if I keep seeing shit like this in my logs, I'll block those Asia IP netblocks too.

I get lots of attacks on my webserver. but I run apache2 and freebsd - so there's pretty much a zero chance they'll get in and do any damage. there's not a single .EXE or .DLL on my system (heh).

run a windows webserver? I feel sorry for ya...
 

Registered · 4,095 Posts
Code:
$ traceroute  61.145.211.194
traceroute to 61.145.211.194 (61.145.211.194), 64 hops max, 44 byte packets
 1 ...
 2 ...
 3  bb1-g1-3-0.snfc21.pbi.net (209.232.130.28)  6.471 ms bb1-g1-1-0.snfc21.pbi.net (64.161.124.225)  6.614 ms bb1-g8-1.snfc21.pbi.net (216.102.176.193)  6.197 ms
 4  bb2-p4-0.snfcca.sbcglobal.net (151.164.190.190)  8.430 ms  208.275 ms  215.161 ms
 5  ex1-p12-0.pxpaca.sbcglobal.net (151.164.191.74)  8.111 ms  7.963 ms  7.867 ms
 6  ex2-p11-0.pxpaca.sbcglobal.net (151.164.191.82)  8.120 ms  8.098 ms  7.557 ms
 7  asn4134-chinatelecom.pxpaca.sbcglobal.net (151.164.89.126)  7.970 ms  8.036 ms  7.701 ms
 8  p-1-2-R3-I-GDGZ-1.cn.net (202.97.51.173)  177.477 ms  167.584 ms  175.333 ms
 9  p-15-0-r2-c-gdgz-1.cn.net (202.97.33.149)  159.347 ms  177.490 ms  306.990 ms
yup. .cn is China alright.
 

Registered · 4,095 Posts
I also see LOTS of hits like this, on my server:

/web/grateful.net/cgi-bin/formmail.pl
/web/grateful.net/cgi-bin/formmail.cgi
/web/grateful.net/cgi-bin/FormMail.pl
/web/grateful.net/cgi-bin/FormMail.cgi

you can see they're PROBING.

folks, don't EVER run a script called 'formmail' on your box. it's almost the same as an open relay.
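Added example, not part of the thread or anyone's post: a small Python log-triage script that covers both the first post (five identical 404s from one host in three seconds) and this one (scanners probing for FormMail under several spellings). It parses Apache common-log lines, flags hosts that keep hammering the same missing path, and flags requests for known probe paths case-insensitively. The five log lines are the ones quoted in the first post; the probe lines and the normal request, the addresses 198.51.100.23 and 192.0.2.5, and the min_hits / window thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache "common" log format, as in the lines quoted in the thread:
#   host ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths scanners probe for known-vulnerable CGI mailers (the FormMail family
# discussed in the thread). Matched case-insensitively: they try both spellings.
PROBE_PATTERNS = [
    re.compile(r'/formmail(\.pl|\.cgi)?$', re.IGNORECASE),
]

# Sample input. First five lines are the ones quoted in the first post; the
# rest are constructed (documentation-range addresses, assumed timestamps).
SAMPLE_LOG = [
    '61.145.211.194 - - [27/Mar/2004:05:59:48 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275',
    '61.145.211.194 - - [27/Mar/2004:05:59:49 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275',
    '61.145.211.194 - - [27/Mar/2004:05:59:49 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275',
    '61.145.211.194 - - [27/Mar/2004:05:59:50 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275',
    '61.145.211.194 - - [27/Mar/2004:05:59:51 -0800] "GET /tcpip/p.0?ui=3782850928&o=NT-5.0%20Bld-2195%20SP-0.0 HTTP/1.0" 404 275',
    '198.51.100.23 - - [27/Mar/2004:06:02:10 -0800] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 275',
    '198.51.100.23 - - [27/Mar/2004:06:02:11 -0800] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 275',
    '192.0.2.5 - - [27/Mar/2004:06:05:00 -0800] "GET /index.html HTTP/1.1" 200 1043',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    # Split the query string off so repeated hits are grouped by resource,
    # not by the per-request parameters the client tacks on.
    rec['resource'], _, rec['query'] = rec['path'].partition('?')
    return rec


def repeated_404s(records: List[dict], min_hits: int = 3,
                  window_seconds: int = 60) -> Dict[Tuple[str, str], int]:
    """Return (ip, resource) -> total 404 count for pairs that produced at
    least min_hits 404s within window_seconds of each other.

    A legitimate client that gets a 404 stops asking; a misconfigured agent
    or a scanner keeps hitting the same missing path, which is exactly the
    pattern in the first post. Thresholds are assumptions; tune to your site.
    """
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r['status'] == 404:
            by_key[(r['ip'], r['resource'])].append(r['ts'])
    flagged: Dict[Tuple[str, str], int] = {}
    for key, times in by_key.items():
        times.sort()
        # Sliding window: any run of min_hits hits inside the window counts.
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[key] = len(times)
                break
    return flagged


def probe_requests(records: List[dict]) -> List[Tuple[str, str]]:
    """Return (ip, resource) for requests matching a known probe path,
    regardless of status: a 200 here would mean the script is really
    installed and reachable, which is the worse outcome."""
    return [(r['ip'], r['resource']) for r in records
            if any(p.search(r['resource']) for p in PROBE_PATTERNS)]


def analyze(lines: List[str]) -> dict:
    """Parse the lines and run both detections; unparseable lines are skipped."""
    records = [rec for rec in (parse_line(l) for l in lines) if rec]
    return {
        'parsed': len(records),
        'repeated_404s': repeated_404s(records),
        'probes': probe_requests(records),
    }


if __name__ == '__main__':
    summary = analyze(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} lines")
    for (ip, res), n in summary['repeated_404s'].items():
        print(f"repeated 404s: {ip} -> {res} ({n} hits)")
    for ip, res in summary['probes']:
        print(f"probe: {ip} -> {res}")
```

Run it against a real access log with `analyze(open('access_log').read().splitlines())`. Hosts in the repeated-404 result are candidates for a firewall block; anything in the probe result that comes back 200 rather than 404 means the script being probed for is actually present and should be removed before worrying about the scanner.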
 

Registered · 4,100 Posts · Discussion Starter #5
No, I was running Mandrake, but am now running SuSE 9.0 since my little "phishing expedition" last week.

I have been using apache, but I may switch everything over to Tomcat, since a lot of the stuff I do is java-based. I think I am going to block all .cn based traffic, since I don't do any business over there.
 

Registered · 4,095 Posts
I can give you a list of netblocks that the NANAE folks think are rogue. I have a list of them on my /etc/bozos file ;) mail me if you want that listing.
 