[svlug] someone is hammering my webserver

Larry Colen lrc at red4est.com
Mon Jan 28 10:23:14 PST 2008


I ran into a problem today when /var was out of space. I've been
getting hammered by someone at 83.156.199.176 trying to find every
file on my webserver, even trying things that aren't there. They're
currently up to half a million hits:

red4est:/var/log/apache# grep 83.156.199.176 access.log* | wc
 521667 11475308 102207788

They seem to be running some sort of dictionary attack on my
webserver, then tracking down anything they find, even going so far as
to append dates to some of the strings:

access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030813/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030814/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030815/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030816/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"

Is this some common attack? Or am I just lucky?

Did my STFU message piss someone off?



-- 
         An intermediate dancer is someone who knows just enough 
               to not know what they don't know.
Larry Colen             lrc at red4est.com            http://www.red4est.com/lrc
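
An added example, not part of the original post: a small log triage script that measures the pattern described above (one client, a very high share of 404s, spread over many distinct paths) from Apache access-log lines in the format quoted in the message. The thresholds, the function names, the shortened user-agent string and the 192.0.2.10 client are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined-format line, with the optional "access.log:" prefix that grep
# adds when it searches several files at once (as in the post).
LINE_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')

def summarize(lines):
    """Per-client totals: hits, 404s, distinct paths, hits per second."""
    stats = defaultdict(lambda: {"hits": 0, "not_found": 0,
                                 "paths": set(), "per_sec": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["ip"]]
        s["hits"] += 1
        s["not_found"] += m["status"] == "404"
        s["paths"].add(m["path"])
        s["per_sec"][m["ts"]] += 1  # log timestamps have 1 s resolution
    return stats

def flag_scanners(lines, min_hits=1000, min_404_ratio=0.9):
    """Return (ip, hits, 404 ratio, peak hits/second) for clients whose
    requests are mostly misses spread over many different paths.
    Thresholds are illustrative assumptions; tune them per site."""
    flagged = []
    for ip, s in summarize(lines).items():
        ratio = s["not_found"] / s["hits"]
        if (s["hits"] >= min_hits and ratio >= min_404_ratio
                and len(s["paths"]) >= 0.5 * s["hits"]):  # not one dead link
            flagged.append((ip, s["hits"], round(ratio, 2),
                            max(s["per_sec"].values())))
    return sorted(flagged, key=lambda row: -row[1])

# Sample input: the first four lines follow the post (user agent
# shortened); the 192.0.2.10 lines are constructed for contrast.
UA = '"-" "Mozilla/5.0 (shortened)" "-"'
SAMPLE = [
    'access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] '
    f'"GET /lrc/pix/larry03081{d}/ HTTP/1.1" 404 298 {UA}'
    for d in "3456"
] + [
    f'access.log:192.0.2.10 - - [28/Jan/2008:09:52:0{i} -0800] '
    f'"GET {path} HTTP/1.1" {status} 512 {UA}'
    for i, (path, status) in enumerate(
        [("/", 200), ("/lrc/", 200), ("/favicon.ico", 404), ("/lrc/pix/", 200)])
]
```

On a real server, pass an open log file to `flag_scanners`; the sample is only four hits per client, so it needs `min_hits=4` to trigger.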
