[svlug] someone is hammering my webserver

Jeff Shippen spiffycomputers at gmail.com
Mon Jan 28 10:28:20 PST 2008


looks like it is all from the same IP, which you can block, or even better,
redirect their request to 127.0.0.1.

I haven't seen anything like this in my logs (yet)

On Jan 28, 2008 10:23 AM, Larry Colen <lrc at red4est.com> wrote:

> I ran into a problem today when /var was out of space. I've been
> getting hammered by someone at 83.156.199.176 trying to find every
> file on my webserver, even trying things that aren't there. They're
> currently up to half a million hits:
>
> red4est:/var/log/apache# grep 83.156.199.176 access.log* | wc
>  521667 11475308 102207788
>
> They seem to be running some sort of dictionary attack on my
> webserver, then tracking down anything they find, even going so far as
> to append dates to some of the strings:
>
> access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET
> /lrc/pix/larry030813/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
> access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET
> /lrc/pix/larry030814/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
> access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET
> /lrc/pix/larry030815/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
> access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET
> /lrc/pix/larry030816/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
>
> Is this some common attack? Or am I just lucky?
>
> Did my STFU message piss someone off?
>
>
>
> --
>         An intermediate dancer is someone who knows just enough
>               to not know what they don't know.
> Larry Colen             lrc at red4est.com
> http://www.red4est.com/lrc
>
>
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/lists/listinfo/svlug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.svlug.org/archives/svlug/attachments/20080128/82b367d7/attachment.htm


More information about the svlug mailing list