[svlug] someone is hammering my webserver
Larry Colen
lrc at red4est.com
Mon Jan 28 10:23:14 PST 2008
I ran into a problem today when /var was out of space. I've been
getting hammered by someone at 83.156.199.176 trying to find every
file on my webserver, even trying things that aren't there. They're
currently up to half a million hits:
red4est:/var/log/apache# grep 83.156.199.176 access.log* | wc
521667 11475308 102207788
They seem to be running some sort of dictionary attack on my
webserver, then tracking down anything they find, even going so far as
to append dates to some of the strings:
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030813/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030814/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030815/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET /lrc/pix/larry030816/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7" "-"
Is this some common attack? Or am I just lucky?
Did my STFU message piss someone off?
--
An intermediate dancer is someone who knows just enough
to not know what they don't know.
Larry Colen lrc at red4est.com http://www.red4est.com/lrc
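Added example, not part of the original post: the `grep | wc` above counts one known address, while this sketch ranks every client in an Apache access log by hits and flags those whose requests are mostly 404s, which is the pattern described in the message. The function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients whose traffic is mostly 404s (path guessing).
# Usage: scan_suspects MIN_HITS MIN_404_PERCENT < access.log
# Output: "client hits 404s percent", busiest client first.
scan_suspects() {
    awk -v min_hits="$1" -v min_pct="$2" '
    {
        client = $1
        # "grep PATTERN access.log*" prefixes each line with "file:"; drop it.
        # Assumes log file names contain "log" (IPv6 clients are left intact).
        sub(/^[^:]*log[^:]*:/, "", client)
        # The status is the 3-digit field right after the quoted request line.
        if (!match($0, /" [0-9][0-9][0-9] /)) next   # skip malformed lines
        status = substr($0, RSTART + 2, 3)
        hits[client]++
        if (status == "404") miss[client]++
    }
    END {
        for (c in hits) {
            pct = 100 * miss[c] / hits[c]
            if (hits[c] >= min_hits && pct >= min_pct)
                printf "%s %d %d %.0f\n", c, hits[c], miss[c], pct
        }
    }' | sort -k2,2nr
}

# Constructed sample input (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
access.log:192.0.2.10 - - [28/Jan/2008:09:52:08 -0800] "GET /pix/a030813/ HTTP/1.1" 404 298 "-" "UA" "-"
access.log:192.0.2.10 - - [28/Jan/2008:09:52:08 -0800] "GET /pix/a030814/ HTTP/1.1" 404 298 "-" "UA" "-"
access.log:192.0.2.10 - - [28/Jan/2008:09:52:09 -0800] "GET /pix/a030815/ HTTP/1.1" 404 298 "-" "UA" "-"
access.log:192.0.2.10 - - [28/Jan/2008:09:52:09 -0800] "GET /pix/ HTTP/1.1" 200 1043 "-" "UA" "-"
access.log:192.0.2.10 - - [28/Jan/2008:09:52:10 -0800] "GET /pix/a030816/ HTTP/1.1" 404 298 "-" "UA" "-"
access.log:198.51.100.7 - - [28/Jan/2008:09:53:01 -0800] "GET / HTTP/1.1" 200 5120 "-" "UA" "-"
access.log:198.51.100.7 - - [28/Jan/2008:09:53:02 -0800] "GET /style.css HTTP/1.1" 200 812 "-" "UA" "-"
access.log:198.51.100.7 - - [28/Jan/2008:09:53:02 -0800] "GET /logo.png HTTP/1.1" 200 2210 "-" "UA" "-"
access.log:203.0.113.5 - - [28/Jan/2008:09:54:00 -0800] "GET /favicon.ico HTTP/1.1" 404 298 "-" "UA" "-"
EOF
}

# Demo: clients with at least 4 hits of which at least 75% were 404s.
sample_log | scan_suspects 4 75
```

On a real server the input would be the log itself, for example `cat /var/log/apache/access.log* | scan_suspects 1000 90`, with thresholds tuned to the site's normal traffic.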