[CLUE-Tech] Hacking?

Adam Bultman adamb at glaven.org
Sat Jun 8 05:48:38 MDT 2002


Okay. I think I'm getting hacked, or DDOSed.

Here's my symptoms:

1. Lots of requests to my server.  I, on my ISDN, can barely keep up with
a tcpdump, watching hosts hitting me.  I just about peg my bandwidth on my
colo if I leave httpd up.  www.glaven.org/images/hack2.jpg shows my usage.
You can see, it's higher than normal when the attacks started.


2. If I turn on http, this is what I get:

24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264


Doing this via telnet, I get a "Method not implemented" error code from
apache. (of course, I recently upgraded from 1.3.9 to 1.3.24).

3.  It appears to be happening to both my DNS servers, nothing else.  I
neglected to mention this earlier. These are my DNS servers.  They run
httpd because I need the big brother status pages.  I *was* running BIND
8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
is.

4. It's happening from a select few hosts, but the hosts change from one
time to another.  I don't know what it is.


I'm now up to snuff on the whole apache and bind thing, and I already had
the SSH stuff done, and big brother is my only Achilles heel.


Anyway, check all your access logs, and usage, and let me know if you have
any idea what's going on with me.

Adam


-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]
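
Added example, not part of the original post: the two log lines quoted above carry a full http:// URL for another site in the request line instead of a local path, so one way to follow the "check all your access logs" advice is to tally such requests per client. The function names, the sample log and the local host name www.example.com are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Constructed sample log (documentation addresses and example host names).
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://cams.example.net/users2/a/webcam;$sessionid$X/pic/image.jpg?%ts HTTP/1.0" 404 0',
    '192.0.2.10 - - [08/Jun/2002:07:46:47 -0400] "GET http://cams.example.net/users2/b/webcam;$sessionid$X/pic/image.jpg?%ts HTTP/1.0" 404 264',
    '192.0.2.77 - - [08/Jun/2002:07:46:49 -0400] "GET http://other.example.org/ HTTP/1.0" 200 1532',
    '198.51.100.5 - - [08/Jun/2002:07:46:50 -0400] "GET /bb/index.html HTTP/1.0" 200 4096',
    '198.51.100.5 - - [08/Jun/2002:07:46:51 -0400] "GET http://www.example.com/bb/ HTTP/1.0" 200 4096',
    'not a log line',
]

def foreign_proxy_requests(lines, local_hosts):
    """Return (client, method, host, status) for every request whose target is
    an absolute http(s) URL naming a host this server does not serve."""
    local = {h.lower() for h in local_hosts}
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                      # skip lines that are not CLF
        client, _when, request, status, _size = m.groups()
        parts = request.split()
        if len(parts) != 3:
            continue                      # malformed request line
        method, target, _proto = parts
        try:
            url = urlsplit(target)
        except ValueError:
            continue                      # unparseable target
        if url.scheme.lower() not in ("http", "https") or not url.hostname:
            continue                      # ordinary request such as "GET /index.html"
        if url.hostname.lower() in local:
            continue                      # absolute URL, but for our own site
        hits.append((client, method.upper(), url.hostname.lower(), int(status)))
    return hits

def summarize(hits):
    """Count hits per client and list those answered with a 2xx/3xx status.
    A non-error status does not prove the request was relayed; it marks the
    entries to look at first."""
    per_client = Counter(client for client, *_ in hits)
    non_error = [h for h in hits if 200 <= h[3] < 400]
    return per_client, non_error
```
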





