[CLUE-Tech] Hacking?
David Snyder
SnyderD-Lists at snydersweb.com
Sat Jun 8 10:47:05 MDT 2002
Adam Bultman wrote:
You said most requests are coming from 24.141.100.20, but there were
more? Other ones from that IP block under cgocable.net?
host 24.141.100.20
20.100.141.24.in-addr.arpa domain name pointer d141-100-20.home.cgocable.net.
[snyderd at Popeye snyderd]$ whois -h whois.geektools.com 24.141.100.20
[whois.geektools.com]
Query: 24.141.100.20
Registry: whois.arin.net
Results:
Cogeco Cable Systems (NETBLK-CGOC) CGOC 24.141.0.0 - 24.141.255.255
Cogeco Cable Solutions (NETBLK-CGOC-HATO1-1) CGOC-HATO1-1 24.141.96.0 - 24.141.111.255
When I telnetted to that URL, it gave me:
Trying 208.48.65.12...
Connected to www.spotlife.com.
Escape character is '^]'.
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.0
Date: Sat, 08 Jun 2002 16:23:35 GMT
Content-type: image/jpeg
Etag: "0-0-4951-3d022c6f"
Last-modified: Sat, 08 Jun 2002 16:10:23 GMT
Content-length: 18769
Accept-ranges: bytes
Connection: close
So there definitely is a JPG, but for me it doesn't resolve to your IP
block. And I don't believe this to be a hack because the URL doesn't
look like a hack attempt that I've ever seen before. But I could be
wrong; it does look odd in that it has a protocol version designator
at the end of the URL like that (image.jpg?%tsHTTP/1.0).
Since the requests are coming mainly from one IP and changing very
little, there is a chance it could just be some guy who happens to have
your IP in his hosts file or cached somewhere. Are you running a
firewall with any logging? Do you see requests to other ports from
these IPs?
You might be able to write/call cogeco.net and talk with them, or email
their abuse desk (abuse at cogeco.net).
Odd. Curious to see what all happens...
Regards,
David
>Okay. I think I'm getting hacked, or DDOSed.
>
>Here's my symptoms:
>
>1. Lots of requests to my server. I, on my ISDN, can barely keep up with
>a tcpdump, watching hosts hitting me. I just about peg my bandwidth on my
>colo if I leave httpd up. www.glaven.org/images/hack2.jpg shows my usage.
>You can see it's higher than normal when the attacks started.
>
>
>2. If I turn on http, this is what I get:
>24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
>24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
>
>
>Doing this via telnet, I get a "Method not implemented" error code from
>apache. (of course, I recently upgraded from 1.3.9 to 1.3.24).
>
>3. It appears to be happening to both my DNS servers, nothing else. I
>neglected to mention this earlier. These are my DNS servers. They run
>httpd because I need the big brother status pages. I *was* running BIND
>8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
>is.
>
>4. It's happening from a select few hosts, but the hosts change from one
>time to another. I don't know what it is.
>
>
>I'm now up to snuff on the whole apache and bind thing, and I already had
>the SSH stuff done, and big brother is my only achilles heel.
>
>
>Anyway, check all your access logs, and usage, and let me know if you have
>any idea what's going on with me.
>
>Adam
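The tell-tale thing in Adam's access log is the request target: an absolute URI (http://www.spotlife.com/...) instead of a path. Normal clients only send that form to a proxy, so a server seeing it either has a client that thinks the server's IP belongs to another host (stale DNS, a hosts-file entry) or is being probed as an open proxy. The following is an added example, not code from the thread: it parses Common Log Format lines, flags proxy-style requests whose host is not one of ours, and counts them per source IP, which is the "check all your access logs" step in script form. The sample lines are constructed for the example (the spotlife lines are modelled on the ones quoted above; 192.0.2.7, 198.51.100.9 and www.example.net are made-up test values), and www.glaven.org is assumed to be the server's own name.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log, not real captures. The first two lines mirror the
# shape of the entries quoted in the thread; the rest are made-up filler.
SAMPLE_LOG = """\
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
192.0.2.7 - - [08/Jun/2002:07:47:01 -0400] "GET /bb/index.html HTTP/1.0" 200 3120
198.51.100.9 - - [08/Jun/2002:07:47:05 -0400] "GET http://www.example.net/ HTTP/1.0" 404 264
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_style(target):
    """True when the request target is an absolute URI (scheme://host/...).

    A client sends this form only to a proxy; an origin server should see
    a bare path like /bb/index.html.
    """
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_misdirected(log_text, our_hosts):
    """Return {source_ip: Counter({foreign_host: n})} for proxy-style requests
    addressed to a host that is not one of ours.

    our_hosts: set of lowercase hostnames this server legitimately serves.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_style(rec["target"]):
            continue
        host = urlsplit(rec["target"]).hostname
        if host and host.lower() not in our_hosts:
            hits[rec["ip"]][host.lower()] += 1
    return hits


if __name__ == "__main__":
    # www.glaven.org is assumed to be the server's own name for this example.
    report = find_misdirected(SAMPLE_LOG, {"www.glaven.org"})
    for ip, hosts in sorted(report.items()):
        for host, n in hosts.most_common():
            print(f"{ip} sent {n} proxy-style request(s) for {host}")
```

Run against a real access_log (read the file instead of SAMPLE_LOG), a large count for one foreign host from a few source IPs points at clients resolving that host to your address; many different hosts from many IPs looks more like an open-proxy scan. Either way the per-IP counts are what an abuse desk will want to see.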