[CLUE-Tech] Hacking?

David Snyder SnyderD-Lists at snydersweb.com
Sat Jun 8 10:47:05 MDT 2002


Adam Bultman wrote:

You said most requests are coming from 24.141.100.20, but there were 
more?  Other ones from that IP block under cgocable.net?
host 24.141.100.20
20.100.141.24.in-addr.arpa domain name pointer d141-100-20.home.cgocable.net.
[snyderd at Popeye snyderd]$ whois -h whois.geektools.com 24.141.100.20
[whois.geektools.com]
Query:     24.141.100.20
Registry:  whois.arin.net
Results:
Cogeco Cable Systems (NETBLK-CGOC) CGOC            24.141.0.0 - 24.141.255.255
Cogeco Cable Solutions (NETBLK-CGOC-HATO1-1) CGOC-HATO1-1
                                                  24.141.96.0 - 24.141.111.255

When I telnetted to that URL, it gave me:

    Trying 208.48.65.12...
    Connected to www.spotlife.com.
    Escape character is '^]'.
    HTTP/1.1 200 OK
    Server: Netscape-Enterprise/4.0
    Date: Sat, 08 Jun 2002 16:23:35 GMT
    Content-type: image/jpeg
    Etag: "0-0-4951-3d022c6f"
    Last-modified: Sat, 08 Jun 2002 16:10:23 GMT
    Content-length: 18769
    Accept-ranges: bytes
    Connection: close

So there definitely is a JPG but for me it doesn't resolve to your IP 
block.  And I don't believe this to be a hack because the URL doesn't 
look like a hack attempt that I've ever seen before.  But I could be 
wrong, it does look odd in the fact it has a protocol version designator 
at the end of the URL like that (image.jpg?%tsHTTP/1.0).

Since the requests are coming mainly from one IP and changing very 
little there is the chance it could just be some guy who happens to have 
your IP in his hosts file or cached somewhere.  Are you running a 
firewall with any logging?  Do you see requests to other ports from 
these IPs?

You might be able to write/call cogeco.net and talk w/them or email 
their abuse desk (abuse at cogeco.net).

Odd, curious to see what all happens...

Regards,

David

>Okay. I think I'm getting hacked, or DDOSed.
>
>Here's my symptoms:
>
>1. Lots of requests to my server.  I, on my ISDN, can barely keep up with
>a tcpdump, watching hosts hitting me.  I just about peg my bandwidth on my
>colo if I leave httpd up.   www.glaven.org/images/hack2.jpg shows my usage.
>You can see, it's higher than normal when the attacks started.
>
>
>2. If I turn on http, this is what I get:
>24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
>24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
>
>
>Doing this via telnet, I get a "Method not implemented" error code from
>apache. (of course, I recently upgraded from 1.3.9 to 1.3.24).
>
>3.  It appears to be happening to both my DNS servers, nothing else.  I
>neglected to mention this earlier. These are my DNS servers.  They run
>httpd because I need the big brother status pages.  I *was* running BIND
>8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
>is.
>
>4. It's happening from a select few hosts, but the hosts change from one
>time to another.  I don't know what it is.
>
>
>I'm now up to snuff on the whole apache and bind thing, and I already had
>the SSH stuff done, and big brother is my only Achilles heel.
>
>
>Anyway, check all your access logs, and usage, and let me know if you have
>any idea what's going on with me.
>
>Adam
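Added here as an illustration and not part of the thread: a small Python log triage script that flags proxy-style requests (an absolute http://host/... request target, which an origin server should normally never see) in Apache access-log lines like the ones Adam quoted, and tallies them by source IP and by the host the client actually wanted. The third log line (192.0.2.7) and the set of locally served host names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the first two lines follow the entries quoted in the thread,
# the third is a normal local request made up for contrast.
SAMPLE_LOG = """\
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
192.0.2.7 - - [08/Jun/2002:07:47:02 -0400] "GET /bb/index.html HTTP/1.0" 200 5120
"""

# Apache common log format: ip ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # A request target of the form scheme://host/path is what a client sends to a
    # proxy; a plain origin server expects only a path beginning with "/".
    parts = urlsplit(rec["target"])
    rec["absolute"] = bool(parts.scheme and parts.netloc)
    rec["target_host"] = parts.netloc.lower() if rec["absolute"] else None
    return rec

def misdirected_summary(log_text, local_hosts):
    """Count proxy-style requests aimed at hosts this server does not serve.
    Returns (requests per source IP, requests per intended target host)."""
    per_source, per_target = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["absolute"] and rec["target_host"] not in local_hosts:
            per_source[rec["ip"]] += 1
            per_target[rec["target_host"]] += 1
    return per_source, per_target

if __name__ == "__main__":
    # "www.glaven.org" is the host named in the thread; the set is a constructed assumption.
    src, tgt = misdirected_summary(SAMPLE_LOG, {"www.glaven.org"})
    for ip, n in src.most_common():
        print(f"{n:5d} misdirected requests from {ip}")
    for host, n in tgt.most_common():
        print(f"{n:5d} requests were meant for {host}")
```

A target host that is not yours, repeated from one cable-modem address, is consistent with David's stale-DNS or hosts-file explanation rather than with an exploit attempt against Apache.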