[CLUE-Tech] Hacking?

Dave Hahn dhahn at techangle.com
Sat Jun 8 13:08:20 MDT 2002


Do you have evidence of traffic attempts to other ports?  Someone using
nmap with -T Insane maybe?

If it's an automated 'Kill port 80' attack, could you run apache on another
port and let something like portsentry drop traffic from anyone who hits
unauthorized ports?

I've been very happy with PortSentry - stops lots of bad traffic before it
has a chance to ramp up.

-d

-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Adam Bultman
Sent: Saturday, June 08, 2002 5:49 AM
To: clue-tech at clue.denver.co.us
Subject: [CLUE-Tech] Hacking?


Okay. I think I'm getting hacked, or DDOSed.

Here's my symptoms:

1. Lots of requests to my server.  I, on my ISDN, can barely keep up with
a tcpdump, watching hosts hitting me.  I just about peg my bandwidth on my
colo if I leave httpd up.   www.glaven.org/images/hack2.jpg shows my usage.
You can see, it's higher than normal when the attacks started.


2. IF I turn on http, this is what I get:
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264


Doing this via telnet, I get a "Method not implemented" error code from
apache. (of course, I recently upgraded from 1.3.9 to 1.3.24).

3.  It appears to be happening to both my DNS servers, nothing else.  I
neglected to mention this earlier. These are my DNS servers.  They run
httpd because I need the big brother status pages.  I *was* running BIND
8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
is.

4. It's happening from a select few hosts, but the hosts change from one
time to another.  I don't know what it is.


I'm now up to snuff on the whole apache and bind thing, and I already had
the SSH stuff done, and big brother is my only Achilles heel.


Anyway, check all your access logs, and usage, and let me know if you have
any idea what's going on with me.

Adam


--
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]



_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech
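Added example, not code from the thread or from either poster: a small Python checker that parses Apache common-log lines like the two Adam quoted, flags request targets that are absolute URLs (a client trying to use the server as a forward proxy rather than asking for a local page, which is why Apache answers 404), and counts those attempts per source address so the changing set of hosts is easy to tally. The sample log is constructed: the two quoted entries joined back onto single lines, plus one ordinary request from the documentation address 192.0.2.7.

```python
import re
from collections import Counter

# Apache common-log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_proxy_request(entry):
    """True when the request target is a full URL (scheme://host/...)."""
    # An origin server only expects targets beginning with "/"; a full URL for
    # another site means the client is treating this host as a forward proxy.
    return ABSOLUTE_URI_RE.match(entry["target"]) is not None


def proxy_attempts_by_host(lines):
    """Count proxy-style requests per source address over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_proxy_request(entry):
            counts[entry["host"]] += 1
    return counts


# Constructed sample: the two entries quoted in the message (joined back onto
# single lines) plus one ordinary request from a documentation-range address.
SAMPLE_LOG = """\
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
192.0.2.7 - - [08/Jun/2002:07:47:02 -0400] "GET /bb/index.html HTTP/1.0" 200 1532
"""

if __name__ == "__main__":
    for host, n in proxy_attempts_by_host(SAMPLE_LOG.splitlines()).most_common():
        print(f"{host}\t{n} proxy-style request(s)")
```

Run it against a real access_log by passing the file's lines to proxy_attempts_by_host; the per-host counts are what you would feed into a block list or a PortSentry-style policy decision.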