I think I am being attacked - Can you help? - Redhat

This is a discussion on I think I am being attacked - Can you help? - Redhat ; Sorry if this is off topic. Not sure where to post. I am running a fedora core 4 server and over the past few months I have noticed a lot of bogus traffic hitting my servers. Infact so much so ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: I think I am being attacked - Can you help?

  1. I think I am being attacked - Can you help?

    Sorry if this is off topic. Not sure where to post. I am running a fedora
    core 4 server and over the past few months I have noticed a lot of bogus
    traffic hitting my servers. Infact so much so that at any given time there
    are from 800 to 1000 connections to any one of my servers at a time with the
    stuff you see below. All of the hits come from Macintosh computers, they are
    all calling this /?32175, /?536235, /?2523754 and another that is not listed
    here is /f=* The /?xxxxx is from an affiliate program that was running on my
    server, but I know for a fact that this is bogus traffic because the
    accounts that these are related to are closed and the affiliate program is
    no longer running.

    Listed below all this is another sort of attack, coming from youtube. (Below
    this snipet).

    77.54.169.33 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; UP6; PPC Mac OS X; en-US) AppleWebKit/8I1.3
    (KHTML, like Geco, Safari) OmniWeb/vY42.H8"
    189.46.128.138 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 841; PPC Mac OS X; en-US) AppleWebKit/5A2.1
    (KHTML, like Geco, Safari) OmniWeb/vL33.EC"
    213.203.109.223 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    302 - "-" "Mozilla/5.0 (Macintosh; ZTV; PPC Mac OS X; en-US)
    AppleWebKit/2CG.0 (KHTML, like Geco, Safari) OmniWeb/vR13.Q4"
    89.186.129.247 - - [02/Apr/2008:15:49:47 -0500] "GET /?2460341 HTTP/1.0"
    200 - "-" "Mozilla/5.0 (Macintosh; COK; PPC Mac OS X; en-US)
    AppleWebKit/410.4 (KHTML, like Geco, Safari) OmniWeb/v463.21t=C:\\WINDO\x81"
    85.59.165.254 - - [02/Apr/2008:15:49:47 -0500] "GET /?536235 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; FNY; PPC Mac OS X; en-US) AppleWebKit/1EA.1
    (KHTML, like Geco, Safari) OmniWeb/vT36.BQ"
    83.77.25.99 - - [02/Apr/2008:15:49:47 -0500] "GET /?2523754 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; MOZ; PPC Mac OS X; en-US) AppleWebKit/160.3
    (KHTML, like Geco, Safari) OmniWeb/v872.61Java\\jre1.\x81"
    201.14.123.228 - - [02/Apr/2008:15:49:48 -0500] "GET /?536235 HTTP/1.1"
    302 - "-" "Mozilla/5.0 (Macintosh; MRN; PPC Mac OS X; en-US)
    AppleWebKit/4NZ.x (KHTML, like Geco, Safari) OmniWeb/vZ51.2S"
    121.133.157.68 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; KV6; PPC Mac OS X; en-US) AppleWebKit/172.3
    (KHTML, like Geco, Safari) OmniWeb/vJ37.7H"
    85.87.193.139 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 5LF; PPC Mac OS X; en-US) AppleWebKit/3QJ.7
    (KHTML, like Geco, Safari) OmniWeb/v515.VB"
    70.55.144.248 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    302 - "-" "Mozilla/5.0 (Macintosh; JGI; PPC Mac OS X; en-US)
    AppleWebKit/213.5 (KHTML, like Geco, Safari) OmniWeb/v824.15"
    217.28.149.2 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; DTZ; PPC Mac OS X; en-US) AppleWebKit/301.0
    (KHTML, like Geco, Safari) OmniWeb/v807.20"
    87.217.131.213 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    302 - "-" "Mozilla/5.0 (Macintosh; PJS; PPC Mac OS X; en-US)
    AppleWebKit/146.5 (KHTML, like Geco, Safari) OmniWeb/v230.68"
    189.7.126.158 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; RMD; PPC Mac OS X; en-US) AppleWebKit/425.0
    (KHTML, like Geco, Safari) OmniWeb/vQ41.ZX"
    85.141.175.51 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; RBV; PPC Mac OS X; en-US) AppleWebKit/2F7.5
    (KHTML, like Geco, Safari) OmniWeb/vB30.I6"
    83.32.16.185 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0" 200 -
    "-" "Mozilla/5.0 (Macintosh; ZYE; PPC Mac OS X; en-US) AppleWebKit/464.2
    (KHTML, like Geco, Safari) OmniWeb/v113.43ive=C:"
    86.70.188.210 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    302 - "-" "Mozilla/5.0 (Macintosh; APH; PPC Mac OS X; en-US)
    AppleWebKit/427.2 (KHTML, like Geco, Safari) OmniWeb/v420.87ive=C:"
    41.232.217.206 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    302 - "-" "Mozilla/5.0 (Macintosh; EPQ; PPC Mac OS X; en-US)
    AppleWebKit/358.0 (KHTML, like Geco, Safari) OmniWeb/v333.10"
    80.54.182.184 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 89P; PPC Mac OS X; en-US) AppleWebKit/5Q4.5
    (KHTML, like Geco, Safari) OmniWeb/vV12.ZO"
    81.245.130.219 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 5D8; PPC Mac OS X; en-US) AppleWebKit/3JX.6
    (KHTML, like Geco, Safari) OmniWeb/vZ30.9E"
    75.145.164.201 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
    200 - "-" "Mozilla/5.0 (Macintosh; FEY; PPC Mac OS X; en-US)
    AppleWebKit/771.0 (KHTML, like Geco, Safari) OmniWeb/v157.64ogram File\x81"
    85.155.150.84 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 3DK; PPC Mac OS X; en-US) AppleWebKit/11G.3
    (KHTML, like Geco, Safari) OmniWeb/vG71.QI"
    87.219.102.226 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; YFS; PPC Mac OS X; en-US) AppleWebKit/2E0.4
    (KHTML, like Geco, Safari) OmniWeb/vE66.LU"
    79.9.196.135 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; D90; PPC Mac OS X; en-US) AppleWebKit/2Q5.0
    (KHTML, like Geco, Safari) OmniWeb/vY14.GG"
    82.156.95.90 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; INN; PPC Mac OS X; en-US) AppleWebKit/656.6
    (KHTML, like Geco, Safari) OmniWeb/v500.56"
    84.228.117.107 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 3PY; PPC Mac OS X; en-US) AppleWebKit/3FE.4
    (KHTML, like Geco, Safari) OmniWeb/vI12.OU"
    80.236.91.61 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; SFU; PPC Mac OS X; en-US) AppleWebKit/813.2
    (KHTML, like Geco, Safari) OmniWeb/v137.52:\\Program \x81"
    89.3.91.218 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; UHT; PPC Mac OS X; en-US) AppleWebKit/338.0
    (KHTML, like Geco, Safari) OmniWeb/v871.10ve=C:"
    201.18.37.162 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.0" 302 -
    "-" "Mozilla/5.0 (Macintosh; TAY; PPC Mac OS X; en-US) AppleWebKit/7W5.3
    (KHTML, like Geco, Safari) OmniWeb/vU20.KW"
    200.8.110.143 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; 4C2; PPC Mac OS X; en-US) AppleWebKit/8NC.0
    (KHTML, like Geco, Safari) OmniWeb/vP05.9V"
    80.20.99.250 - - [02/Apr/2008:15:49:49 -0500] "GET /?2460341 HTTP/1.0" 200 -
    "-" "Mozilla/5.0 (Macintosh; TQN; PPC Mac OS X; en-US) AppleWebKit/177.1
    (KHTML, like Geco, Safari) OmniWeb/v467.13"


    From Youtube

    [root@host5 httpd]# grep "youtube" access_log
    89.42.144.9 - - [02/Apr/2008:15:49:50 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=ZlXFjyP_Cck&feature=related" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    88.253.96.206 - - [02/Apr/2008:15:50:07 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=oYqN4o9Xvxg&feature=related" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)"
    196.206.214.178 - - [02/Apr/2008:15:50:11 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=PKLFfVMqe-I" "Mozilla/4.0 (compatible; MSIE
    6.0; Windows NT 5.1)"
    78.168.37.42 - - [02/Apr/2008:15:50:57 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    SV1)"
    78.168.37.42 - - [02/Apr/2008:15:50:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    SV1)"
    78.168.37.42 - - [02/Apr/2008:15:51:11 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&search_type="
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:51:12 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&search_type="
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:52:28 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:52:29 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:53:08 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=4" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:53:44 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=5" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:54:14 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=6" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:54:43 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=7" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:55:16 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=besyo&page=8" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    196.206.214.178 - - [02/Apr/2008:15:55:31 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=warda+3la+warda&search_type="
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    78.168.37.42 - - [02/Apr/2008:15:55:38 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=ctl&search_type=" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:55:55 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/results?search_query=kol+bast%C4%B1&search_type="
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.168.37.42 - - [02/Apr/2008:15:56:02 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=yVt6rJlEueY" "Mozilla/4.0 (compatible; MSIE
    6.0; Windows NT 5.1; SV1)"
    196.206.214.178 - - [02/Apr/2008:15:56:03 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=wFPCa9NgNy8" "Mozilla/4.0 (compatible; MSIE
    6.0; Windows NT 5.1)"
    67.139.245.131 - - [02/Apr/2008:15:56:04 -0500] "GET /?f=r HTTP/1.0" 302 -
    "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    67.139.245.131 - - [02/Apr/2008:15:56:05 -0500] "GET
    /stormpay/user/user_auctions.php HTTP/1.0" 200 33524
    "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    196.206.214.178 - - [02/Apr/2008:15:56:22 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.youtube.com/watch?v=Wzv_-AjXPDY&feature=related" "Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1)"
    69.250.228.122 - - [02/Apr/2008:15:56:31 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible; MSIE 6.0;
    Windows NT 5.1)"
    69.250.228.122 - - [02/Apr/2008:15:56:32 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible; MSIE 6.0;
    Windows NT 5.1)"

    Yesterdays log file shows over 13,000 youtube entries alone.

    [root@host5 httpd]# grep "youtube" access_log.1 | wc
    13787 284556 2904200

    Over 1 million hits yesterday on the expression "Macintosh"

    [root@host5 httpd]# grep "Macintosh" access_log.1 | wc
    1516665 37654811 297731520

    This is on just one server, I have 3 that are currently online.

    Now I have attempted to contact youtube, which as you know is nearly
    impossible. I have added some code to my page to try to stop these attacks
    which basically says if this expression comes in, redirect to localhost.

    $flood_queries = array(
    'f=*',
    '2523754',
    '536235',
    '32175'
    );
    if (!empty($QUERY_STRING)) {
    foreach ($flood_queries as $flood) {
    if (stripos($QUERY_STRING,$flood)!==false) {
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    header('Last-Modified: '.gmdate('D, d M Y H:i:s').'
    GMT');
    header('Cache-Control: must-revalidate,
    post-check=0, pre-check=0');
    header('Location: http://127.0.0.1/');
    die();

    But this has not helped in any way. These hits seem to be increasing. It
    seems that something or someone is embedding a GET request in the youtube
    flv file that is created? Is that possible? Can I turn up the logging in
    apache to see if it shows me anything else? (Although I dont want to slow it
    down anymore than what it already is).

    If you have any idea on what this is or how to stop it I would appreciate
    it.

    Thanks
    Jim


  2. Re: I think I am being attacked - Can you help?

    Jim G wrote:
    > Sorry if this is off topic. Not sure where to post. I am running a
    > fedora core 4 server and over the past few months I have noticed a lot
    > of bogus traffic hitting my servers. Infact so much so that at any given
    > time there are from 800 to 1000 connections to any one of my servers at
    > a time with the stuff you see below. All of the hits come from Macintosh
    > computers, they are all calling this /?32175, /?536235, /?2523754 and
    > another that is not listed here is /f=* The /?xxxxx is from an affiliate
    > program that was running on my server, but I know for a fact that this
    > is bogus traffic because the accounts that these are related to are
    > closed and the affiliate program is no longer running.
    >
    > Listed below all this is another sort of attack, coming from youtube.
    > (Below this snipet).
    >
    > 77.54.169.33 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1" 302
    > - "-" "Mozilla/5.0 (Macintosh; UP6; PPC Mac OS X; en-US)
    > AppleWebKit/8I1.3 (KHTML, like Geco, Safari) OmniWeb/vY42.H8"
    > 189.46.128.138 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 841; PPC Mac OS X; en-US)
    > AppleWebKit/5A2.1 (KHTML, like Geco, Safari) OmniWeb/vL33.EC"
    > 213.203.109.223 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; ZTV; PPC Mac OS X; en-US)
    > AppleWebKit/2CG.0 (KHTML, like Geco, Safari) OmniWeb/vR13.Q4"
    > 89.186.129.247 - - [02/Apr/2008:15:49:47 -0500] "GET /?2460341 HTTP/1.0"
    > 200 - "-" "Mozilla/5.0 (Macintosh; COK; PPC Mac OS X; en-US)
    > AppleWebKit/410.4 (KHTML, like Geco, Safari)
    > OmniWeb/v463.21t=C:\\WINDO\x81"
    > 85.59.165.254 - - [02/Apr/2008:15:49:47 -0500] "GET /?536235 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; FNY; PPC Mac OS X; en-US)
    > AppleWebKit/1EA.1 (KHTML, like Geco, Safari) OmniWeb/vT36.BQ"
    > 83.77.25.99 - - [02/Apr/2008:15:49:47 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; MOZ; PPC Mac OS X; en-US)
    > AppleWebKit/160.3 (KHTML, like Geco, Safari)
    > OmniWeb/v872.61Java\\jre1.\x81"
    > 201.14.123.228 - - [02/Apr/2008:15:49:48 -0500] "GET /?536235 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; MRN; PPC Mac OS X; en-US)
    > AppleWebKit/4NZ.x (KHTML, like Geco, Safari) OmniWeb/vZ51.2S"
    > 121.133.157.68 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; KV6; PPC Mac OS X; en-US)
    > AppleWebKit/172.3 (KHTML, like Geco, Safari) OmniWeb/vJ37.7H"
    > 85.87.193.139 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 5LF; PPC Mac OS X; en-US)
    > AppleWebKit/3QJ.7 (KHTML, like Geco, Safari) OmniWeb/v515.VB"
    > 70.55.144.248 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; JGI; PPC Mac OS X; en-US)
    > AppleWebKit/213.5 (KHTML, like Geco, Safari) OmniWeb/v824.15"
    > 217.28.149.2 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; DTZ; PPC Mac OS X; en-US)
    > AppleWebKit/301.0 (KHTML, like Geco, Safari) OmniWeb/v807.20"
    > 87.217.131.213 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; PJS; PPC Mac OS X; en-US)
    > AppleWebKit/146.5 (KHTML, like Geco, Safari) OmniWeb/v230.68"
    > 189.7.126.158 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; RMD; PPC Mac OS X; en-US)
    > AppleWebKit/425.0 (KHTML, like Geco, Safari) OmniWeb/vQ41.ZX"
    > 85.141.175.51 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; RBV; PPC Mac OS X; en-US)
    > AppleWebKit/2F7.5 (KHTML, like Geco, Safari) OmniWeb/vB30.I6"
    > 83.32.16.185 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
    > 200 - "-" "Mozilla/5.0 (Macintosh; ZYE; PPC Mac OS X; en-US)
    > AppleWebKit/464.2 (KHTML, like Geco, Safari) OmniWeb/v113.43ive=C:"
    > 86.70.188.210 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; APH; PPC Mac OS X; en-US)
    > AppleWebKit/427.2 (KHTML, like Geco, Safari) OmniWeb/v420.87ive=C:"
    > 41.232.217.206 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; EPQ; PPC Mac OS X; en-US)
    > AppleWebKit/358.0 (KHTML, like Geco, Safari) OmniWeb/v333.10"
    > 80.54.182.184 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 89P; PPC Mac OS X; en-US)
    > AppleWebKit/5Q4.5 (KHTML, like Geco, Safari) OmniWeb/vV12.ZO"
    > 81.245.130.219 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 5D8; PPC Mac OS X; en-US)
    > AppleWebKit/3JX.6 (KHTML, like Geco, Safari) OmniWeb/vZ30.9E"
    > 75.145.164.201 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
    > 200 - "-" "Mozilla/5.0 (Macintosh; FEY; PPC Mac OS X; en-US)
    > AppleWebKit/771.0 (KHTML, like Geco, Safari) OmniWeb/v157.64ogram File\x81"
    > 85.155.150.84 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 3DK; PPC Mac OS X; en-US)
    > AppleWebKit/11G.3 (KHTML, like Geco, Safari) OmniWeb/vG71.QI"
    > 87.219.102.226 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; YFS; PPC Mac OS X; en-US)
    > AppleWebKit/2E0.4 (KHTML, like Geco, Safari) OmniWeb/vE66.LU"
    > 79.9.196.135 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302
    > - "-" "Mozilla/5.0 (Macintosh; D90; PPC Mac OS X; en-US)
    > AppleWebKit/2Q5.0 (KHTML, like Geco, Safari) OmniWeb/vY14.GG"
    > 82.156.95.90 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; INN; PPC Mac OS X; en-US)
    > AppleWebKit/656.6 (KHTML, like Geco, Safari) OmniWeb/v500.56"
    > 84.228.117.107 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 3PY; PPC Mac OS X; en-US)
    > AppleWebKit/3FE.4 (KHTML, like Geco, Safari) OmniWeb/vI12.OU"
    > 80.236.91.61 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; SFU; PPC Mac OS X; en-US)
    > AppleWebKit/813.2 (KHTML, like Geco, Safari) OmniWeb/v137.52:\\Program
    > \x81"
    > 89.3.91.218 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; UHT; PPC Mac OS X; en-US)
    > AppleWebKit/338.0 (KHTML, like Geco, Safari) OmniWeb/v871.10ve=C:"
    > 201.18.37.162 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.0"
    > 302 - "-" "Mozilla/5.0 (Macintosh; TAY; PPC Mac OS X; en-US)
    > AppleWebKit/7W5.3 (KHTML, like Geco, Safari) OmniWeb/vU20.KW"
    > 200.8.110.143 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1"
    > 302 - "-" "Mozilla/5.0 (Macintosh; 4C2; PPC Mac OS X; en-US)
    > AppleWebKit/8NC.0 (KHTML, like Geco, Safari) OmniWeb/vP05.9V"
    > 80.20.99.250 - - [02/Apr/2008:15:49:49 -0500] "GET /?2460341 HTTP/1.0"
    > 200 - "-" "Mozilla/5.0 (Macintosh; TQN; PPC Mac OS X; en-US)
    > AppleWebKit/177.1 (KHTML, like Geco, Safari) OmniWeb/v467.13"
    >
    >
    > From Youtube
    >
    > [root@host5 httpd]# grep "youtube" access_log
    > 89.42.144.9 - - [02/Apr/2008:15:49:50 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/watch?v=ZlXFjyP_Cck&feature=related"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 88.253.96.206 - - [02/Apr/2008:15:50:07 -0500] "GET /?f=* HTTP/1.1" 302
    > - "http://www.youtube.com/watch?v=oYqN4o9Xvxg&feature=related"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)"
    > 196.206.214.178 - - [02/Apr/2008:15:50:11 -0500] "GET /?f=* HTTP/1.1"
    > 302 - "http://www.youtube.com/watch?v=PKLFfVMqe-I" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1)"
    > 78.168.37.42 - - [02/Apr/2008:15:50:57 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
    > 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:50:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
    > 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:51:11 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&search_type="
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:51:12 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&search_type="
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:52:28 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:52:29 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:53:08 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=4" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:53:44 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=5" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:54:14 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=6" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:54:43 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=7" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:55:16 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=besyo&page=8" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 196.206.214.178 - - [02/Apr/2008:15:55:31 -0500] "GET /?f=* HTTP/1.1"
    > 302 -
    > "http://www.youtube.com/results?search_query=warda+3la+warda&search_type="
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    > 78.168.37.42 - - [02/Apr/2008:15:55:38 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=ctl&search_type="
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:55:55 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/results?search_query=kol+bast%C4%B1&search_type="
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 78.168.37.42 - - [02/Apr/2008:15:56:02 -0500] "GET /?f=* HTTP/1.1" 302 -
    > "http://www.youtube.com/watch?v=yVt6rJlEueY" "Mozilla/4.0 (compatible;
    > MSIE 6.0; Windows NT 5.1; SV1)"
    > 196.206.214.178 - - [02/Apr/2008:15:56:03 -0500] "GET /?f=* HTTP/1.1"
    > 302 - "http://www.youtube.com/watch?v=wFPCa9NgNy8" "Mozilla/4.0
    > (compatible; MSIE 6.0; Windows NT 5.1)"
    > 67.139.245.131 - - [02/Apr/2008:15:56:04 -0500] "GET /?f=r HTTP/1.0" 302
    > - "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 67.139.245.131 - - [02/Apr/2008:15:56:05 -0500] "GET
    > /stormpay/user/user_auctions.php HTTP/1.0" 200 33524
    > "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    > 196.206.214.178 - - [02/Apr/2008:15:56:22 -0500] "GET /?f=* HTTP/1.1"
    > 302 - "http://www.youtube.com/watch?v=Wzv_-AjXPDY&feature=related"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    > 69.250.228.122 - - [02/Apr/2008:15:56:31 -0500] "GET /?f=* HTTP/1.1" 302
    > - "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible;
    > MSIE 6.0; Windows NT 5.1)"
    > 69.250.228.122 - - [02/Apr/2008:15:56:32 -0500] "GET /?f=* HTTP/1.1" 302
    > - "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible;
    > MSIE 6.0; Windows NT 5.1)"
    >
    > Yesterdays log file shows over 13,000 youtube entries alone.
    >
    > [root@host5 httpd]# grep "youtube" access_log.1 | wc
    > 13787 284556 2904200
    >
    > Over 1 million hits yesterday on the expression "Macintosh"
    >
    > [root@host5 httpd]# grep "Macintosh" access_log.1 | wc
    > 1516665 37654811 297731520
    >
    > This is on just one server, I have 3 that are currently online.
    >
    > Now I have attempted to contact youtube, which as you know is nearly
    > impossible. I have added some code to my page to try to stop these
    > attacks which basically says if this expression comes in, redirect to
    > localhost.
    >
    > $flood_queries = array(
    > 'f=*',
    > '2523754',
    > '536235',
    > '32175'
    > );
    > if (!empty($QUERY_STRING)) {
    > foreach ($flood_queries as $flood) {
    > if (stripos($QUERY_STRING,$flood)!==false) {
    > header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    > header('Last-Modified: '.gmdate('D, d M Y
    > H:i:s').' GMT');
    > header('Cache-Control: must-revalidate,
    > post-check=0, pre-check=0');
    > header('Location: http://127.0.0.1/');
    > die();
    >
    > But this has not helped in any way. These hits seem to be increasing. It
    > seems that something or someone is embedding a GET request in the
    > youtube flv file that is created? Is that possible? Can I turn up the
    > logging in apache to see if it shows me anything else? (Although I dont
    > want to slow it down anymore than what it already is).
    >
    > If you have any idea on what this is or how to stop it I would
    > appreciate it.
    >
    > Thanks
    > Jim



    How does this differ from your "normal" traffic? Are you being slash
    dot'd? There are a few ways to block these sorts of things - one would
    be tcpd (if applicable - but probably/hopefully not) and the other is
    iptables. iptables is how I do it, by either a whole-encompassing rule
    to limit hits, or by specifically targeting excessive IP's/IP ranges.
    There are many scripts on the web for this kind of thing. The better
    ones basically figure out what is not normal and block that IP for a
    configured time. They then undo the entry. Search around and you
    will find.

    JR.


    --

    Bill will have to take Linux from my cold, dead flippers.

    -Tux.

  3. Re: I think I am being attacked - Can you help?


    "Johnny Rebel" wrote in message
    news:8cfff$47f4104b$d1d97aaa$6974@PRIMUS.CA...
    > Jim G wrote:
    >> Sorry if this is off topic. Not sure where to post. I am running a fedora
    >> core 4 server and over the past few months I have noticed a lot of bogus
    >> traffic hitting my servers. Infact so much so that at any given time
    >> there are from 800 to 1000 connections to any one of my servers at a time
    >> with the stuff you see below. All of the hits come from Macintosh
    >> computers, they are all calling this /?32175, /?536235, /?2523754 and
    >> another that is not listed here is /f=* The /?xxxxx is from an affiliate
    >> program that was running on my server, but I know for a fact that this is
    >> bogus traffic because the accounts that these are related to are closed
    >> and the affiliate program is no longer running.
    >>
    >> Listed below all this is another sort of attack, coming from youtube.
    >> (Below this snipet).
    >>
    >> 77.54.169.33 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; UP6; PPC Mac OS X; en-US)
    >> AppleWebKit/8I1.3 (KHTML, like Geco, Safari) OmniWeb/vY42.H8"
    >> 189.46.128.138 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 841; PPC Mac OS X; en-US)
    >> AppleWebKit/5A2.1 (KHTML, like Geco, Safari) OmniWeb/vL33.EC"
    >> 213.203.109.223 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; ZTV; PPC Mac OS X; en-US)
    >> AppleWebKit/2CG.0 (KHTML, like Geco, Safari) OmniWeb/vR13.Q4"
    >> 89.186.129.247 - - [02/Apr/2008:15:49:47 -0500] "GET /?2460341 HTTP/1.0"
    >> 200 - "-" "Mozilla/5.0 (Macintosh; COK; PPC Mac OS X; en-US)
    >> AppleWebKit/410.4 (KHTML, like Geco, Safari)
    >> OmniWeb/v463.21t=C:\\WINDO\x81"
    >> 85.59.165.254 - - [02/Apr/2008:15:49:47 -0500] "GET /?536235 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; FNY; PPC Mac OS X; en-US)
    >> AppleWebKit/1EA.1 (KHTML, like Geco, Safari) OmniWeb/vT36.BQ"
    >> 83.77.25.99 - - [02/Apr/2008:15:49:47 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; MOZ; PPC Mac OS X; en-US)
    >> AppleWebKit/160.3 (KHTML, like Geco, Safari)
    >> OmniWeb/v872.61Java\\jre1.\x81"
    >> 201.14.123.228 - - [02/Apr/2008:15:49:48 -0500] "GET /?536235 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; MRN; PPC Mac OS X; en-US)
    >> AppleWebKit/4NZ.x (KHTML, like Geco, Safari) OmniWeb/vZ51.2S"
    >> 121.133.157.68 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; KV6; PPC Mac OS X; en-US)
    >> AppleWebKit/172.3 (KHTML, like Geco, Safari) OmniWeb/vJ37.7H"
    >> 85.87.193.139 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 5LF; PPC Mac OS X; en-US)
    >> AppleWebKit/3QJ.7 (KHTML, like Geco, Safari) OmniWeb/v515.VB"
    >> 70.55.144.248 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; JGI; PPC Mac OS X; en-US)
    >> AppleWebKit/213.5 (KHTML, like Geco, Safari) OmniWeb/v824.15"
    >> 217.28.149.2 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; DTZ; PPC Mac OS X; en-US)
    >> AppleWebKit/301.0 (KHTML, like Geco, Safari) OmniWeb/v807.20"
    >> 87.217.131.213 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; PJS; PPC Mac OS X; en-US)
    >> AppleWebKit/146.5 (KHTML, like Geco, Safari) OmniWeb/v230.68"
    >> 189.7.126.158 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; RMD; PPC Mac OS X; en-US)
    >> AppleWebKit/425.0 (KHTML, like Geco, Safari) OmniWeb/vQ41.ZX"
    >> 85.141.175.51 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; RBV; PPC Mac OS X; en-US)
    >> AppleWebKit/2F7.5 (KHTML, like Geco, Safari) OmniWeb/vB30.I6"
    >> 83.32.16.185 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
    >> 200 - "-" "Mozilla/5.0 (Macintosh; ZYE; PPC Mac OS X; en-US)
    >> AppleWebKit/464.2 (KHTML, like Geco, Safari) OmniWeb/v113.43ive=C:"
    >> 86.70.188.210 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; APH; PPC Mac OS X; en-US)
    >> AppleWebKit/427.2 (KHTML, like Geco, Safari) OmniWeb/v420.87ive=C:"
    >> 41.232.217.206 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; EPQ; PPC Mac OS X; en-US)
    >> AppleWebKit/358.0 (KHTML, like Geco, Safari) OmniWeb/v333.10"
    >> 80.54.182.184 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 89P; PPC Mac OS X; en-US)
    >> AppleWebKit/5Q4.5 (KHTML, like Geco, Safari) OmniWeb/vV12.ZO"
    >> 81.245.130.219 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 5D8; PPC Mac OS X; en-US)
    >> AppleWebKit/3JX.6 (KHTML, like Geco, Safari) OmniWeb/vZ30.9E"
    >> 75.145.164.201 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
    >> 200 - "-" "Mozilla/5.0 (Macintosh; FEY; PPC Mac OS X; en-US)
    >> AppleWebKit/771.0 (KHTML, like Geco, Safari) OmniWeb/v157.64ogram
    >> File\x81"
    >> 85.155.150.84 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 3DK; PPC Mac OS X; en-US)
    >> AppleWebKit/11G.3 (KHTML, like Geco, Safari) OmniWeb/vG71.QI"
    >> 87.219.102.226 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; YFS; PPC Mac OS X; en-US)
    >> AppleWebKit/2E0.4 (KHTML, like Geco, Safari) OmniWeb/vE66.LU"
    >> 79.9.196.135 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; D90; PPC Mac OS X; en-US)
    >> AppleWebKit/2Q5.0 (KHTML, like Geco, Safari) OmniWeb/vY14.GG"
    >> 82.156.95.90 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; INN; PPC Mac OS X; en-US)
    >> AppleWebKit/656.6 (KHTML, like Geco, Safari) OmniWeb/v500.56"
    >> 84.228.117.107 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 3PY; PPC Mac OS X; en-US)
    >> AppleWebKit/3FE.4 (KHTML, like Geco, Safari) OmniWeb/vI12.OU"
    >> 80.236.91.61 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; SFU; PPC Mac OS X; en-US)
    >> AppleWebKit/813.2 (KHTML, like Geco, Safari) OmniWeb/v137.52:\\Program
    >> \x81"
    >> 89.3.91.218 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; UHT; PPC Mac OS X; en-US)
    >> AppleWebKit/338.0 (KHTML, like Geco, Safari) OmniWeb/v871.10ve=C:"
    >> 201.18.37.162 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.0"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; TAY; PPC Mac OS X; en-US)
    >> AppleWebKit/7W5.3 (KHTML, like Geco, Safari) OmniWeb/vU20.KW"
    >> 200.8.110.143 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1"
    >> 302 - "-" "Mozilla/5.0 (Macintosh; 4C2; PPC Mac OS X; en-US)
    >> AppleWebKit/8NC.0 (KHTML, like Geco, Safari) OmniWeb/vP05.9V"
    >> 80.20.99.250 - - [02/Apr/2008:15:49:49 -0500] "GET /?2460341 HTTP/1.0"
    >> 200 - "-" "Mozilla/5.0 (Macintosh; TQN; PPC Mac OS X; en-US)
    >> AppleWebKit/177.1 (KHTML, like Geco, Safari) OmniWeb/v467.13"
    >>
    >>
    >> From Youtube
    >>
    >> [root@host5 httpd]# grep "youtube" access_log
    >> 89.42.144.9 - - [02/Apr/2008:15:49:50 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/watch?v=ZlXFjyP_Cck&feature=related" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 88.253.96.206 - - [02/Apr/2008:15:50:07 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/watch?v=oYqN4o9Xvxg&feature=related" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)"
    >> 196.206.214.178 - - [02/Apr/2008:15:50:11 -0500] "GET /?f=* HTTP/1.1"
    >> 302 - "http://www.youtube.com/watch?v=PKLFfVMqe-I" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:50:57 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
    >> 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:50:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
    >> 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:51:11 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&search_type="
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:51:12 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&search_type="
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:52:28 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:52:29 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:53:08 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=4" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:53:44 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=5" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:54:14 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=6" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:54:43 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=7" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:55:16 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=besyo&page=8" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 196.206.214.178 - - [02/Apr/2008:15:55:31 -0500] "GET /?f=* HTTP/1.1"
    >> 302 -
    >> "http://www.youtube.com/results?search_query=warda+3la+warda&search_type="
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:55:38 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=ctl&search_type="
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:55:55 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/results?search_query=kol+bast%C4%B1&search_type="
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 78.168.37.42 - - [02/Apr/2008:15:56:02 -0500] "GET /?f=* HTTP/1.1" 302 -
    >> "http://www.youtube.com/watch?v=yVt6rJlEueY" "Mozilla/4.0 (compatible;
    >> MSIE 6.0; Windows NT 5.1; SV1)"
    >> 196.206.214.178 - - [02/Apr/2008:15:56:03 -0500] "GET /?f=* HTTP/1.1"
    >> 302 - "http://www.youtube.com/watch?v=wFPCa9NgNy8" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1)"
    >> 67.139.245.131 - - [02/Apr/2008:15:56:04 -0500] "GET /?f=r HTTP/1.0"
    >> 302 - "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY"
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 67.139.245.131 - - [02/Apr/2008:15:56:05 -0500] "GET
    >> /stormpay/user/user_auctions.php HTTP/1.0" 200 33524
    >> "http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY" "Mozilla/4.0
    >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    >> 196.206.214.178 - - [02/Apr/2008:15:56:22 -0500] "GET /?f=* HTTP/1.1"
    >> 302 - "http://www.youtube.com/watch?v=Wzv_-AjXPDY&feature=related"
    >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    >> 69.250.228.122 - - [02/Apr/2008:15:56:31 -0500] "GET /?f=* HTTP/1.1"
    >> 302 - "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible;
    >> MSIE 6.0; Windows NT 5.1)"
    >> 69.250.228.122 - - [02/Apr/2008:15:56:32 -0500] "GET /?f=* HTTP/1.1"
    >> 302 - "http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible;
    >> MSIE 6.0; Windows NT 5.1)"
    >>
    >> Yesterdays log file shows over 13,000 youtube entries alone.
    >>
    >> [root@host5 httpd]# grep "youtube" access_log.1 | wc
    >> 13787 284556 2904200
    >>
    >> Over 1 million hits yesterday on the expression "Macintosh"
    >>
    >> [root@host5 httpd]# grep "Macintosh" access_log.1 | wc
    >> 1516665 37654811 297731520
    >>
    >> This is on just one server, I have 3 that are currently online.
    >>
    >> Now I have attempted to contact youtube, which as you know is nearly
    >> impossible. I have added some code to my page to try to stop these
    >> attacks which basically says if this expression comes in, redirect to
    >> localhost.
    >>
    >> $flood_queries = array(
    >> 'f=*',
    >> '2523754',
    >> '536235',
    >> '32175'
    >> );
    >> if (!empty($QUERY_STRING)) {
    >> foreach ($flood_queries as $flood) {
    >> if (stripos($QUERY_STRING,$flood)!==false) {
    >> header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    >> header('Last-Modified: '.gmdate('D, d M Y
    >> H:i:s').' GMT');
    >> header('Cache-Control: must-revalidate,
    >> post-check=0, pre-check=0');
    >> header('Location: http://127.0.0.1/');
    >> die();
    >>
    >> But this has not helped in any way. These hits seem to be increasing. It
    >> seems that something or someone is embedding a GET request in the youtube
    >> flv file that is created? Is that possible? Can I turn up the logging in
    >> apache to see if it shows me anything else? (Although I dont want to slow
    >> it down anymore than what it already is).
    >>
    >> If you have any idea on what this is or how to stop it I would appreciate
    >> it.
    >>
    >> Thanks
    >> Jim

    >
    >
    > How does this differ from your "normal" traffic? Are you being slash
    > dot'd? There are a few ways to block these sorts of things - one would be
    > tcpd (if applicable - but probably/hopefully not) and the other is
    > iptables. iptables is how I do it, by either a whole-encompassing rule to
    > limit hits, or by specifically targeting excessive IP's/IP ranges. There
    > are many scripts on the web for this kind of thing. The better ones
    > basically figure out what is not normal and block that IP for a configured
    > time. They then undo the entry. Search around and you will find.
    >
    > JR.
    >
    >
    > --
    >
    > Bill will have to take Linux from my cold, dead flippers.
    >
    > -Tux.


    Well I did try to block all of the ip's. The first time around it grabbed
    3700 ip's. An hour later it grabbed some 500 more. I dont think that
    Iptables is the solution (Imho). Too many ip's will cause the server to slow
    and I cannot have that.

    Now I am starting to see some hits from Orkut (googles social networking
    site).

    200.101.102.50 - - [02/Apr/2008:19:34:46 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.orkut.com/AlbumZoom.aspx?uid=11082738752248165644&pid=1204392452629&aid=1199816159"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    200.101.102.50 - - [02/Apr/2008:19:34:47 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.orkut.com/AlbumZoom.aspx?uid=11082738752248165644&pid=1204392452629&aid=1199816159"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    200.6.107.166 - - [02/Apr/2008:19:34:47 -0500] "GET /?32175 HTTP/1.1" 302 -
    "-" "Mozilla/5.0 (Macintosh; HF1; PPC Mac OS X; en-US) AppleWebKit/51Z.5
    (KHTML, like Geco, Safari) OmniWeb/v852.OQ"
    200.101.102.50 - - [02/Apr/2008:19:34:47 -0500] "GET /?f=* HTTP/1.1" 302 -
    "http://www.orkut.com/AlbumZoom.aspx?uid=11082738752248165644&pid=1204392452629&aid=1199816159"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    I am not sure if I am being slash dot'd (Infact not even sure what that
    means). I have tried using mod rewrite rules in apache to stop this (no luck
    and I commented it out).

    #
    #RewriteEngine on
    #RewriteCond %{QUERY_STRING} ^32175$
    #RewriteRule ^/$ /tmp/blank.html [L]
    #RewriteRule ^/$ /dev/null [L]
    #

    # RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5.0 (Macintosh;
    # RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L,E=nolog:1]

    Jim



+ Reply to Thread