Strange http query attack

Discussion in 'General Discussion' started by dannet, Apr 7, 2009.

  1. dannet

    Strange http query attack

    Hello, I'm Daniel,

    I have had a problem since yesterday on one of my servers. I'm receiving between 200 and 300 hits per second from different IPs to a non-existent path on a site. The hits are going to different cracks, films and download queries, but this site is a directory and it's not a warez or p2p site.

    The site is onemilliondirectory.com, and I have suspended it because it was using a lot of resources on the first server. Now it's being redirected to another location. I have placed some traffic trackers to determine the referer or any other useful info about the visitors, but the referer is always empty and I think that they are fake users because the statcounter tracker does not recognize the visits.

    For example, some of the hits are:
    Code:
    GET /suspended.page/?v=ABC%204%20KIDS%20Workshop%201.0.zip HTTP
    GET /suspended.page/?v=DecryptSQL%202.8.zip HTTP/1.1
    GET /suspended.page/?v=[0]%20Msn%20Live%20Messenger%20Mobile.zip
    GET /inactive.html?v=Able%20Photo%20Slide%20Show%202.2.5.5.zip
    GET /suspended.page/?v=English%20Grammar%20Worksheet%201.4.zip
    GET /inactive.html?v=Karaoke%205%2030.zip HTTP/1.1
    GET /suspended.page/?v=Nero%208%208.3.2.1.zip HTTP/1.1
    Detail of one of the visits from the cPanel Latest Visitors tool:
    Code:
    Host: 82.246.88.241
    /inactive.html?a=Knowing.2009.TS.FRENCH.XVID-PaGlop.****.[emule-island.com].avi
    	Http Code: 200 	Date: Apr 07 16:39:54 	Http Version: HTTP/1.1 	Size in Bytes: 262
    	Referer: -
    	Agent: Internet Explorer
    Does anyone know what could be happening and how to stop it? Has anyone had a similar experience?

    PS: I was checking the stats of the site and I saw this URL as a referer of one of the visits: blackhatbootcamp.com /affiliates.html. I'm not sure if it has any relation to the problem.

    Thanks in advance
    Daniel
     
    #1 dannet, Apr 7, 2009
    Last edited: Apr 9, 2009
  2. big_bull

    #2 big_bull, Apr 12, 2009
    Last edited: Apr 12, 2009
  3. dannet

    Hi big_bull, thanks for your reply. I have tried the script, but the problem is that all the requests are from different IPs.
     
  4. dalem

    Make sure you're running the APF firewall; if not, set it to APF_BAN=0 in the config file, else it will do nothing.
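
An added example, not part of the thread or of any poster's script: it measures the traffic described in the first post by request shape (empty referer plus a `v=` or `a=` value that is a file name) rather than by source address, which shows why a per-IP counter stays quiet when every hit comes from a different IP. The Apache combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed; adjust if the vhost logs differently).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
FILE_EXT = (".zip", ".avi")  # extensions seen in the requests quoted in the thread


def is_download_query(target, referer):
    """True for an empty-referer request whose v= or a= value is a file name."""
    query = parse_qs(urlsplit(target).query)
    values = query.get("v", []) + query.get("a", [])
    return referer in ("", "-") and any(v.lower().endswith(FILE_EXT) for v in values)


def summarize(lines):
    """Count signature matches overall, per source IP and per one-second timestamp."""
    per_ip, per_second = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_download_query(m["target"], m["referer"]):
            per_ip[m["ip"]] += 1
            per_second[m["ts"]] += 1
    return {
        "matched": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "peak_per_second": max(per_second.values(), default=0),
    }


# Constructed sample lines (documentation IP ranges), modelled on the quoted requests.
_ROWS = [
    ("192.0.2.10", "16:39:54", "/suspended.page/?v=DecryptSQL%202.8.zip", "-"),
    ("198.51.100.7", "16:39:54", "/inactive.html?v=Karaoke%205%2030.zip", "-"),
    ("203.0.113.44", "16:39:54", "/suspended.page/?v=Nero%208%208.3.2.1.zip", "-"),
    ("192.0.2.99", "16:39:55", "/inactive.html?a=Sample.Film.2009.avi", "-"),
    ("203.0.113.5", "16:39:55", "/index.php?cat=12", "http://www.example.com/"),
]
SAMPLE = [
    f'{ip} - - [07/Apr/2009:{t} -0300] "GET {path} HTTP/1.1" 200 262 "{ref}" "Mozilla/4.0"'
    for ip, t, path, ref in _ROWS
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, every matching request comes from a different address, so `max_per_ip` stays at 1 while `peak_per_second` tracks the real load; a filter keyed on the request shape is what separates this traffic from normal visitors.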
     