
Thread: Possible DDoS

  1. #1 Senior Member (Join Date: Sep 2001, Posts: 138)

    Possible DDoS

    Earlier today the gaming clan I am part of started receiving "tons" of requests for a single image. The log file on IIS looks like this:

    Code:
    2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 163.28.33.228 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 325 203
    2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 202.28.27.2 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 403 6 0 1733 372 421
    2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 200.110.16.18 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 238 843
    2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 163.28.33.228 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 325 203
    2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 80.58.8.235 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1795 365 140
    2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 200.163.234.2 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1819 352 234
    2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 80.58.3.239 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1795 369 125
    2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 198.26.118.37 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 277 62
    2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 203.124.132.125 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 403 6 0 1733 353 2718
    Basically every request was from a machine that appears to have been configured the "exact" same way (i.e. Windows XP, IE 6.0, with the .NET framework). This is just an example of the log (a snippet of it anyway, I'm sure no one wants to see the 3 meg log file since this started). So far, to resolve the issue, we have just renamed that file; however, I'm curious if anyone knows how the requests would be getting sent to the "zombie" machines (in one case the IP address that is attacking us appears to be a Cisco router, most likely a Cisco DSL modem with a machine that is doing the attacking NATed behind it). I'm guessing it is getting requests via an IRC channel. Anyone got any good ideas on tracking this down?

    Thanks in advance
    Cheeseball

  2. #2 phishphreek, AO übergeek (Join Date: Jan 2002, Posts: 4,325)
    Are they requests? Or, are you SURE that the image is being transferred?

    It might just be coming from one machine with the source IP spoofed?
    That would explain the same config on all the boxes.

    They are just changing the source IP...

    Did you deny membership lately that would make someone pissed?

    I could be completely off... but that's what comes to mind in my somewhat drunken state.

    As far as tracking it down... I'm not quite sure... I'm thinking 'web bug'... but since it seems to be spoofed... there isn't going to be much you can do.

    Hmmm... Interesting situation you have here.

  3. #3 Senior Member (Join Date: Sep 2001, Posts: 138)
    It appears that the image is actually being sent out.

    There is a possibility that this 15 year old kid we kicked out a month or so ago could be doing this. Not 100% sure on that one.

  4. #4 Senior Member (Join Date: Jul 2003, Posts: 813)
    To track this... hack one of the machines and inspect its logs

    Or if you have the kid's IP hack his computer and see what's happening, that would give more info on whether he's the one or not. But honestly it would make more sense that it's a spoofed IP, at which point there's not a lot you could do. If that's the case you would be receiving fake packets and the image should not be transferred... the machine that actually holds the IP would RST the connection because the 3-way handshake wouldn't be properly constructed.

    P.S. the part about hacking is a joke, if I need to reinforce that. If it doesn't stop try and see if his IP is anywhere in the logs, and if so, alert him [hey maybe he's an innocent zombie-carrier] or his ISP. I'm guessing he was smarter than to use his own IP but who knows?

    Also see if the domains for the requesting IPs are largely from AOL or .edu domains. Or whatever would be most popular in your/the kid's region. If so there's a large chance they are actual zombies... the last time I checked these domains were the most exploited ones by skiddies and hackers alike.

  5. #5 AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Yes, it is an attacker - but it is a single machine that is spoofing its IP address to random values to hide its identity. It seems to be the best this "lamer" could come up with to mess with you - fill your logs with crap and scare you..... I guess it worked somewhat.

    As for tracking it down.... Forget it. Put up URLScan and block the request for the image and that should stop it reaching your web logs. Your URLScan logs will get huge but you can delete them whenever you want without losing the other info you might want.

    Then go get a beer and cigarette and wait for the little turd to get bored.....

  6. #6 Senior Member (Join Date: Jul 2003, Posts: 813)
    Again, if it's a spoofed URL the image should actually leave the server because the original IP would not acknowledge the connection. Are you sure the pics left your domain?

  7. #7 Senior Member (Join Date: Sep 2001, Posts: 138)
    Yes, the picture actually left the domain. We checked the bandwidth usage (and the number of requests made to the image) and it all matched up, so yes, the image did in fact leave our domain.

    Another note, the majority of these machines were in Asia. Mainly company webservers believe it or not. They also all seem to have port 4444 filtered (maybe a trojan? which would mean someone went on IRC somewhere to tell it what to do)....

    But anyway, we are just going to use the URLScan option to fix the issue and let the guy get tired of playing around (yes, it's still doing it after a few days).
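    As an added example (not code from the thread or any poster), a small Python triage script for the IIS W3C log format shown in post #1: it groups hits per URI, counts distinct client IPs, checks whether every hit carries the same User-Agent, and sums sc-bytes, which is the check posts #4 and #7 argue over (spoofed source addresses cannot finish the TCP handshake, so they cannot pull the full image). The field order, the s-ip value and the sample lines are assumptions; the snippet carries no #Fields header.

```python
from collections import defaultdict

# Assumed field order: IIS 6 default W3C extended logging (the snippet has no
# #Fields header); adjust FIELDS if your log differs.
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
          "cs(Referer) cs-host sc-status sc-substatus sc-win32-status "
          "sc-bytes cs-bytes time-taken").split()

def parse_line(line):
    # One record as a dict; None for #-directive lines or a wrong field count.
    parts = line.strip().split(" ")
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def flood_report(lines, min_ips=3):
    """Per URI: hits, distinct client IPs, whether all hits share one
    User-Agent, and bytes sent (sc-bytes). Spoofed source IPs cannot finish
    the TCP handshake, so full-size sc-bytes means the image really left."""
    per_uri = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_uri[rec["cs-uri-stem"]].append(rec)
    report = {}
    for uri, recs in per_uri.items():
        ips = {r["c-ip"] for r in recs}
        same_ua = len({r["cs(User-Agent)"] for r in recs}) == 1
        report[uri] = {"hits": len(recs), "distinct_ips": len(ips),
                       "same_ua": same_ua,
                       "bytes_sent": sum(int(r["sc-bytes"]) for r in recs),
                       "suspicious": len(ips) >= min_ips and same_ua}
    return report

# Constructed sample in the same 21-field layout (values invented apart from
# the URI and client IPs quoted in the thread; 48211 is a made-up file size).
XP_UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705)"
IMG = "/wallpaper/wallpaper/best_Nuke_chrome.jpg"

def _line(ip, uri, ua, status, sc_bytes):
    return (f"2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 10.0.0.1 GET {uri} "
            f"- 80 - {ip} HTTP/1.0 {ua} - www.oursite.com {status} 0 0 {sc_bytes} 325 203")

SAMPLE = [
    _line("163.28.33.228", IMG, XP_UA, 200, 48211),
    _line("202.28.27.2", IMG, XP_UA, 200, 48211),
    _line("200.110.16.18", IMG, XP_UA, 200, 48211),
    _line("163.28.33.228", IMG, XP_UA, 200, 48211),  # repeated source, as in the log
    _line("192.0.2.10", "/index.html", "Mozilla/5.0+(X11;+Linux)", 200, 5120),
    _line("192.0.2.11", "/index.html", "Opera/7.50", 200, 5120),
]
```

    Run `flood_report(SAMPLE)` on a real log by passing the open file object instead of SAMPLE; a URI flagged suspicious with sc-bytes at the file size is a real flood, while near-zero sc-bytes on many hits points at spoofed sources.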

  8. #8 br_fusion, Senior Member (Join Date: Apr 2002, Posts: 167)
    Perhaps this person is using a whole lot of proxies. Maybe dumped a list to a proxychains config file. The only way to tell would be to scan those IPs, looking for common proxy ports.
