Strange Apache logs - maybe DDOS?
From: Christian Schwede (cschwede@delphi-gmbh.de)
Date: 11/15/02
Date: 15 Nov 2002 09:31:30 -0000
From: Christian Schwede <cschwede@delphi-gmbh.de>
To: incidents@securityfocus.com
Hi everybody,
I have a little problem with our Apache server. This is
what my logs show me:
access_log:
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:30 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe34" 501 -
error_log:
[Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E
[Wed Nov 13 12:39:51 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?J
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?=
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?7
[Wed Nov 13 12:39:54 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?4
[Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?@
So, what the heck is trying to access my server? I
looked around on Google for spyware or worm signatures,
but none of them fits. Has anybody else seen this? It
started on Monday, 21.Oct. 2002. We already had 630.000
(in words: more than six hundred thousand!) requests of
this type. That is more than 200.000 requests a week.
I really don't know what this is, but I think it's
spyware. Can I prevent Apache from responding to these
requests? Maybe with the <FilesMatch> directive?
Please help me, tia!
Christian
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
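
A triage sketch for access_log lines of the kind quoted in the message above, added here as an example and not part of the original post: it separates well-formed HTTP requests from non-HTTP request lines and empty timeouts, then tallies the leading byte and the sending clients. The sample lines, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the access_log lines quoted in the post.
# The 192.0.2.x client addresses are placeholders, not taken from the post.
SAMPLE = r'''192.0.2.10 - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 -
192.0.2.10 - - [13/Nov/2002:12:39:28 +0100] "-" 408 -
192.0.2.10 - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 -
192.0.2.10 - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 -
192.0.2.20 - - [13/Nov/2002:12:39:30 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [13/Nov/2002:12:39:32 +0100] "\xe34" 501 -
'''

# Common Log Format: host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)$')
# A well-formed request line: METHOD target [HTTP/x.y]
HTTP_REQ = re.compile(r'^[A-Z]+ \S+( HTTP/\d\.\d)?$')
# Apache writes non-printable request bytes as \xhh escapes in the log
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def classify(request, status):
    """Return 'timeout', 'http' or 'non_http' for one logged request."""
    if request == "-" and status == 408:
        return "timeout"      # connection opened, no request line received
    if HTTP_REQ.match(request):
        return "http"
    return "non_http"         # data arrived but is not an HTTP request line

def summarize(text):
    """Count request kinds, leading bytes of non-HTTP data, and noisy clients."""
    kinds, lead, clients = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            kinds["unparsed"] += 1
            continue
        client, _ts, request, status, _size = m.groups()
        kind = classify(request, int(status))
        kinds[kind] += 1
        if kind != "http":
            clients[client] += 1
        if kind == "non_http":
            esc = ESCAPED_BYTE.match(request)
            lead[esc.group(0) if esc else request[:1]] += 1
    return kinds, lead, clients

if __name__ == "__main__":
    for name, counter in zip(("kinds", "lead bytes", "clients"), summarize(SAMPLE)):
        print(name, dict(counter))
```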