[Gllug] Coordinated attacks ... how?

Richard Jones rich at annexia.org
Thu May 13 09:16:07 UTC 2004


I keep getting these coordinated script attacks on one site.  Example
logs below.

In this case, the attack is a lame attempt to exploit mailback forms,
which I've stopped by adding some simple code to reject agents which
don't send any User-Agent header.

But why do these attacks come in groups from different IP addresses?
I could understand one machine, or perhaps one infected bot sitting
there at a single IP address trying to submit forms.  But this attack
is 8 requests in a short space of time from 5 widely different IP
addresses.  How is this?  Is there some sort of coordinated botnet at
work here?  [And if they go to this much trouble, why can't they write
an exploit script which isn't trivially defeated??]

Is there a blacklist of infected IP addresses that I can use?

Rich.

65.216.116.181 - - [13/May/2004:09:45:57 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 65.216.116.181.267991084437956333
130.94.20.32 - - [13/May/2004:09:46:00 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 130.94.20.32.270381084437959467
207.8.131.172 - - [13/May/2004:09:46:03 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.8.131.172.269811084437962638
65.216.116.181 - - [13/May/2004:09:46:17 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 65.216.116.181.267971084437977564
130.94.20.32 - - [13/May/2004:09:46:19 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 130.94.20.32.267981084437979267
207.8.131.172 - - [13/May/2004:09:46:20 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.8.131.172.26852108443798085
209.35.187.115 - - [13/May/2004:09:46:27 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 209.35.187.115.270391084437986998
207.241.152.39 - - [13/May/2004:09:46:35 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.241.152.39.268511084437995356

-- 
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
'There is a joke about American engineers and French engineers. The
American team brings a prototype to the French team. The French team's
response is: "Well, it works fine in practice; but how will it hold up
in theory?"'
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
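As an added illustration (not code from the original post), the following Python parses the Apache combined-format lines Rich quoted and flags the pattern he describes: a burst of POSTs to one path, all with a blank User-Agent, from several distinct source addresses within a short window. The window and count thresholds are assumptions chosen to fit this sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight access-log lines quoted in the post (Apache
# "combined" format plus a trailing per-request token the server appended).
SAMPLE_LOG = """\
65.216.116.181 - - [13/May/2004:09:45:57 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 65.216.116.181.267991084437956333
130.94.20.32 - - [13/May/2004:09:46:00 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 130.94.20.32.270381084437959467
207.8.131.172 - - [13/May/2004:09:46:03 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.8.131.172.269811084437962638
65.216.116.181 - - [13/May/2004:09:46:17 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 65.216.116.181.267971084437977564
130.94.20.32 - - [13/May/2004:09:46:19 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 130.94.20.32.267981084437979267
207.8.131.172 - - [13/May/2004:09:46:20 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.8.131.172.26852108443798085
209.35.187.115 - - [13/May/2004:09:46:27 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.1" 500 608 "http://www.j-london.com/" "-" 209.35.187.115.270391084437986998
207.241.152.39 - - [13/May/2004:09:46:35 +0100] "POST /caml-bin/nameredirect.cmo HTTP/1.0" 500 596 "http://www.j-london.com/" "-" 207.241.152.39.268511084437995356
"""

# combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bursts(lines, window=timedelta(seconds=60), min_hits=5, min_ips=3):
    """Per target path, flag a window holding >= min_hits POSTs with a blank ("-")
    User-Agent from >= min_ips distinct addresses (assumed thresholds)."""
    by_path = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["ua"] == "-":
            by_path[rec["path"]].append(rec)
    alerts = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):  # slide the window over each start record
            span = [r for r in recs[i:] if r["time"] - first["time"] <= window]
            ips = {r["ip"] for r in span}
            if len(span) >= min_hits and len(ips) >= min_ips:
                alerts.append((path, first["time"], len(span), sorted(ips)))
                break  # one alert per path is enough
    return alerts
```

Running `find_bursts(SAMPLE_LOG.splitlines())` reports one burst of 8 requests from 5 addresses against /caml-bin/nameredirect.cmo, the same count Rich gives in the post.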