httpd-users mailing list archives

From Anders Widman <ande...@tnonline.net>
Subject Re: [users@httpd] Help: Getting HUGE number of hits from wrong sites
Date Wed, 28 Aug 2002 22:31:52 GMT
> Hi there,

> I've been monitoring my access logs for the last several days and have
> noticed that I get a HUGE number (20k+/day) of page requests for domains
> that have nothing to do with me.

> Most of the sites are pr0n related.  I've gone through the DNS records with
> dig and I can't figure out why the requests are being sent to me.

> Here's a sample line:
> stopthesanity.org 24.90.155.12 - - \
>     [28/Aug/2002:17:55:14 -0400] \
>    "GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0" \
>     404 221 "http://anonymous:nobody@nowhere.com@www.southern-\
>     charms.com/accalia/private/members.htm" \
>     "Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"

This looks like they are trying to use you as a proxy server...


> The requesting IP isn't related to anything on my or my ISPs network
> (64.83.*) and dig gives the following southern-charms.com report:

> ; <<>> DiG 8.3 <<>> southern-charms.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      southern-charms.com, type = A, class = IN

> ;; ANSWER SECTION:
> southern-charms.com.    6d15h30m39s IN A  64.159.87.117

> ;; AUTHORITY SECTION:
> southern-charms.com.    5h33m43s IN NS  NS1.CANDIDHOSTING.com.
> southern-charms.com.    5h33m43s IN NS  NS2.CANDIDHOSTING.com.

> ;; ADDITIONAL SECTION:
> NS1.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.4
> NS2.CANDIDHOSTING.com.  11h45m58s IN A  64.159.90.10

> ;; Total query time: 30 msec
> ;; FROM: discord.stopthesanity.org to SERVER: default -- 127.0.0.1
> ;; WHEN: Wed Aug 28 18:19:20 2002
> ;; MSG SIZE  sent: 37  rcvd: 135

> I've done dozens of digs on various domains.  It's not just coming from a
> single hosting company.

> If it helps, I've also run an error log report from ScanErr.  It reports
> many thousands (100k+) of proxy errors over the last month.  Could this be
> caused by a misconfigured proxy server?  Does anyone know of a way I might
> backtrack to where this is coming from?

Are you sure you are not wide open to use as a proxy from the net?
Double check your configuration files.

- Anders


> TIA.  This is really cutting into my bandwidth and since I only have a 384k
> DSL line I'd like to resolve this issue.  As a last resort I'm considering
> requesting new IPs from my ISP, but that would be *very* disruptive.  (I not
> only host my own stuff, but I do DNS and mail backup for a few other
> companies.)

> Chris
> --
> Chris <chris@stopthesanity.org>
>   Junior Birdman(TM) in training
>   http://stopthesanity.org



> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
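
The sample log line in this thread has an absolute URL for another site as its request target, which is the shape of a forward-proxy request. The following added example (not part of the original thread; the local host names and every sample line after the first are assumptions constructed here) finds such requests in a log of that layout and uses the status code to separate refused attempts from ones that need a closer look.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

LOCAL_HOSTS = {"stopthesanity.org", "www.stopthesanity.org"}  # assumed names served here
LINE_RE = re.compile(  # vhost client ident user [time] "request" status bytes ...
    r'^\S+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (client, foreign_host, verdict) for a proxy-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":        # authority-form target: host:port
        host = m["target"].rsplit(":", 1)[0].lower()
    elif "://" in m["target"]:          # absolute-form target: scheme://host/path
        try:
            host = urlsplit(m["target"]).hostname or ""
        except ValueError:              # malformed authority: report the raw target
            host = m["target"]
    else:
        return None                     # ordinary origin-form request ("/path")
    if host in local_hosts:
        return None
    # 4xx: not relayed. Else: relayed, a proxy error, or a local page for that path.
    verdict = "refused" if m["status"][0] == "4" else "check"
    return m["client"], host, verdict

def summarize(lines):
    """Count proxy-style requests per (client, foreign_host, verdict)."""
    return Counter(hit for hit in map(classify, lines) if hit)

SAMPLE = [  # first entry is the line quoted in the post; the rest are constructed
    'stopthesanity.org 24.90.155.12 - - [28/Aug/2002:17:55:14 -0400] '
    '"GET http://www.southern-charms.com/accalia/private/members.htm HTTP/1.0" 404 221 '
    '"http://anonymous:nobody@nowhere.com@www.southern-charms.com/accalia/private/members.htm" '
    '"Mozilla/4.72 ( compatible; MSIE 4.0; Windows NT5.0; DigiExt )"',
    'stopthesanity.org 192.0.2.10 - - [28/Aug/2002:17:56:01 -0400] '
    '"GET http://www.example.net/ HTTP/1.0" 200 1406 "-" "-"',
    'stopthesanity.org 192.0.2.10 - - [28/Aug/2002:17:56:09 -0400] '
    '"CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"',
    'stopthesanity.org 198.51.100.7 - - [28/Aug/2002:17:57:31 -0400] '
    '"GET http://stopthesanity.org/about.html HTTP/1.0" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(*summarize(SAMPLE).items(), sep="\n")
```

Any `check` entry is worth confirming against the mod_proxy configuration: `ProxyRequests` should be `Off` unless the server is meant to be a forward proxy, in which case access to it should be restricted.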

