Date: Sun, 6 Jun 2004 16:16:14 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Hasse <hasse@swedehost.com>
Cc: freebsd-questions@freebsd.org
Subject: Sending a message to another computer on the network
Message-ID: <Pine.BSF.3.96.1040606153619.16400A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20040605154600.949B416A4CF@hub.freebsd.org>
On Sat, 5 Jun 2004 freebsd-questions-request@freebsd.org wrote:

> I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x, and would like to
> send a message to a Win-box (on the same network, but not my machine)
> that's filling up my httpd-access.log with junk.

Yes, these log-bombs are a pain, making it difficult (and slow) to scan webserver logs with, say, less .. I had to write a script run hourly to clean these out of our main apache and several vhost logs.

How can you be sure that they're coming from a Windows box, though?

> The only thing I know is his IP address.
> Is this possible? If it is, how.
> Or do I have to block his IP?

Not much use if it changes, as you say yourself later .. best just send a few of these log entries, with your later list of times received, to your/his ISP asking for some action to hassle the (l)user concerned.

> The junk I receive in my log looks like this:
> -----------------
> httpd-error.log :
> <snip>
> [Sat Jun 05 14:13:43 2004] [error] [client 217.209.211.183] request
> failed: URI too long (longer than 8190)

Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder, though I don't know which webserver/s are targeted. Some days we get between 10-20 per day from a range of IPs in the north-east Asia region, where it's almost never any use trying to contact the ISPs concerned.

> -----------------
> httpd-access.log :
> <snip>
> 217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\
> </snip>
> and the last line ending with :
> \x90\x90\x90\x90" 414 391 "-" "-"
> ----------------

Them's the ones. You're in a much better position than we are to stop these, being (at least apparently) from IPs of your own ISP.

I'm unsure whether these are real attack attempts by some worm, or are just designed as log bombs. Either way, they got me scriptin' .. email me (anyone) if you could use my apache.logclean sh script.

It's a bit heavy-duty (having to stop apache briefly to clean logs) but has made maintenance easier here, and kept log sizes down by up to 150K per day.

Cheers, Ian
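Ian's apache.logclean script is not reproduced in the archive, so the following is an added example (mine, not Ian's or the FreeBSD project's) of the two tasks the reply describes: filtering the log-bomb entries out of an Apache access log, and producing the per-IP list of times received that Ian suggests sending to the ISP. The sample log lines are constructed, modelled on the entries Hasse quoted; the second source IP and the non-bomb requests are made up. It keys on what the thread shows: a 414 status, or a SEARCH request whose path is a run of escaped bytes. Note that Apache writes non-printable request bytes into the log as the literal four characters `\x90`, so the pattern matches that text, not a raw 0x90 byte.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common/combined log format, modelled on the
# entries quoted in the thread. The second client IP, the GET requests and the
# exact bomb length are invented for the example.
BOMB_PATH = r"\x90\x02\xb1" + r"\x90" * 40      # literal backslash-x-9-0 text, as Apache logs it
SAMPLE_ACCESS_LOG = [
    '217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /' + BOMB_PATH + '" 414 391 "-" "-"',
    '10.0.0.5 - - [05/Jun/2004:14:12:02 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '217.209.211.183 - - [05/Jun/2004:14:13:43 +0200] "SEARCH /' + BOMB_PATH + '" 414 391 "-" "-"',
    '10.0.0.9 - - [05/Jun/2004:14:15:10 +0200] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.10"',
]

# client, ident, user, [timestamp], "request", status, size ... (referer/agent optional)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The request line of the bombs in the thread: SEARCH followed by nothing but \xHH escapes.
BOMB_REQ_RE = re.compile(r'^SEARCH /(\\x[0-9a-fA-F]{2})+')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_log_bomb(line, max_request_len=8190):
    """True for the junk described in the thread: a 414 (URI too long), a SEARCH
    request whose path is only escaped bytes, or any request line longer than
    Apache's default LimitRequestLine (8190, the figure in the quoted error)."""
    rec = parse_line(line)
    if rec is None:
        return False            # unparseable lines are left alone, not silently dropped
    if rec["status"] == "414":
        return True
    if BOMB_REQ_RE.match(rec["req"]):
        return True
    return len(rec["req"]) > max_request_len


def clean_log(lines):
    """Split an access log into (kept, bombs); write `kept` back out at rotation time."""
    kept, bombs = [], []
    for line in lines:
        (bombs if is_log_bomb(line) else kept).append(line)
    return kept, bombs


def abuse_report(bombs):
    """Per-source-IP list of timestamps: the 'list of times received' to send to the ISP."""
    report = defaultdict(list)
    for line in bombs:
        rec = parse_line(line)
        report[rec["ip"]].append(rec["ts"])
    return dict(report)


if __name__ == "__main__":
    kept, bombs = clean_log(SAMPLE_ACCESS_LOG)
    print(f"kept {len(kept)} lines, removed {len(bombs)} log bombs")
    for ip, times in abuse_report(bombs).items():
        print(ip, ", ".join(times))
```

Ian stops apache before cleaning because httpd keeps the log file open and rewriting it underneath a running server loses or corrupts entries; running a filter like this over the just-rotated copy (after `newsyslog` or `apachectl graceful`) avoids the stop without changing what gets removed.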