From: Hasse <hasse@swedehost.com>
Organization: The Valhalla Project
To: freebsd-questions@freebsd.org
Cc: Ian Smith
Date: Sun, 6 Jun 2004 14:07:43 +0200
Subject: Re: Sending a message to another computer on the network
Message-Id: <200406061407.43428.hasse@swedehost.com>

On Sunday 06 June 2004 08.16, Ian Smith wrote:
> On Sat, 5 Jun 2004 freebsd-questions-request@freebsd.org wrote:
>
> > I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x ,
> > and would like to send a message to Win-box ( on the same network, but
> > not my machine ) that's filling up my httpd-access.log with junk.
>
> Yes, these log-bombs are a pain, making it difficult (and slow) to scan
> webserver logs with, say, less .. I had to write a script run hourly to
> clean these out of our main apache and several vhost logs.
>
> How can you be sure that they're coming from a Windows box, though?
>
> > The only thing I know is his IP-address.
> > Is this possible ? If it is, how.
> > Or do I have to block his IP ?
>
> Not much use if it changes, as you say yourself later .. best just send
> a few of these log entries, with your later list of times received, to
> your/his ISP asking for some action to hassle the (l)user concerned.
>
> > The junk I receive in my log looks like this :
> > -----------------
> > httpd-error.log :
> > [Sat Jun 05 14:13:43 2004] [error] [client 217.209.211.183]
> > request failed: URI too long (longer than 8190)
>
> Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder,
> though I don't know which webserver/s are targeted. Some days we get
> between 10-20 per day from a range of IPs in the north-east Asia region,
> where it's almost never any use trying to contact the ISPs concerned.
>
> > -----------------
> > httpd-access.log :
> >
> > 217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\
> >
> > and the last line ending with :
> > \x90\x90\x90\x90" 414 391 "-" "-"
> > ----------------
>
> Them's the ones. You're in a much better position than we are to stop
> these, being (at least apparently) from IPs of your own ISP.
>
> I'm unsure whether these are real attack attempts by some worm, or are
> just designed as log bombs. Either way, they got me scriptin' .. email
> me (anyone) if you could use my apache.logclean sh script. It's a bit
> heavy-duty (having to stop apache briefly to clean logs) but has made
> maintenance easier here, and kept log sizes down by up to 150K per day.
>
> Cheers, Ian
>
> _______________________________________________

Well, cause he was such a pain in the .. , I took the liberty to let nmap
scan his IP-address and it reported the OS as Windows.
I've started to receive more log entries from other IP-addresses in the
same range now, so it looks like it's escalating.
It's now reported to the ISP. Then we will see :-)

/ Hasse.
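As an added example (not Ian's apache.logclean script, which the thread does not include), here is a small POSIX sh filter for the access-log pattern quoted above: it flags SEARCH requests whose URI is a run of \xNN escapes that Apache answered with 414, drops them from a log, and totals them per client IP so the list can go with the ISP complaint. The sample log lines are constructed; the addresses mirror the 217.209.211.x range mentioned in the thread.

```shell
#!/bin/sh
# Added example: filter Apache access-log lines for the "SEARCH /\x90..." 414
# entries discussed in the thread. The sample lines below are constructed,
# not a real capture.

SAMPLE_LOG=$(cat <<'EOF'
217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\x90\x90\x90\x90" 414 391 "-" "-"
10.0.0.5 - - [05/Jun/2004:14:12:01 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
217.209.211.190 - - [05/Jun/2004:15:02:17 +0200] "SEARCH /\x90\x90\x90\x90" 414 391 "-" "-"
217.209.211.183 - - [05/Jun/2004:16:40:09 +0200] "SEARCH /\x90\x90\x90" 414 391 "-" "-"
EOF
)

# ERE for the log-bomb signature: a SEARCH request whose URI is a run of
# \xNN escapes (how Apache renders raw bytes) answered with status 414.
BOMB_RE='"SEARCH /(\\x[0-9a-f]{2})+[^"]*" 414 '

# is_logbomb LINE: exit 0 if the line matches the signature, 1 otherwise.
is_logbomb() {
    printf '%s\n' "$1" | grep -Eq "$BOMB_RE"
}

# clean_log: stdin -> stdout with the bomb entries removed (what an hourly
# cleaner would keep).
clean_log() {
    grep -Ev "$BOMB_RE"
}

# bomb_sources: stdin -> "count ip" per offending client, most active first,
# which is the summary to attach to the ISP report.
bomb_sources() {
    grep -E "$BOMB_RE" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# count_bombs: stdin -> number of matching lines (prints 0 when none match).
count_bombs() {
    grep -Ec "$BOMB_RE" || true
}

printf '%s\n' "$SAMPLE_LOG" | bomb_sources
```

Run clean_log over a rotated copy rather than the live file; that avoids having to stop the webserver to edit the log in place.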