Date: Sun, 6 Jun 2004 14:07:43 +0200 From: Hasse <hasse@swedehost.com> To: freebsd-questions@freebsd.org Cc: Ian Smith <smithi@nimnet.asn.au> Subject: Re: Sending a message to another computer on the network Message-ID: <200406061407.43428.hasse@swedehost.com> In-Reply-To: <Pine.BSF.3.96.1040606153619.16400A-100000@gaia.nimnet.asn.au> References: <Pine.BSF.3.96.1040606153619.16400A-100000@gaia.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sunday 06 June 2004 08.16, Ian Smith wrote: > On Sat, 5 Jun 2004 freebsd-questions-request@freebsd.org wrote: > > I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x , > > and would like to send a message to Win-box ( on the same network, but > > not my machine ) that's filling up my httpd-access.log with junk. > > Yes, these log-bombs are a pain, making it difficult (and slow) to scan > webserver logs with, say, less .. I had to write a script run hourly to > clean these out of our main apache and several vhost logs. > > How can you be sure that they're coming from a Windows box, though? > > > The only thing I know is his IP-adress. > > Is this possible ? If it is, how. > > Or do I have to block his IP ? > > Not much use if it changes, as you say yourself later .. best just send > a few of these log entries, with your later list of times received, to > your/his ISP asking for some action to hassle the (l)user concerned. > > > The junk I receive in my log looks like this : > > ----------------- > > httpd-error.log : > > <snip> [Sat Jun 05 14:13:43 2004] [error] [client 217.209.211.183] > > request failed: URI too long (longer than 8190) > > Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder, > though I don't know which webserver/s are targetted. Some days we get > between 10-20 per day from a range of IPs in the north-east Asia region, > where it's almost never any use trying to contact the ISPs concerned. > > > ----------------- > > httpd-access.log : > > <snip> > > 217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\ > > </snip> > > and the last line ending with : > > \x90\x90\x90\x90" 414 391 "-" "-" > > ---------------- > > Them's the ones. You're in a much better position than we are to stop > these, being (at least apparently) from IPs of your own ISP. > > I'm unsure whether these are real attack attempts by some worm, or are > just designed as log bombs. Either way, they got me scriptin' .. email > me (anyone) if you could use my apache.logclean sh script. It's a bit > heavy-duty (having to stop apache briefly to clean logs) but has made > maintenance easier here, and kept log sizes down by up to 150K per day. > > Cheers, Ian > > _______________________________________________ Well, cause he was such a pain in the .. , I took the liberty to let nmap scan his IP-address and it reported the OS as Windows I've started to receive more logentries from other IP-addresses in the same range now, so it looks like it's escalating. It's now reported to the ISP. Then we will see :-) / Hasse.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406061407.43428.hasse>