From owner-freebsd-security Sun May 23 20: 9:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from panzer.plutotech.com (panzer.plutotech.com [206.168.67.125])
        by hub.freebsd.org (Postfix) with ESMTP id E1BFE152C4
        for ; Sun, 23 May 1999 20:09:17 -0700 (PDT)
        (envelope-from ken@panzer.plutotech.com)
Received: (from ken@localhost)
        by panzer.plutotech.com (8.9.3/8.8.5) id VAA22141;
        Sun, 23 May 1999 21:08:52 -0600 (MDT)
From: "Kenneth D. Merry"
Message-Id: <199905240308.VAA22141@panzer.plutotech.com>
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <19990523185630.A57604@ontario.mooseriver.com> from Josef Grosch at "May 23, 1999 06:56:30 pm"
To: jgrosch@MooseRiver.com
Date: Sun, 23 May 1999 21:08:52 -0600 (MDT)
Cc: root@Rigel.orionsys.com (David Babler),
        fbsd-security@ursine.com (Michael Bryan),
        freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Josef Grosch wrote...
> On Sun, May 23, 1999 at 06:11:28PM -0700, David Babler wrote:
> >
> >
> > On Sun, 23 May 1999, Michael Bryan wrote:
> > > On 5/23/99 at 1:23 PM Brett Glass wrote:
> > > >I don't know whether or not this would help. But complaining to their
> > > >ISP probably would.
> > >
> > > Or to them directly...
> > >
> > > Some things I noted about their scans in our log files:
> > >
> > > 1) They -are- requesting a robots.txt file before every scan wave.
> > >    Whether or not they utilize this, I cannot tell, as we don't have
> > >    a robots.txt file in use at this time.
> >
> > They get it, and ignore it. They're just sucking up all files they see,
> > since, as I said, I have webpoison installed. Webpoison is intended to
> > befuddle brain-dead spam address harvesters by generating an infinite
> > number of "interesting" pseudo-random web pages containing what look like
> > more links (more webpoison pages) and email addresses (all bogus). The
> > links on the page are invisible to humans and included in the robots.txt
> > file, so legitimate robots never should go there. Our imagelock.com
> > friends spent a LONG time there.
>
> Where can one find webpoison? All the web servers I run, including my
> little test server on my home machine, have been scanned by imagelock.com.

I did a search on Yahoo and came up with what seems to be the home page:

http://www.e-scrub.com/wpoison/

They've got some guidelines there for installing and using it. It looks
quite interesting.

I checked a web server I administer, and sure enough, it got hit by
imagelock.com two days ago. I may just firewall them. :)

Ken
--
Kenneth Merry
ken@plutotech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
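
The robots.txt trap described in the quoted text above, shown as an added example (not code from this thread or from wpoison): it reads the Disallow rules, scans access-log lines, and reports clients that requested disallowed paths, noting whether each had fetched robots.txt first. The `/wpoison/` trap path, the log lines, the addresses and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed robots.txt; the /wpoison/ trap path is an assumption.
ROBOTS_TXT = """\
User-agent: *
Disallow: /wpoison/
Disallow: /cgi-bin/
"""

# Constructed Common Log Format lines using documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/1999:10:00:01 -0700] "GET /robots.txt HTTP/1.0" 200 48
192.0.2.10 - - [21/May/1999:10:00:03 -0700] "GET /wpoison/a1 HTTP/1.0" 200 900
192.0.2.10 - - [21/May/1999:10:00:04 -0700] "GET /wpoison/b2 HTTP/1.0" 200 900
198.51.100.7 - - [21/May/1999:11:00:00 -0700] "GET /robots.txt HTTP/1.0" 200 48
198.51.100.7 - - [21/May/1999:11:00:01 -0700] "GET /index.html HTTP/1.0" 200 2048
203.0.113.5 - - [21/May/1999:12:00:09 -0700] "GET /wpoison/zz HTTP/1.0" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)')

def disallowed_prefixes(robots_txt):
    """Disallow prefixes from 'User-agent: *' groups (plain prefix rules only)."""
    prefixes, applies = [], False
    for raw in robots_txt.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            applies = value == "*"
        elif field == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes

def find_violators(log_text, prefixes, min_hits=2):
    """Map client -> (trap hits, fetched robots.txt before the first hit)."""
    saw_robots, hits, warned = set(), defaultdict(int), {}
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        if path == "/robots.txt":
            saw_robots.add(client)
        elif path.startswith(tuple(prefixes)):
            hits[client] += 1
            warned.setdefault(client, client in saw_robots)
    return {c: (n, warned[c]) for c, n in hits.items() if n >= min_hits}
```

A client reported with `True` read the rules and crawled the trap anyway; the `min_hits` threshold keeps a single stray request from being reported.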