From owner-freebsd-security Mon May 24 6:44:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from urca.domain.com.br (urca.domain.com.br [200.196.128.8])
    by hub.freebsd.org (Postfix) with ESMTP id 0631714EBC
    for ; Mon, 24 May 1999 06:44:39 -0700 (PDT)
    (envelope-from jfassad@domain.com.br)
X-Internal-ID: 374461ED0001709E
Received: from domain.com.br (200.196.128.253) by urca.domain.com.br (NPlex 2.0.123)
    for freebsd-security@FreeBSD.ORG; Mon, 24 May 1999 10:37:38 -0300
Message-ID: <37492DE5.2822267@domain.com.br>
Date: Mon, 24 May 1999 10:45:57 +0000
From: Joao Assad
X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 3.2-STABLE i386)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <4.2.0.37.19990523191423.04639500@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:

> At 06:11 PM 5/23/99 -0700, David Babler wrote:
>
> >hey get it, and ignore it. They're just sucking up all files they see,
> >since, as I said, I have webpoison installed. Webpoison is intended to
> >befuddle brain-dead spam address harvesters by generating an infinite
> >number of "interesting" pseudo-random web pages containing what look like
> >more links (more webpoison pages) and email addresses (all bogus). The
> >links on the page are invisible to humans and included in the robots.txt
> >file, so legitimate robots never should go there. Our imagelock.com
> >friends spent a LONG time there.
>
> Dave, could you write the people at noc@above.net and abuse@above.net
> and tell them that? Ignoring the robots.txt file amounts to unauthorized
> access -- big time. That's serious Web abuse.
>
> The Webmasters on this list may want to look over their logs to see
> if they've been hit and not known it. grep your logs for imagelock.com;
> if you find that they're abusing your server, you may want to firewall
> them out and complain to ABOVE.NET.

Damn they scanned all my servers, I didn't check before because I thought
they wouldn't be interested in a .br server....

Seems like they got here coming through our tucows mirror and once they got
in our network they started scanning all our servers.

In my logs I see a 10 secs interval between each request.

Cheers
Joao Assad
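
Added example, not part of the original message or of webpoison: the log check suggested in this thread, generalized from grepping for one hostname to flagging any client that fetches paths robots.txt disallows, together with its request interval. The robots.txt content, hostnames, paths and timestamps are constructed sample data, and the log is assumed to be in Common Log Format with resolved hostnames.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data: robots.txt, hostnames, paths and timestamps are illustrative.
ROBOTS_TXT = """\
User-agent: *
Disallow: /poison/
"""

ACCESS_LOG = """\
crawler1.scanner.example - - [24/May/1999:10:00:00 -0300] "GET /index.html HTTP/1.0" 200 2048
crawler1.scanner.example - - [24/May/1999:10:00:10 -0300] "GET /poison/a1.html HTTP/1.0" 200 512
crawler1.scanner.example - - [24/May/1999:10:00:20 -0300] "GET /poison/b7.html HTTP/1.0" 200 512
crawler1.scanner.example - - [24/May/1999:10:00:30 -0300] "GET /poison/c3.html HTTP/1.0" 200 512
goodbot.search.example - - [24/May/1999:10:01:05 -0300] "GET /index.html HTTP/1.0" 200 2048
user.dialup.example - - [24/May/1999:10:02:00 -0300] "GET /pub/tucows/ HTTP/1.0" 200 4096
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')

def disallowed_prefixes(robots_txt):
    """Collect Disallow prefixes from the 'User-agent: *' group only."""
    prefixes, in_star = [], False
    for raw in robots_txt.splitlines():
        # Drop trailing comments, then split "Field: value".
        key, _, value = map(str.strip, raw.split("#", 1)[0].partition(":"))
        if key.lower() == "user-agent":
            in_star = (value == "*")
        elif key.lower() == "disallow" and in_star and value:
            prefixes.append(value)
    return prefixes

def robots_violators(log_text, prefixes):
    """Map each client that fetched a disallowed path to
    (disallowed hits, median gap in seconds between all of its requests)."""
    times, hits = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        host, stamp, path = m.groups()
        times[host].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
        if any(path.startswith(p) for p in prefixes):
            hits[host] += 1
    report = {}
    for host, n in hits.items():
        ts = sorted(times[host])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        report[host] = (n, median(gaps) if gaps else None)
    return report
```

A steady median gap, like the 10-second spacing reported above, combined with hits on disallowed paths is a usable signature for a firewall rule or an abuse report.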