Weird requests ins-1.dat, ins-2.dat, ins-3.dat, etc.

#1 Stou Sandalski, 05-01-2007

Hi,

The default access log on my apache server is being filled up with
requests for files: ins-1.dat, ins-2.dat, ins-3.dat, ins-4.dat,
ins-5.dat, bkna.dat. There are about 2-5 requests a second, from many,
many different IP addresses from all over the world. It's been going on
for months... the log files were gigabytes in size.

I am not sure if this is some sort of DoS attack or what (each IP does
the same request many times), but I can't find any information on
these files anywhere on the internet. It's pretty obvious that it's
some kind of a bot-net... I tried configuring fail2ban to parse the
log file and ban the IPs but I guess I never got the regex right =/

Any ideas on what the point in this is? What's the best course of
action?

Stou

#2 Stou Sandalski, 05-02-2007

Well, I installed mod_security and fail2ban and using the stuff here:
http://www.oscarm.org/news/detail/18...pammer_bouncer

I finally (after about 4 hours of trying to install python and other
stuff on SL4) got it working. It's so nice to see the ban msgs being
scrolled through the screen. Now if I can just find a DShield script
to report this to abuse e-mails.

Oh and the FileMatch trick caused the server to eventually run out of
connections (I think due to the keep alive) and sit there waiting to
time-out.

Stou

On May 1, 6:57 am, Davide Bianchi <davideyeahs...@onlyforfun.net>
wrote:
> On 2007-05-01, Stou Sandalski <stou.sandal...@gmail.com> wrote:
>
> > The default access log on my apache server is being filled up with
> > requests for files: ins-1.dat, ins-2.dat, ins-3.dat, ins-4.dat,
>
> The only reference I could find was on a Taiwanese system, so I guess it is
> some kind of worm/virus...
>
> > Any ideas on what the point in this is? What's the best course of
> > action?
>
> First of all deny those kinds of requests using the <FileMatch>
> directive, then use conditional logging to not log those entries.
> If you can, notify the administrators of the networks involved that some
> machines in their network are contaminated by viruses.
>
> Davide
>
> --
> 404 is hexadecimal for "fuck off".
> -- Alan Rosenthal
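Added example, not part of the original posts: a Python sketch of the log-matching step that the first post tried to get fail2ban to do, run over access-log lines to list the hosts that would be banned. The regex, the `maxretry` and `findtime` thresholds (named after fail2ban's options of the same name) and the sample log lines are constructed assumptions, not the poster's configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line requesting ins-<N>.dat or bkna.dat (the file
# names from the thread) at any path depth, with an optional query string.
PROBE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD|POST) (?:\S*/)?(?:ins-\d+|bkna)\.dat(?:\?\S*)? HTTP/[\d.]+"'
)

# Constructed sample lines using documentation-range IP addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2007:06:50:01 +0200] "GET /ins-1.dat HTTP/1.1" 404 208
192.0.2.10 - - [01/May/2007:06:50:02 +0200] "GET /ins-2.dat HTTP/1.1" 404 208
198.51.100.7 - - [01/May/2007:06:50:02 +0200] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [01/May/2007:06:50:03 +0200] "GET /docs/pins-1.dat.html HTTP/1.1" 200 512
192.0.2.10 - - [01/May/2007:06:50:03 +0200] "GET /bkna.dat HTTP/1.1" 404 208
203.0.113.5 - - [01/May/2007:06:50:04 +0200] "GET /ins-3.dat HTTP/1.1" 404 208
203.0.113.5 - - [01/May/2007:06:55:04 +0200] "GET /ins-3.dat HTTP/1.1" 404 208
203.0.113.5 - - [01/May/2007:07:00:04 +0200] "GET /ins-3.dat HTTP/1.1" 404 208
"""

def ban_candidates(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Return hosts with >= maxretry matching requests inside a findtime window."""
    recent = defaultdict(deque)  # host -> timestamps of matching hits still in window
    banned = []
    for line in lines:
        m = PROBE_RE.match(line)
        if not m:
            continue  # normal traffic and look-alike paths are ignored
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > findtime:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG.splitlines()))
```

With the default thresholds only the host that sends three probes within seconds is listed; the host that repeats the request once every five minutes stays under the limit until `findtime` is widened.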



 