FutureQuest, Inc.
FutureQuest Community > FutureQuest Site Owners (All may read - Only Site Owners May Respond) > Questions & Suggestions
Old 08-07-2001, 02:45 PM   Postid: 51155
Javier Mosqueda
Registered User

Join Date: Dec 1998
Location: Querétaro México
Posts: 147
Annoying requests from www.hipster.net

I don't know if you've noticed, but it's been several days that such domain and other IP addresses with "under construction" sites do the same request (at least) to my domain:

63.197.168.17 - - [07/Aug/2001:05:02:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1400 "-" "-"

(as extracted from the "LOGS-WEB" folder, access.today -or before- file)

And despite the 404 error, they keep requesting on and on. I tried to send a kind suggestion -to cancel their request since I don't have such file- to those guys by e-mail to the address they give in their site, but mailer-daemon says it doesn't work.

If you don't care to be servicing such idle requests, I think it would be better to log more useful info than those useless XXXXXX or NNNNNN they send to be stored in our disks.

Is there a way to deal with such insistent requests? Perhaps ignoring those dudes with any of those many magic programs you have, like a possibly great:

IGNORE-THE-DUDE 63.197.168.17

Hope this helps.
Thanks (funny faces you've added lately!!)
__________________
Javier Mosqueda
Old 08-07-2001, 03:05 PM   Postid: 51158
 Arthur
Developer
 
Join Date: Nov 2000
Location: The Netherlands
Posts: 2,212
You're seeing "Code Red II" in action. The machine that's trying to connect is running an infected IIS server.
You can block accesses from that particular IP address by adding a line "deny from <ip address>" to a .htaccess file in your www directory. But since there are some 200,000 infected machines out there, you won't be able to block all of them. Best thing probably is to ignore it.
Old 08-07-2001, 05:29 PM   Postid: 51163
Javier Mosqueda
Registered User

Join Date: Dec 1998
Location: Querétaro México
Posts: 147
...well better but not yet...

Thanks Arthur, I went to study the Perl Modules for Deny and I learned how to stop the intruders not by the IP address, but by what they request, so my .htaccess file at www says:

SetEnvIf Request_URI "default\.ida" hipster
Deny from env=hipster

(remember "default.ida" was the requested file by all the IP addresses?)

But the result is the same as if I had created a fake default.ida with public access on zero.

The result is now worse, since not only is the silly request recorded in the access.today log, but the error log also has the report of the forbidden -and denied- access for the one requesting.

As you say, perhaps it would be better just ignoring the dude, but again, isn't it a waste of space -even if it WAS 1 byte per access- to admit a record in the log that is merely garbage and the visit of NOBODY?

The log is supposed to record normal activity, but now the statistics (consider HITS per day or WEEK) ARE LYING, 'cause that virus is seen as a normal visitor who reached our site and it's rather a stinky virus.

Ideas are welcome

__________________
Javier Mosqueda
Old 08-07-2001, 06:05 PM   Postid: 51164
 Terra
CTO FutureQuest, Inc.
 
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 7,678
I thought about blocking this at the server core, but decided against it:
1) It won't exploit our servers (Linux == harmless)
2) If I block, it will only increase the logging
3) I am not willing to take the performance hit to inspect every single request, when it only amounts to <3% of all requests the server handles...
4) 200,000K+ infected machines, that's a tad bit too much to play whack-a-mole with
5) Even though it may seem unfair, the bandwidth is still consumed by your account for the request, even if it is only 1.4k avg for the 404 response... It is what it is, and is an unwelcome side effect of having an online presence...
6) FutureQuest, Inc. will not filter or restrict the accesses to your account unless it endangers the server from overloading... The worm is an annoyance, but not really a threat to our operating status...
7) FutureQuest, Inc. is not and cannot be held responsible for whatever requests are made to your account and closely binds with #5 above...

In short, simply ignore it and overlook it for the annoyance that it is...

If we were running NT servers, then you could have been afraid, very afraid...

--
Terra
--Thousand gnats swarming you won't kill you, but will annoy the daylights out of you--
FutureQuest
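Javier's complaint above is that the worm's probes are counted as visitors, and Terra's point is that every 404 still costs bandwidth. The log filter below is an added example (not code from this thread, from FutureQuest or from Javier) that splits an Apache common-format access log into worm noise and real traffic; it assumes that log format and runs on constructed sample lines modelled on the entry quoted in the first post.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format, modelled on the entry quoted in
# the thread; the padding run is shortened here and the last line is deliberately junk.
SAMPLE_LOG = """\
63.197.168.17 - - [07/Aug/2001:05:02:17 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 1400 "-" "-"
192.0.2.10 - - [07/Aug/2001:05:03:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
63.197.168.17 - - [07/Aug/2001:05:04:44 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 1400 "-" "-"
198.51.100.7 - - [07/Aug/2001:05:05:10 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 403 291 "-" "-"
192.0.2.10 - - [07/Aug/2001:05:06:30 -0400] "GET /photos/qro.jpg HTTP/1.1" 200 84210 "-" "Mozilla/4.0"
this line is not a log entry
"""

# One common-log entry: client IP, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def is_code_red(path):
    # Both worm variants probe /default.ida behind a long X or N padding run,
    # which is what the thread's SetEnvIf rule keys on too.
    return path.lower().startswith("/default.ida")

def analyze(log_text):
    """Split a log into worm noise and real traffic so hit counts stop lying."""
    stats = {"total": 0, "unparsed": 0, "worm_hits": 0, "real_hits": 0,
             "worm_bytes": 0, "worm_ips": Counter(), "real_ips": Counter()}
    for line in filter(str.strip, log_text.splitlines()):
        m = LOG_RE.match(line)
        if m is None:
            stats["unparsed"] += 1      # count, rather than silently drop, odd lines
            continue
        stats["total"] += 1
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        if is_code_red(m["path"]):
            stats["worm_hits"] += 1
            stats["worm_bytes"] += sent     # even a 404/403 body costs bandwidth
            stats["worm_ips"][m["ip"]] += 1
        else:
            stats["real_hits"] += 1
            stats["real_ips"][m["ip"]] += 1
    return stats

if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(f"real hits: {s['real_hits']}, worm hits: {s['worm_hits']} "
          f"({s['worm_bytes']} bytes served to the worm)")
    print("worm sources:", s["worm_ips"].most_common())
```

Feeding the real access.today file in place of SAMPLE_LOG gives per-day hit counts with the worm removed, plus the list of probing hosts and the bytes they cost.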
Old 08-07-2001, 07:25 PM   Postid: 51166
Javier Mosqueda
Registered User

Join Date: Dec 1998
Location: Querétaro México
Posts: 147
Good

I love your replies, 'cause they are sharp and to the point (and there are no more doubts left as well)

Thanks

By the way, what is the little picture under your name?
__________________
Javier Mosqueda
Old 08-07-2001, 09:12 PM   Postid: 51169
Aaron O'Neil
Site Owner

Join Date: Oct 2000
Posts: 78
Re: Good

Quote:
Originally posted by Javier Mosqueda:
By the way, what is the little picture under your name?
That's a shadow ship from Babylon 5.

Aaron
Old 08-08-2001, 03:57 AM   Postid: 51184
 Arthur
Developer
 
Join Date: Nov 2000
Location: The Netherlands
Posts: 2,212
Terra, can't you do something on router level to filter the traffic out? On Cisco routers you can; instructions or the official page from Cisco.
It's getting a bit annoying, over 70 requests a day from CRII and a couple from the original CR.
Old 08-08-2001, 11:06 AM   Postid: 51194
 Terra
CTO FutureQuest, Inc.
 
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 7,678
Currently, heading this off at the router is not a possibility due to technical restrictions and filtering policies dictated by our facility...

We surely hope to remedy this limitation one day...

--
Terra
--my hands are sort of tied at the border--
FutureQuest
Old 08-08-2001, 04:21 PM   Postid: 51229
zmax
Registered User

Join Date: Nov 1999
Location: Salt Lake City, UT USA
Posts: 404
Quote:
By the way, what is the little picture under your name?
Shadows!
See also: http://www.midwinter.com/lurk/

The shadows are a race of beings vast and timeless and as old as the universe itself who used to walk among the stars like giants. Of all the Old Ones, they are the oldest.

Or something like that.

My favorite is the big electric lettuce head saucer thingie.
(Another "Old Race". . . )

David
Old 08-10-2001, 10:17 PM   Postid: 51321
sheila
Site Owner
 
Join Date: Aug 1999
Location: Metro Los Angeles Area
Posts: 7,398
Python helps defeat Code Red

From the Python Tutor list article archived here: http://mail.python.org/mailman/listinfo/tutor
Quote:
> Below is a post I clipped from the Twin Cities Linux Users Group.
>
> Looks like Python works very well for short hacks like that other language
> that begins with a "p" also.
>
> <snip>This is up on #debian's info bot:
> http://www.stone.nu/projects/python_...red_warn.py.gz
>
> The script goes through your access.log, finds the ip from any default.ida
> requests, and then sends a http request to the hacked box, forcing
> root.exe to start a browser on the users system that directs them to a
> warning page.
>
> It's neat. Not legal I'm sure, but neat nonetheless.
> </snip>
A reply to that article observes:
Quote:
On Fri, Aug 10, 2001 at 12:35:36PM -0500, Ryan Ware wrote:
| > Below is a post I clipped from the Twin Cities Linux Users Group.
| >
| > Looks like Python works very well for short hacks like that other language
| > that begins with a "p" also.

Cool. I've only seen perl examples so far. What interests me is the
possibility of determining the requestor's IP address from within a CGI
script. Call the CGI script /default.ida and it will be the infected
system's fault that they ran the script :-). You can claim that you
are generating the web page by "screen scraping" another web page (at
<ip>/scripts/root.exe of course).
So, in summary, one way to deal with this is to put up a CGI script on your site named /default.ida that opens a web browser at the IP address that is requesting that file and sends them a warning.

What do you think of that idea?

(Personally, I haven't been affected by it...I can't believe I'm admitting it...I hope it doesn't come back to bite me...so I have no interest in trying it out, but since others asked and I happened across it while reading a mailing list...I'm sharing.)
__________________
sheila
http://www.thinkspot.net/sheilaruns/