I've been puzzeled with this for a day now, a ton of unusual packets hitting the server, all coming from public proxies (I googled a few ips), and TOR.
All carrying this message which I found by logging all POST data - access logs near end of post:
are%3Dyou%26prepared%3Dfor%26z3r0_d32tr0y3r%3Dv1%26imustdestroy%3D1
Which is (without URL encoding):
are=you&prepared=for&z3r0_d32tr0y3r=v1&imustdestroy=1
Which I can translate easily to:
Are you prepared for z3r0_d32tr0y3r v1 imustdestroy 1
And that's sent over POST. The attack isn't making the server become offline, but it's causing the occasional drop.
Suspect Traffic:
5.79.68.161 - - [28/Mar/2015:08:25:00 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+" 5.79.68.161 - - [28/Mar/2015:08:25:03 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 85.214.98.239 - - [28/Mar/2015:08:25:05 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 85.214.98.239 - - [28/Mar/2015:08:25:07 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)" 85.214.98.239 - - [28/Mar/2015:08:25:09 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" 85.214.98.239 - - [28/Mar/2015:08:25:10 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" 85.214.98.239 - - [28/Mar/2015:08:25:12 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" 85.214.98.239 - - [28/Mar/2015:08:25:14 -0400] "POST / HTTP/1.1" 200 14658 "-" "Opera/12.02 (Android 4.1; Linux; Opera Mobi/ADR-1111101157; U; en-US) Presto/2.9.201 Version/12.02"
91.213.8.236 - - [28/Mar/2015:08:24:34 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 188.226.139.158 - - [28/Mar/2015:08:24:34 -0400] "GET / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)" 194.150.168.79 - - [28/Mar/2015:08:24:37 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" 194.150.168.79 - - [28/Mar/2015:08:24:40 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" 194.150.168.79 - - [28/Mar/2015:08:24:44 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 176.126.252.12 - - [28/Mar/2015:08:24:46 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+" 176.126.252.12 - - [28/Mar/2015:08:24:48 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" 176.126.252.12 - - [28/Mar/2015:08:24:50 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" 176.126.252.12 - - [28/Mar/2015:08:24:52 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)" 176.126.252.12 - - [28/Mar/2015:08:24:54 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 1.00)"
One IP lookup:
IP: 176.126.252.12 Decimal: 2961112076 Hostname: aurora.enn.lu ISP: Alistar Security Srl Organization: Alistar Security Srl Services: Confirmed proxy server
Any idea what's going on and how to drop the requests without dropping actual users? Never seen this before. It's causing downtime on my server.
http://ift.tt/1dvHQ0Z
0 comments:
Post a Comment