From owner-freebsd-security Fri Jun 4 22: 2:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bcgrizzly.com (bcgrizzly.com [207.34.136.10])
    by hub.freebsd.org (Postfix) with SMTP id DC3F414F88
    for ; Fri, 4 Jun 1999 22:02:57 -0700 (PDT)
    (envelope-from forger@bcgrizzly.com)
Received: (qmail 15997 invoked from network); 5 Jun 1999 04:54:58 -0000
Received: from bcgrizzly.com (forger@207.34.136.10)
    by bcgrizzly.com with SMTP; 5 Jun 1999 04:54:58 -0000
Date: Fri, 4 Jun 1999 21:54:58 -0700 (PDT)
From: Brook Miles
To: Chris
Cc: "security@FreeBSD.ORG"
Subject: Re: Net abuse/DOS with Teleport Pro ?
In-Reply-To: <199906041843.EAA08014@mail.aussie.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 5 Jun 1999, Chris wrote:

> Upon processing my logs for the past few days, I noted an anomaly with regard
> to one particular directory. I checked out the logs manually.
>
> During two periods over two days, a person using an agent that identified
> itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
> server (at a rate of roughly one per second), repeatedly asking for the same
> (or similar) rubbish URL, as such ...
>
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=D
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=A
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=M
>
> and a number of variations of this. All came from the same IP address.
>
> I have not used this software and am unaware of its abilities, but I am
> amazed that any responsible firm would distribute software that could be so
> easily abused in this way. What it is doing seems, to me, to be either a user
> doing something silly, or a bug in teleport pro (more likely the latter).
>
> Anyone seen this ?
>
> -- Chris

If you view the /Docs/ directory with a web-browser you will likely be
presented with the directory listing and automatically generated links
labeled "Name", "Last Modified" and so on above the columns...clicking on
"Name" for example links to /Docs/?N=D which will give you the same list
but sorted by name in descending order.

The websucker this person is using has put itself into a possibly infinite
loop, recursively following the links to the same page...only sorted
differently each time. Also it apparently doesn't properly understand
relative urls of the type "?N=A" as it is appending them each time instead
of replacing them. This is something the vendor should seriously consider
fixing.

Whoever is running the program should have imposed a limit on the depth of
recursive retrievals or the number of pages it would download. This is
definitely a very silly thing on the part of the user.

+---
| Brook Miles
| A spec of cosmic dust... with attitude.
+--------------------------------------
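
The loop described in the reply, as an added example (not part of the original message and not Teleport Pro's code): a constructed model of the /Docs/ index is crawled once with RFC 3986 reference resolution and once with the appending behaviour. The host name, the link list and all function names are assumptions; the page cap stands in for the download limit the reply recommends.

```python
from urllib.parse import urljoin, urlsplit

# Constructed model: every variant of the /Docs/ listing carries the same
# column-header sort links as query-only relative references. Only ?N=D is
# named in the reply; the other keys are taken from the logged URLs.
SORT_LINKS = ["?N=A", "?N=D", "?M=A", "?M=D", "?S=A", "?S=D"]
START = "http://www.example.test/Docs/"  # hypothetical host


def links_on(url):
    """Links on a fetched page; in this model any query returns the listing."""
    return SORT_LINKS if urlsplit(url).path == "/Docs/" else []


def resolve_rfc3986(base, ref):
    """Correct resolution: a query-only reference replaces the base query."""
    return urljoin(base, ref)


def resolve_appending(base, ref):
    """Behaviour described in the reply: the reference is appended instead."""
    return base + ref


def crawl(start, resolve, max_pages):
    """Breadth-first crawl with a visited set and a page cap."""
    seen, queue, fetched = {start}, [start], []
    while queue and len(fetched) < max_pages:
        url = queue.pop(0)
        fetched.append(url)
        for ref in links_on(url):
            target = resolve(url, ref)
            if target not in seen:  # dedup only helps if URLs are canonical
                seen.add(target)
                queue.append(target)
    return fetched


if __name__ == "__main__":
    good = crawl(START, resolve_rfc3986, 1000)
    bad = crawl(START, resolve_appending, 1000)
    print(len(good), "pages with correct resolution")
    print(len(bad), "pages with appending, stopped only by the cap")
    print("last URL fetched:", bad[-1])
```

With correct resolution the visited set ends the crawl after the listing and its six sorted variants; with appending every URL is new, so only the page cap stops it.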