From owner-freebsd-isp Tue Oct 15 8:37:14 2002
Date: Tue, 15 Oct 2002 08:37:53 -0700 (PDT)
Message-Id: <200210151537.g9FFbrXx043467@inetworx.pcgameauthority.com>
From: "Andre Hall"
To: "Arkadi Kosmynin"
Subject: Re: An attack? Does it happen to anybody else?
Sender: owner-freebsd-isp@FreeBSD.ORG

What they are downloading seems to be publicly available on your site. I searched Google for Ozway-401 and I was directed to your web site where I found this:

Product Name
OzWay - Binary Enhanced Web Gateway
Great Introduction to the Usenet
Download Files
ozway-401.tar.gz
File Size : 771.66Kb
Version : 4.01
Release Date: 11th Oct 2002
Other Files
manual.php
System Requirements
FreeBSD 4.6. Linux RedHat 7.3. Windows NT/2000/XP.

Appears to be just a group of people who like your software.

> Thanks Benjamin,
>
> Sorry about neglecting to provide more complete information. It was HTTP.
> The content is publicly available. All requests were like this:
>
> 212.160.201.118 - - [12/Oct/2002:05:09:07 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
>
> 213.17.138.154 - - [12/Oct/2002:05:09:13 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1339080
>
> 195.210.137.130 - - [14/Oct/2002:08:09:22 -0500] "GET /download/ozway/ozway-401.tar.gz HTTP/1.0" 200 119838
>
> I don't think this is an attack, really. Looks more like a virus or a broken
> automatic downloader of some kind. This is why I would like to know if it
> happened to anyone else. And the hosts don't seem to be closely related. Two
> are from Poland and one from Russia.
>
> I ignored the first two incidents, but now it seems to be a tendency...
>
> Arkadi.
>
> ----- Original Message -----
> From: "Benjamin Krueger"
> To: "Arkadi Kosmynin"
> Cc:
> Sent: Tuesday, October 15, 2002 9:02 PM
> Subject: Re: An attack? Does it happen to anybody else?
>
> > * Arkadi Kosmynin (ank@ozinsight.com) [021015 03:21]:
> > > Hi,
> > >
> > > There were 3 incidents of high volume downloading from our site during the
> > > past week. I can't understand what is going on and would appreciate any info
> > > on the issue.
> > >
> > > I checked our logs:
> > >
> > > Folks from 195.210.137.130 downloaded ~140MB of the same file.
> > > Folks from 212.160.201.118 ~ 350MB.
> > > Folks from 213.17.138.154 ~ 590MB.
> > >
> > > This hurts us. What can I do about it?
> > >
> > > Thanks,
> > >
> > > Arkadi.
> >
> > You neglect to mention what service (ftp, http?) this is affecting, what they
> > were downloading, and whether the content is publicly available. Personally, I
> > never recommend that one assume every painful action on the internet is malicious.
> > Often folks end up acting hostile in return, only to find that the problem was
> > simply misconfigured software or a misguided server administrator.
> >
> > If it hurts, stop it. Block the hosts at the firewall, contact the administrator
> > of those machines or that network space, remove or move the files, use tcp wrappers
> > to lock them out, implement rate limiting, hide the content behind a username and
> > password, or cry. All are reasonable options, and all but one are productive.
> >
> > --
> > Benjamin Krueger
> > ----------------------------------------------------------------
> > Send mail w/ subject 'send public key' or query for (0x251A4B18)
> > Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

--
NeoMail - Webmail that doesn't suck... as much.
http://neomail.sourceforge.net
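
The per-host totals discussed in the thread can be computed directly from Common Log Format lines like the ones quoted above. This is an added example, not part of the original messages; the function name, the byte threshold and the sample lines (constructed, with documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict

# Apache Common Log Format, as in the access-log lines quoted in the thread.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def heavy_downloaders(lines, byte_limit):
    """Map (host, path) -> (requests, bytes_sent) for pairs above byte_limit.

    heavy_downloaders and byte_limit are hypothetical names for this example.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m["method"] != "GET":
            continue  # malformed line or not a download
        if m["status"] not in ("200", "206"):
            continue  # count only responses that carried file content
        # Drop the query string so "file.zip?Cache" and "file.zip" are one file.
        path = m["target"].split("?", 1)[0]
        size = 0 if m["size"] == "-" else int(m["size"])
        entry = totals[(m["host"], path)]
        entry[0] += 1
        entry[1] += size
    return {k: tuple(v) for k, v in totals.items() if v[1] > byte_limit}

# Constructed sample: the thread's request paths, documentation-range addresses.
SAMPLE = [
    '192.0.2.10 - - [12/Oct/2002:05:09:07 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520',
    '192.0.2.10 - - [12/Oct/2002:05:09:40 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1339080',
    '192.0.2.10 - - [12/Oct/2002:05:10:02 -0500] "GET /client/ozum286.zip HTTP/1.0" 200 1757520',
    '198.51.100.7 - - [14/Oct/2002:08:09:22 -0500] "GET /download/ozway/ozway-401.tar.gz HTTP/1.0" 200 119838',
    '198.51.100.7 - - [14/Oct/2002:08:09:30 -0500] "GET /manual.php HTTP/1.0" 404 -',
    'not a log line',
]

if __name__ == "__main__":
    for (host, path), (hits, sent) in heavy_downloaders(SAMPLE, 3_000_000).items():
        print(f"{host} {path}: {hits} requests, {sent / 1e6:.1f} MB sent")
```

The hosts it reports are the input for the blocking or rate-limiting options listed in the quoted reply; set the threshold to whatever volume your link can tolerate.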