Date: Wed, 16 Oct 2002 07:45:53 -0700 (PDT)
From: "Andre Hall" <ahall@pcgameauthority.com>
To: "Arkadi Kosmynin" <ank@ozinsight.com>, "Andre Hall" <ahall@pcgameauthority.com>, <freebsd-isp@FreeBSD.ORG>
Subject: Re: An attack? Does it happen to anybody else?
Message-ID: <200210161445.g9GEjrlE047080@inetworx.pcgameauthority.com>

http://www.ozinsight.com/download/index.php

I don't know what the motive of these individuals is but they are
downloading a file publicly available. Another issue may be that they are
using your site as a link from another site. Not highly likely but
possible. If you want to stop the downloads just block those IPs access.

> I wish it were so. Ozway is software for ISPs only, not for home use. Even
> though it is freeware, it is hard to imagine that suddenly almost 200 copies
> were downloaded by 200 ISPs via the same IP address.
>
>
> ----- Original Message -----
> From: "Andre Hall" <ahall@pcgameauthority.com>
> To: "Arkadi Kosmynin" <ank@ozinsight.com>; <freebsd-isp@FreeBSD.ORG>
> Sent: Wednesday, October 16, 2002 1:37 AM
> Subject: Re: An attack? Does it happen to anybody else?
>
>
> > What they are downloading seems to be publicly available on your
> > site. I searched Google for Ozway-401 and I was directed to your web
> > site where I found this:
> >
> >
> > Product Name OzWay - Binary Enhanced Web Gateway
> > Great Introduction to the Usenet
> >
> > Download Files ozway-401.tar.gz
> > File Size : 771.66Kb
> > Version : 4.01
> > Release Date: 11th Oct 2002
> >
> > Other Files manual.php
> >
> > System Requirements
> > FreeBSD 4.6.
> > Linux RedHat 7.3.
> > Windows NT/2000/XP.
> >
> > Appears to be just a group of people who like your software.
> >
> >
> > > Thanks Benjamin,
> > >
> > >
> > > Sorry about neglecting to provide more complete information. It was HTTP.
> > > The content is publicly available. All requests were like this:
> > >
> > >
> > > 212.160.201.118 - - [12/Oct/2002:05:09:07 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
> > >
> > > 213.17.138.154 - - [12/Oct/2002:05:09:13 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1339080
> > >
> > > 195.210.137.130 - - [14/Oct/2002:08:09:22 -0500] "GET /download/ozway/ozway-401.tar.gz HTTP/1.0" 200 119838
> > >
> > > I don't think this is an attack, really. Looks more like a virus or a broken
> > > automatic downloader of some kind. This is why I would like to know if it
> > > happened to anyone else. And the hosts don't seem to be closely related. Two
> > > are from Poland and one from Russia.
> > >
> > > I ignored the first two incidents, but now it seems to be a tendency...
> > >
> > > Arkadi.
> > >
> > > ----- Original Message -----
> > > From: "Benjamin Krueger" <benjamin@seattlefenix.net>
> > > To: "Arkadi Kosmynin" <ank@ozinsight.com>
> > > Cc: <freebsd-isp@FreeBSD.ORG>
> > > Sent: Tuesday, October 15, 2002 9:02 PM
> > > Subject: Re: An attack? Does it happen to anybody else?
> > >
> > >
> > > > * Arkadi Kosmynin (ank@ozinsight.com) [021015 03:21]:
> > > > > Hi,
> > > > >
> > > > >
> > > > > There were 3 incidents of high volume downloading from our site during the
> > > > > past week. I can't understand what is going on and would appreciate any info
> > > > > on the issue.
> > > > >
> > > > > I checked our logs:
> > > > >
> > > > > Folks from 195.210.137.130 downloaded ~140MB of the same file.
> > > > > Folks from 212.160.201.118 ~ 350MB.
> > > > > Folks from 213.17.138.154 ~ 590MB.
> > > > >
> > > > > This hurts us. What can I do about it?
> > > > >
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Arkadi.
> > > >
> > > > You neglect to mention what service (ftp, http?) this is affecting, what they
> > > > were downloading, and whether the content is publicly available. Personally, I
> > > > never recommend that one assume every painful action on the internet is malicious.
> > > > Often folks end up acting hostile in return, only to find that the problem was
> > > > simply misconfigured software or a misguided server administrator.
> > > >
> > > > If it hurts, stop it. Block the hosts at the firewall, contact the administrator
> > > > of those machines or that network space, remove or move the files, use tcp wrappers
> > > > to lock them out, implement rate limiting, hide the content behind a username and
> > > > password, or cry. All are reasonable options, and all but one are productive.
> > > >
> > > > --
> > > > Benjamin Krueger
> > > > ----------------------------------------------------------------
> > > > Send mail w/ subject 'send public key' or query for (0x251A4B18)
> > > > Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-isp" in the body of the message
> >
> > --
> > NeoMail - Webmail that doesn't suck... as much.
> > http://neomail.sourceforge.net
>

--
NeoMail - Webmail that doesn't suck... as much.
http://neomail.sourceforge.net