Getting Ddos'd



Baxter
10-15-2005, 08:52 PM
I have a problem with someone dos'ing my box... it makes apache and mysql unavailable and time out... here's the logs



216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
80.58.4.42 - hp6lbu0orcha63 [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
194.109.22.148 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
80.58.51.235 - ye5ht4oazueddg [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; win9x/NT 4.90 )"
80.58.11.42 - ivlwbux8bd6czf [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
65.78.105.153 - xghwch1scq2915 [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; athome020 )"
148.244.150.52 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
196.203.63.246 - 254tmtr6mn5z5y [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; NetCaptor )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
212.117.209.116 - ewspo6b0fry1pb [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; TWRAITH )"
212.0.128.2 - 89qqbhbm8eki7n [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; athome0107 )"
65.78.105.153 - fgzalrg4ri1lda [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; NetCaptor )"
216.194.26.101 - 6orvxbilff73fw [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
66.187.104.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; NetCaptor )"
80.58.4.107 - mpe647yhywbn72 [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
212.117.209.116 - 4xtblugb47kuse [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; win9x/NT 4.90 )"
70.81.255.172 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
200.67.239.225 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
200.67.239.225 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; FREEI v2.53 )"
212.122.76.212 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; MSNIA )"
216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; Compaq )"
12.47.252.130 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
82.227.132.35 - w7celpu3nhljlj [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; Compaq )"
68.167.33.18 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; DigiExt )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; DigiExt )"
64.89.16.7 - hblvlryi1wce4h [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
64.49.50.4 - 8xvbechiqe7vec [15/Oct/2005:23:44:51 -0400] "HEAD http://www.*************.com/index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; NetCaptor )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; NetCaptor )"
80.58.9.237 - xhat470yi3jgv2 [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
80.58.4.107 - zo4gz91pxcd6nh [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; Compaq )"
212.5.203.224 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; NetCaptor )"
217.19.87.67 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
216.168.230.197 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
202.78.224.17 - jlrrk8m26m1ux8 [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; TWRAITH )"
80.58.15.170 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
68.213.5.30 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
212.122.76.212 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
216.199.217.156 - qttxli2clv2v9h [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
61.11.120.213 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
128.107.253.44 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; DigiExt )"
216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
82.227.132.35 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
218.189.222.222 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; win9x/NT 4.90 )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; NetCaptor )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; MSNIA )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
216.168.230.197 - jlrrk8m26m1ux8 [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
66.187.104.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; MSNIA )"
211.76.97.247 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; Compaq )"
211.76.97.246 - nxs2jgnonk6rlq [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; athome0107 )"
211.76.97.246 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
212.60.64.245 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; win9x/NT 4.90 )"
222.35.11.126 - y7iyobnjyoirsz [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
221.212.177.97 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
221.10.124.34 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
221.212.177.97 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; TWRAITH )"
81.50.135.12 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; ezn IE )"
212.60.64.245 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
212.60.64.245 - etlr9miobaodk7 [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; ezn IE )"
68.213.5.30 - naciswiws9uphn [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
66.30.8.92 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; ezn IE )"
61.155.100.58 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; NetCaptor )"
63.74.149.243 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
63.74.149.243 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; MSNIA )"
61.49.3.254 - 68m8lid9tjychi [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; MSNIA )"
221.10.55.202 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
64.89.16.7 - 11355agt1ndqz5 [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; win9x/NT 4.90 )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; TWRAITH )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
64.89.16.7 - c1g4b3jhf8vgt9 [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; athome020 )"
212.147.19.128 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; TWRAITH )"
61.145.126.114 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; NetCaptor )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
64.49.50.4 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD http://www.*************.com/index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; win9x/NT 4.90 )"
61.3.218.132 - 6hjn4yc0ekjtqf [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; win9x/NT 4.90 )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; TWRAITH )"
62.248.110.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; ezn IE )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; win9x/NT 4.90 )"
61.155.100.58 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; ezn IE )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; ezn IE )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; MSNIA )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
202.28.27.3 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; MSNIA )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
221.226.95.80 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
211.76.97.250 - nxs2jgnonk6rlq [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
200.162.68.133 - 11355agt1ndqz5 [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
200.162.68.133 - oufzxla1v22goe [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; athome0107 )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
211.76.97.246 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; TWRAITH )"
64.89.16.7 - vrcl4zbmjzc3xi [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
61.222.129.20 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; MSNIA )"

Any ideas?

hostpc.com
10-15-2005, 09:02 PM
APF firewall has a nice Anti-DOS routine built in - what are you using for a firewall?

Baxter
10-15-2005, 09:17 PM
I'm using apf with antidos enabled... I'm not sure if the settings I have are sufficient, or if it would even catch this type of attack

here's the config.antidos



#
# antidos beta 0.6 [antidos@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico please start it with the -w switch.
# (e.g: pico -w filename)
#
##
# [Main Configuration]
##

# Installation base path of apf
APF_BASE="/etc/apf"

# Config file path for apf
APF_CNF="$APF_BASE/conf.apf"

# Installation path
INSTALL_PATH="$APF_BASE/ad"

# Log file for antidos
ANTILOG="/var/log/apfados_log"

# Max load; do not allow antidos to run passed this load level
MLOAD="30"

##
# [Attack Triggers & Routines]
##

# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"

# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"

# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="1"

# Kernel log file
KLOG="/var/log/messages"

# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"

LN="200"

# Trigger value before we drop an event SRC
TRIG="24"

# Trigger value before we drop syn-floods for SRC
SF_TRIG="20"
#
# Trigger ports for syn-flood; null for all
SF_TRIG_PORTS="80,443"
#
# Trigger connection types for syn-flood
SF_TY="SYN_RECV,TIME_WAIT"

##
# [Attack Filtering]
##

# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"

# Drop destination interface [0=off,1=on]
DROP_IF="0"
#
# Do not drop interface for events matching these ports;
# line seperated strings.
NCRIT_PORTS="$INSTALL_PATH/noncrit.ports"

# Block attacks with iptables [0=off,1=on]
IPT_BL="1"
#
# Were to write iptable rules too
BLOCKR="$INSTALL_PATH/ad.rules"

# Parse logs and match accesses from attackers same IP block and ban them
# [0=off,1=on]
NETBLOCK=0
#
# Match based on a /16 or /24 mask
NETBLOCK_MASK=24

##
# [E-Mail Alerts]
##

# Topic for warning emails
ARTOPIC="Urgent: Administrative issue enclosed, please read."

# Max number of emails to send
MAX_MNUM="10"

# Organization name to display on outgoing alert emails
CONAME="Idolhosting Servers"

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="1"
#
# User for alerts to be mailed to
USR="*************"

# Send out ip-whois abuse alerts upon attack [0=off,1=on]
ARIN_ALERT="0"
#
# Whois server for default queries
IPW_SRV="whois.arin.net"
#
# Return path for email alerts (reply address)
RETUSR="$USR"

##
# [Misc]
##

# Arin attack warning file
WARIN="$INSTALL_PATH/arin.msg"

# User attack warning file
WUSR="$INSTALL_PATH/usr.msg"

# Ignore file, for ignoring hosts/specific patterns
IGNORE="$INSTALL_PATH/ignore"
IGNORE_HOSTS="$INSTALL_PATH/ignore.hosts"

# Data file to track amount of emails sent
MNUM_F="$INSTALL_PATH/.mnum"

# Firewall chains keyword file
FWCHAINS="$INSTALL_PATH/chains"

# Just a temp file we can write to
TMPF="$INSTALL_PATH/.ad.swp"

# Grab the systems numeric timezone (e.g: -0500)
TMZ=`date +"%z"`

# unix time for lock tracking
UTIME=`date +"%s"`

# lock file path
LOCK="$INSTALL_PATH/lock.utime"

# lock file timeout in seconds
LOCK_TIMEOUT="300"


any suggestions?

Megalan-Robert
10-17-2005, 04:09 AM
Well I don't know how to stop apache attacks, but if you're following this in real time, how many bots can he have?

I'd say write a script that checks the apache log and automatically places the IP addresses with I-HAVE-A-KNIFE in the ban list.

That should put a stop to it I guess...
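Added example (not part of the original thread or any poster's code): one way to build the ban list suggested above from an Apache combined-format log. It goes beyond the marker match by also flagging sources that send many HEAD requests in a short window, since the posted log shows randomised usernames as well. The thresholds, the allowlist range and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined format: host ident authuser [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) [^"]*" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
MARKER = "I-HAVE-A-KNIFE"  # authuser value seen in the posted log

def parse_line(line):
    """Return (ip, user, method, timestamp), or None for lines we cannot trust."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["host"])  # rejects hostnames and junk
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, m["user"], m["method"], ts

def find_offenders(lines, allow=(), head_limit=5, window=timedelta(seconds=10)):
    """Map IP -> reason for each source to ban. Assumes lines are in time order."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)  # ip -> timestamps of HEAD requests inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, method, ts = rec
        if any(ip in net for net in allow_nets):
            continue  # never ban our own monitoring or office ranges
        if user == MARKER:
            offenders.setdefault(str(ip), "marker")
        if method == "HEAD":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= head_limit:
                offenders.setdefault(str(ip), "head-rate")
    return offenders

def _line(ip, user, sec, method="HEAD"):
    """Build one constructed log line in the same layout as the posted log."""
    return (f'{ip} - {user} [15/Oct/2005:23:44:{sec:02d} -0400] "{method} /index.php HTTP/1.0" '
            '200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"')

SAMPLE_LOG = (  # constructed sample using documentation address ranges
    [_line("192.0.2.10", MARKER, 47)]                                # marker, single hit
    + [_line("198.51.100.7", "abc123xyz", 47 + i) for i in range(5)]  # random user, 5 HEADs in 5 s
    + [_line("203.0.113.5", "-", 48, method="GET")]                   # ordinary visitor
    + [_line("203.0.113.99", MARKER, 49)]                             # inside the allowlisted range
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE_LOG, allow=["203.0.113.96/28"]).items():
        # Review the list, then add each address to the firewall deny list (with APF: apf -d <ip>).
        print(f"{ip}\t{reason}")
```

Review the output before banning: a single address may be a shared proxy carrying legitimate visitors as well.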

squirrelhost
10-17-2005, 06:26 AM
fair to say that most of these run on win 9x boxes - why not block all requests from such OS as standard?

Chrysalis
10-17-2005, 01:43 PM
if these are just get requests, dos_evasive mod might help you, as well as rate limiting syn.

there are more complex methods which are more effective but out of the scope of this post. if you end up not being able to stop it and it is a domain you can have down for a while, reroute them to localhost.