Edit: I (Károly Négyesi) closed this topic. As you can read below, this is an apache issue and has nothing to do with Drupal. There is no Drupal security issue in here.

My Drupal v4.5.2 (Fantastico installed) site is getting slammed by a bunch of odd requests from ChinaNet that I have been firewalling. They are using our Drupal site to do thousands of ad-related redirects... I can't figure out how they are even making these requests, which are 404'd by our site, but they must be doing something, because they have continued doing them tens of thousands of times. When I block their requests with my firewall, they switch IP addresses in order to continue... Here's a sample:

221.234.193.110 - - [07/May/2005:09:47:50 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98856&ip=64.126.42.31&query=Dermalogica h ttp/1.1" 404 5625 "h ttp://www.gotomai.com" "Mozilla/4.75 (compatible; Windows 95; MSIE 5.5"
221.234.193.110 - - [07/May/2005:09:49:26 -0700] "GET h ttp://ads.chitika.net/showads?client=soebay&w=468&h=60&url=h ttp://www.soebay.com/&scheme=classic&cb=865 h ttp/1.1" 404 5622 "h ttp://www.soebay.com" "Mozilla/5.0 (compatible; Windows NT 5.0; MSIE 5.5"
221.234.193.110 - - [07/May/2005:09:50:24 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98902&ip=77.61.160.136&query=Massachusetts+Real+Estate h ttp/1.1" 404 5625 "h ttp://www.ebuyposters.com" "Mozilla/4.0 (compatible; windows NT; MSIE 5.0"
221.234.193.110 - - [07/May/2005:09:50:25 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98851&ip=64.121.49.51&query=Intranet+kit h ttp/1.1" 404 5625 "h ttp://www.buycoolproducts.com" "Mozilla/5.0 (compatible; windows NT; MSIE 5.02"
221.234.193.110 - - [07/May/2005:09:51:37 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98902&ip=160.240.201.253&query=politics h ttp/1.1" 404 5625 "h ttp://www.ebuyposters.com" "Mozilla/6.0 (compatible; Windows NT 5.0; MSIE 5.0"
221.234.193.110 - - [07/May/2005:09:52:45 -0700] "GET h ttp://partner.lookquick.com/xml.look?query=currency+trading&affiliate=gotomai&ip=64.18.149.191 h ttp/1.1" 404 5623 "h ttp://www.gotomai.com" "Mozilla/6.0 (compatible; Windows 98; MSIE 5.5"

Less frequently, I am also getting some sort of calls to a proxy judge, followed by another request...

221.234.201.249 - - [06/May/2005:04:50:14 -0700] "GET h ttp://hpcgi1.nifty.com/mute/c/prxjdg.cgi h ttp/1.0" 404 5619 "-" "MSIE"
221.234.201.249 - - [06/May/2005:04:50:18 -0700] "GET h ttp://txsearch.epilot.com/getresults.aspx?aff=getmybuy&ip=1.2.3.4&keyword=Socks&source=s&r=getmybuy.com h ttp/1.1" 404 5630 "h ttp://www.getmybuy.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.234.201.249 - - [06/May/2005:04:50:35 -0700] "GET h ttp://hpcgi1.nifty.com/mute/c/prxjdg.cgi h ttp/1.0" 404 5619 "-" "MSIE"
221.234.201.249 - - [06/May/2005:04:50:46 -0700] "GET h ttp://txsearch.epilot.com/getresults.aspx?aff=y03035&ip=1.2.3.4&keyword=cb&source=s&r=carehealthstore.com h ttp/1.1" 404 5630 "h ttp://carehealthstore.com/" "Mozilla/4.76 (Macintosh; U; PPC)"
221.234.201.249 - - [06/May/2005:04:59:37 -0700] "GET h ttp://www.clickingagent.com/proxycheck.php?ip=1.2.3.4&port=80&loc=United%20States%20of%20America h ttp/1.0" 404 5616 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
221.234.201.249 - - [06/May/2005:04:59:38 -0700] "GET h ttp://ulinkjs.tom.com/ulink_02.js h ttp/1.0" 404 5613 "h ttp://55200.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.234.201.249 - - [06/May/2005:05:06:32 -0700] "GET h ttp://www.clickingagent.com/proxycheck.php?ip=1.2.3.4&port=80&loc=United%20States%20of%20America h ttp/1.0" 404 5616 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.234.201.249 - - [06/May/2005:05:06:34 -0700] "GET h ttp://ulinkjs.tom.com/ulink_12.js h ttp/1.0" 404 5613 "h ttp://www.musiccc.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

They are really whacking me with these 404's; here are some totals:

Required but not found URLs (HTTP code 404)
URL (83)    Error Hits    Referers
h ttp://partners.mygeek.com/search.jsp    24063    h ttp://www.getmybuy.com
h ttp://txsearch.epilot.com/getresults.aspx    16291    h ttp://www.getmybuy.com
h ttp://www.clickingagent.com/proxycheck.php    3010    -
h ttp://adsence.sogou.com/index.html    2420    h ttp://bbs.zwma.com/
h ttp://union.sogou.com/cpc/partner.php    1679    h ttp://www.ooone.com/
h ttp://partner.lookquick.com/xml.look    1486    h ttp://www.soebay.com
h ttp://tag.contextweb.com/TagPublish/getntag.aspx    1361    h ttp://www.soebay.com
h ttp://www.zbb.jp/unknown/cgi-bin/prxjdg.cgi    1183    -
h ttp://ads.chitika.net/showads    1062    h ttp://www.healthcarebeta.com
h ttp://hpcgi1.nifty.com/mute/c/prxjdg.cgi    832    -
h ttp://search.epilot.com/getresults.aspx    823    h ttp://www.ebupposters.com/
h ttp://feed.genieknows.com/search/search_html.jsp    678    h ttp://www.gotomai.com
h ttp://search.epilot.com/getresults.asp    565    h ttp://buycoolproduc
h ttp://www.xmlrevenue.com/xmlfeed.php    409    h ttp://www.buycoolproducts.com

All I can figure is they must be using a bug in Drupal/Fantastico's standard .htaccess file to use mod rewrite to redirect their request... I just can't figure out how... Here's the .htaccess:

# Apache/PHP/site settings:
#
# Protect files and directories from prying eyes:
<Files ~ "(\.(conf|inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$">
order deny,allow
deny from all
</Files>
# Set some options
Options -Indexes
Options +FollowSymLinks
# Customized server error messages:
ErrorDocument 404 /index.php
# Set the default handler to index.php:
DirectoryIndex index.php
# Overload PHP variables:
<IfModule mod_php4.c>
# If you are using Apache 2, you have to use <IfModule sapi_apache2.c>
# instead of <IfModule mod_php4.c>.
</IfModule>
# Various rewrite rules
<IfModule mod_rewrite.c>
RewriteEngine on
# Modify the RewriteBase if you are using Drupal in a subdirectory and the
# rewrite rules are not working properly:
#RewriteBase /drupal
# Rewrite old-style URLS of the form 'node.php?id=x':
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{QUERY_STRING} ^id=([^&]+)$
#RewriteRule node.php index.php?q=node/view/%1 [L]
# Rewrite old-style URLs of the form 'module.php?mod=x':
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{QUERY_STRING} ^mod=([^&]+)$
#RewriteRule module.php index.php?q=%1 [L]
# Rewrite URLs of the form 'index.php?q=x':
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
# $Id: .htaccess,v 1.58 2004/10/09 20:41:49 dries Exp $

As much as I've looked at this, I can't figure out how they are requesting it... I've tried duplicating their request using several different delimiters and I always see the trailing '/' and my delimiter in the log:

66.245.229.182 - - [07/May/2005:18:48:01 -0700] "GET /h ttp://partners.mygeek.com/search.jsp?partnerid=98823&ip=6.236.97.34&query=Programmable+hearing+aids h ttp/1.1" 404 5270 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 StumbleUpon/1.9995"
66.245.229.182 - - [07/May/2005:18:48:15 -0700] "GET /|h ttp://partners.mygeek.com/search.jsp?partnerid=98823&ip=6.236.97.34&query=Programmable+hearing+aids h ttp/1.1" 404 5271 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 StumbleUpon/1.9995"
66.245.229.182 - - [07/May/2005:18:48:58 -0700] "GET /?h ttp://partners.mygeek.com/search.jsp?partnerid=98823&ip=6.236.97.34&query=Programmable+hearing+aids h ttp/1.1" 200 15794 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 StumbleUpon/1.9995"
66.245.229.182 - - [07/May/2005:18:49:13 -0700] "GET /&h ttp://partners.mygeek.com/search.jsp?partnerid=98823&ip=6.236.97.34&query=Programmable+hearing+aids h ttp/1.1" 200 15794 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 StumbleUpon/1.9995"

But their requests always start with the h ttp address and no delimiter:

221.232.128.3 - - [07/May/2005:17:41:38 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98938&ip=64.126.24.8&query=Smoking+cessation+ h ttp/1.1" 404 5625 "h ttp://www.tojie.com" "Mozilla/4.0 (compatible; Windows NT 5.0; MSIE 5.5;)"
221.232.128.3 - - [07/May/2005:17:45:09 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98823&ip=6.236.97.34&query=Programmable+hearing+aids h ttp/1.1" 404 5625 "h ttp://www.cosole.com" "Mozilla/4.0 (compatible; Windows NT 5.0; MSIE 5.02;)"

My Modules Directory: (nodewords and path are enabled)
album/
_docs/
event/
fckeditor/
folksonomy/
htmlarea/
htmlcorrector/
htmltidy/
image/
nodewords/
_packager/
remindme/
_samples/
_testcases/

Any thoughts/suggestions/assistance would be appreciated!

Thanks,

Paul

(The IP of my server was changed to 1.2.3.4, all others are unchanged)

EDIT: I changed the post above from "http" to "h ttp" so they are not hyperlinks, and we are not linking to those spammers -- kbahey

Comments

chx’s picture

This has absolutely nothing to do with Drupal, and as they are getting 404s, all is well; you shall not worry. One Drupal developer got 25K spam comments in a very short period of time on his personal blog. Sad things happen.

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

eMtnMan’s picture

That was my first take, but I grew more concerned when I couldn't replicate the request myself. Since the Mod Rewrite happens AFTER the 404, there is no way (that I know of) that I can determine if they are successfully using Drupal/rewrite as a relay. If they are successful, this could be a serious exploit and well worth reviewing.

Spam comments are one thing, but these are clearly meant to simulate click-through advertising traffic and seem carefully crafted. Why would they send tens of thousands of requests and switch from server to server if they were just sending bad requests that end up in a log that nobody might ever see? If they were malicious, they could make a much bigger impact by spamming the forums.

I certainly hope you are right, but it just doesn't make any sense to me.

Thanks,

Paul

Zen’s picture

Is this a recent installation? if so, were you running some other CMS on your site before this?

-K
--------
Quillem.com

eMtnMan’s picture

> Is this a recent installation?

Less than 60 days... a new domain at a new (dedicated) IP. Very little content, closed membership, two registered users. I have several other Drupal sites as virtual domains on my primary IP and have never seen this problem in my logs before.

> if so, were you running some other CMS on your site before this?

Nope... Due to security concerns, I only allow Drupal and Mambo on my server, no nukes, no other shell users, on a reasonably secure server: RHEL3, Advanced Policy Firewall with Brute Force Detection and AntiDOS, JailShell, Mod Security, secure /tmp, rkhunter, etc...

I'd feel more comfortable about these 404's if I could replicate them... My concern is when I use a rewrite like this:
RewriteEngine On
RewriteCond %{HTTP_HOST} =www.mydomain.com [NC,OR]
RewriteCond %{HTTP_HOST} =mydomain.com [NC]
RewriteRule ^ http://www.google.com%{REQUEST_URI} [R,L]

I never see the redirect to google in my logs... I'm just trying to ensure that my Drupal sites aren't being used as a relay...

Thanks for your help.

Paul [eMtnMan]

Steven’s picture

I've seen this before, also on my own site. I think the goal is to try and appear in people's website statistics. Often these statistics are automatically regenerated and publicly available, which means they get spidered by search engines.

In any case, they are certainly not doing any sort of redirect through your site.

--
If you have a problem, please search before posting a question.

eMtnMan’s picture

> I think the goal is to try and appear in people's website statistics.

Now that's an interesting idea! A backdoor way to create links back to your website? That makes some sense... as it would increase your Google page rank. But bouncing around to numerous anon proxies in order to keep spamming me seems like a lot of trouble to spam a log file. Especially on a site that doesn't post any logs. Still "smells" like a hack to me...

> In any case, they are certainly not doing any sort of redirect through your site.

I hope not. I sent a letter to the top three click-thru targets last night: (mygeek.com, epilot.com, and sogou.com), including a copy of the logs. They have a vested interest to prevent click-thru fraud. If these links are being forwarded, hopefully they can verify that and spoil the spammers' day. Note that all these links include some form of "Partner ID" or PID, so they should be traceable.

Thanks,

Paul [eMtnMan]

Zen’s picture

I just had a look in my logs, and I get them too :/ Would it be worth it to redirect all requests for .asp/.aspx/.jsp/.cgi pages (which is what a majority of these seem to be) to a blank page or somesuch? This might increase performance and also reduce the amount of junk in the logs.

-K
--------
Quillem.com

eMtnMan’s picture

> Would it be worth it to redirect all requests for .asp/.aspx/.jsp/.cgi

I considered that, but that might also trap posts with legit referral info from search engines, so you'd have to be careful... The problem is, unless we can figure out HOW they are submitting the request, it will be difficult to combat.

Thanks,

Paul [eMtnMan]

kbahey’s picture

Spammers are the scum of the net.

Read more about referer spam on Wikipedia.
--
Consulting: 2bits.com
Personal: Baheyeldin.com

eMtnMan’s picture

These rewrite rules could be a great deal of help...

Thanks,

Paul [eMtnMan]

tonyce’s picture

A Fantastico install does not do anything other than automatically install Drupal. The Drupal install is the same as if you installed it manually. It just has a system to keep track of versions and allows for automagic updates when new versions become available.

By the way, if you tweak your site's files or themes or install 3rd party modules, Fantastico is useless for upgrades. You then have to do a lot of additional things by hand and hope Fantastico does not mess things up.

So after the first install you are on your own with upgrades if you make manual changes to Drupal (how many use Drupal without any changes to themes and additional modules?).

One other thing, Fantastico has changed its license. You now have to renew every year or the software stops functioning (even if bought under the original license). In effect you are renting the software.

All it is good for is quick and easy first time installs (especially for demo installs) and sites where no changes are made from stock installs. After that its limitations get in the way for serious work.

eMtnMan’s picture

> A Fantastico install does not do anything other than automatically install drupal.

I wasn't sure, I mentioned this in case they mucked with the .htaccess file...

> Fantastico is useless for upgrades.

So true, I recently upgraded a very busy site from 4.3 to 4.5.2 and the "upgrade" wiped all my directories, including non-Drupal image and html files. I was very glad that I was properly backed-up... Of course, any modules are manual as well. They include nothing but the most basic distro. Now I'm looking at 4.6... agrh!

> Fantastico has changed its license. You now have to renew every year

I get it for free from my ISP... I doubt that I'd pay for it, but it is handy for initial installs. I find that I still need to make a lot of tweaks though, primarily to directory permissions and binary locations. If you don't renew, Fantastico may stop working, but Drupal should continue to function as a stand-alone product...

> After that its limitations get in the way for serious work.

Agreed... the upgrade process was a major disappointment. But it DOES save a ton of time if you just want to eval a bunch of different packages or get a customer started. Warts and all, it's still a whole lot faster (and easier) than a standard install. After that, you face the same challenges as a manual install.

Have fun,

Paul [eMtnMan]

eMtnMan’s picture

Hi Again,

After beating on my log files and experimenting with .htaccess, I discovered that these were NOT all 404's; there are, in fact, thousands of successful redirects listed in my logs...

The error is mine. I first identified these redirects while I was scanning my server for another problem: trying to catch formmail.pl script kiddies. Until I tried my own .htaccess tests, I didn't realize that a redirect WOULD generate a 200 log entry. So I went back to my logs, and there they were!

Here's how this exploit seems to work... The spammer submits several requests to the adserver (i.e. mygeeks.com) and then it looks like they check the results with servers at sohu.com and/or sogou.com. Periodically they also visit a proxy judge at antz-pc-school.com, presumably to test their anon proxy. Success seems to be based on something other than IP (Partner ID?), since back to back requests from the same IP can result in a failure followed by a success.

My best guess is they are trying to work around click-thru anti-fraud systems. The success rate seems very low... after 13,491 total requests they made in the last week, of the nearly 6,000 mygeek requests, I could only count 9 mygeek successes, and a total of 2,580 successful requests to all servers.

In the following log, requests ending with "HTTP/1.1 200" are successes; here's a typical variety of 404/200 transactions from my logs:

221.234.192.172 - - [06/May/2005:16:40:18 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98793&ip=56.70.207.25&query=Broadband h ttp/1.1" 404 5625 "h ttp://www.weiming.org" "Mozilla/4.0 (compatible; Windows NT 5.0; MSIE 5.5;)"
221.232.128.3 - - [06/May/2005:16:41:18 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98967&ip=64.126.118.229&query=XBox h ttp/1.1" 404 5625 "h ttp://www.topbestshopping.com" "Mozilla/5.0 (compatible; windows NT; MSIE 5.02;)"
221.234.192.172 - - [06/May/2005:16:41:37 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98855&ip=64.70.148.127&query=Ftp+uploading h ttp/1.1" 404 5625 "h ttp://www.soebay.com" "Mozilla/5.0 (compatible; Windows 98; MSIE 6.0;)"
221.234.192.172 - - [06/May/2005:16:42:41 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98851&ip=208.193.75.124&query=graphic h ttp/1.1" 200 294 "h ttp://www.buycoolproducts.com" "Mozilla/4.75 (compatible; Windows 95; MSIE 5.5;)"
221.232.128.3 - - [06/May/2005:16:43:38 -0700] "GET h ttp://partners.mygeek.com/search.jsp?partnerid=98938&ip=64.16.33.9&query=Gay+dating h ttp/1.1" 200 294 "h ttp://www.tojie.com" "Mozilla/6.0 (compatible; Windows 98; MSIE 5.02;)"
222.208.183.2 - - [06/May/2005:16:44:23 -0700] "GET h ttp://adsence.sogou.com/index.html?pid=sxq_zh&ww=120&dc=3&dir=0&num=6&color=1&charset=gb h ttp/1.0" 200 282 "h ttp://www.xaiu.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
222.208.183.2 - - [06/May/2005:16:44:24 -0700] "GET h ttp://log.cpc.sohu.com:90/?pv.png h ttp/1.0" 200 282 "h ttp://adsence.sogou.com/index.html?pid=sxq_zh&ww=120&dc=3&dir=0&num=6&color=1&charset=gb" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
221.232.128.3 - - [06/May/2005:16:46:28 -0700] "GET h ttp://www.antz-pc-school.com/cgi-bin/test/prxjdg.cgi h ttp/1.0" 200 282 "-" "MSIE"
222.208.183.2 - - [06/May/2005:16:46:45 -0700] "GET h ttp://adsence.sogou.com/index.html?pid=eecom&ww=120&dc=3&dir=0&num=6&color=1&charset=gb h ttp/1.0" 200 282 "h ttp://www.eekn.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
222.208.183.2 - - [06/May/2005:16:46:46 -0700] "GET h ttp://log.cpc.sohu.com:90/?pv.png h ttp/1.0" 200 282 "h ttp://adsence.sogou.com/index.html?pid=eecom&ww=120&dc=3&dir=0&num=6&color=1&charset=gb" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
221.232.128.3 - - [06/May/2005:16:46:57 -0700] "GET h ttp://search.epilot.com/getresults.aspx?aff=soebay&ip=64%2E1%2E2%3E4&keyword=shredders&source=s&r=soebay.com h ttp/1.1" 200 294 "h ttp://www.soebay.com/" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
222.208.183.2 - - [06/May/2005:16:46:59 -0700] "GET h ttp://adsence.sogou.com/index.html?pid=s345&ww=120&dc=3&dir=0&num=6&color=1&charset=gb h ttp/1.0" 200 282 "h ttp://www.search345.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
222.208.183.2 - - [06/May/2005:16:47:02 -0700] "GET h ttp://log.cpc.sohu.com:90/?pv.png h ttp/1.0" 200 282 "h ttp://adsence.sogou.com/index.html?pid=s345&ww=120&dc=3&dir=0&num=6&color=1&charset=gb" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Houston, WE HAVE A PROBLEM!

Any suggestions/ideas would be appreciated!

Have fun,

Paul [eMtnMan]

EDIT: Please do not post the links as they are, change the http to "h ttp" or something so that they do not get treated as URLs by the filters, then you are linking to the spammers/exploiters unintentionally.

Tc27’s picture

Is mod_proxy enabled on your Apache? I've had similar problems with people trying to use my webserver in this manner, only it seems to be for something targeting IRC networks instead.

I'm no expert, and this is probably a silly idea produced by sleep deprivation, but if they're checking the validity of what they're doing based on making your server hit an address they're monitoring, you could tell your firewall to reject *outgoing* requests to the sites they're trying to hit, just as a temporary fix. They might give up when they see things dry up...

eMtnMan’s picture

Nope, mod_proxy isn't loaded, but it was a good idea... Thanks!

Considering the amount of effort it takes to put something like this up, I hope that everyone checks their logs today for these intrusions, as I'm sure I'm not alone. This command will search all your domain log files; you may need to change the target directory to the location of your logs:
grep "mygeek\|sogou\|sohu\|epilot\|antz" /usr/local/apache/domlogs/*

For now, my firewall has slammed this door shut... but all they need is a new proxy.

Thanks again,

Paul [eMtnMan]

eMtnMan’s picture

This just in... from the domain contact for sohu-inc.com, using mailserver at 202.106.180.6...

Thank you for your information. Sogou.com is a product of our search Engine. I think it was rebuilding automatically its acknowledgy base then. Hope it did not bother your site too much. I've forwarded your letter to our search engine R&D Dept., and they will give notice of this.

Meanwhile, I'm getting proxy probes from two new addresses:

202.106.180.62 - - [08/May/2005:03:14:44 -0700] "GET / HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.106.180.62 - - [08/May/2005:03:16:42 -0700] "GET /httx:/adsence.sogou.com/index.html?pid=guqinghong HTTP/1.1" 404 5267 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.104.28.167 - - [08/May/2005:10:01:34 -0700] "GET httx://www.antz-pc-school.com/cgi-bin/test/prxjdg.cgi HTTP/1.1" 404 5638 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
202.104.28.167 - - [08/May/2005:10:01:41 -0700] "GET httx://www.antz-pc-school.com/cgi-bin/test/prxjdg.cgi HTTP/1.1" 404 5256 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
202.104.28.167 - - [08/May/2005:10:01:43 -0700] "GET httx://www.antz-pc-school.com/cgi-bin/test/prxjdg.cgi HTTP/1.1" 404 5638 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
202.104.28.167 - - [08/May/2005:10:01:45 -0700] "GET httx://www.antz-pc-school.com/cgi-bin/test/prxjdg.cgi HTTP/1.1" 404 5256 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

whois 202.106.180.62
inetnum: 202.106.180.0 - 202.106.180.63
netname: SOHU-NEWERA-CO
descr: Beijing Sohu New Era Technology Information Co, Ltd

whois 202.104.28.167
inetnum: 202.104.28.160 - 202.104.28.175
netname: SHUNDE-YHS-STOCK
descr: SHUNDE YINHE STOCK CO.

CURRENT FIREWALL NETBLOCKS:
202.104.0.0/16
211.220.0.0/16
221.232.0.0/16
221.234.0.0/16
221.235.0.0/16
222.208.0.0/16

HERE'S INFO ON THE COMPANY:

Reuters: China's Sohu.com unleashes "search dog"
China's pre-announced new search engine by Sohu.com (Chinese for "search fox") launched, complete with a complete Chinese language portal at the address wwww.sogou.com ("search dog"). The homegrown effort hopes to compete with foreign firms Google, which partnered with domestic firm Baidu.com, and Yahoo, which runs the Yisou search site.  Sohu sells both paid listings and cost per click media. It made $2.4 million in search revenues in the second quarter of 2004.

Odd way for a major search engine to rebuild its "acknowledgy base" ... using anon proxy servers? No previous probe has been made from their netblock, most were generic ChinaNet addresses. I think I smell a dog...

Have fun,

Paul [eMtnMan]

eMtnMan’s picture

Just in case I wasn't clear:

Regardless of what the folks at sogou.com / sohu-inc.com are saying... they were NOT rebuilding anything... Just look at the logs... they are able to successfully redirect requests, apparently anywhere they wish. No matter if they are doing it as search engine spam or to build click income, the implications are very serious, as it is fraudulent use of my server and could easily be used for a DDOS attack that points back to my IP.

I strongly suspect they have found an exploit... either in apache, mod_rewrite or Drupal itself, making them able to use my website as an http relay... and my website is more secure than most. No other users are online, it passes the latest rkhunter tests, etc. Were it not for my firewall, they'd still be doing it... I "dropped my shields" for a few minutes today and they were back immediately, so they have not removed my IP from their scanning database...

I'm surprised nobody else seems concerned about the implications of this attack! Your website may be next...

Any help/suggestions would be appreciated.

Thanks,

Paul [eMtnMan]

capmex’s picture

The IP addresses are from China (202.101.213.125 and 202.101.213.8), probably public proxy servers. They are trying to hack sites. A few days ago I received some requests to a known AWSTATS security exploit. In the past some request attempts to common mail script programs have been logged on my site.

A few recent log entries:

May 8 2005 - 19:29 404 error: Upfile_SoftPic.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: img_upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: dxxobbs/upload.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: mybbs/saveup.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: upload/upload.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: diy.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: UploadSoft/diy.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: bbs/diy.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: UploadFace.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: Saveannounce_upload.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: upload_flash.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: user_upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: admin_upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: news/admin/upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: down_picupload.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: bbs/down_picupfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: bbs/down_addsoft.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: upload.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: upfile_soft.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: dvbbs/upfile.asp not found. Anonymous  details
May 8 2005 - 19:29 404 error: bbs/upfile.asp not found. Anonymous  details
May 8 2005 - 06:06 404 error: Upfile_SoftPic.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: img_upfile.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: dxxobbs/upload.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: mybbs/saveup.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: upload/upload.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: diy.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: UploadSoft/diy.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: bbs/diy.asp not found. Anonymous  details
May 8 2005 - 06:05 404 error: UploadFace.asp not found. Anonymous  details

These people have crawlers finding vulnerable sites. In your case what looks bad on your log are the 200 code responses.
--
capmex.biz Webmaster Resources Site

eMtnMan’s picture

You're right... I've been packet sniffing and was able to replicate these requests by telling Firefox (with the "Switch Proxy" extension) that my server was an anon proxy (it's not and it won't). I didn't get relayed... but I was finally able to generate the same log entries... You can easily see if someone is doing this on your server by using this grep command:
grep -iR 'get http' /usr/local/apache/domlogs/*
(change the directory to your log location)

More to follow... as I'm still working out the 200 message details. But it does not appear that anything actually gets past the illegal proxy.

This is clearly an Apache issue, not Drupal's... so that's good news... How to get rid of them is another issue...

Have fun,

Paul [eMtnMan]

eMtnMan’s picture

What I found is, if file x.html exists on YOUR server, and they try to proxy through you to somewhere-else.com/x.html, your page will be displayed and you'll get a '200'...

In Drupal's case, rewrite rules also seem to pass inquiries that are good up to the question mark... For instance, this will always bring up my home page when proxied...
httx://log.cpc.sohu.com:90/?pv.png

For some reason, this one won't, even though I have a 200 for it in my logs:
httx://partners.mygeek.com/search.jsp?partnerid=98851&ip=208.193.75.124&query=graphic

But I understand the issue well enough, no need to debug further...

The real question is... the most efficient way to block these jerks...

Any ideas?

Have fun,

Paul [eMtnMan]
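The grep in the previous post and the mechanism described in this one, put together as a small log analyser; this is an added example, not code from the thread or from Drupal. It parses Apache combined-format lines, flags request targets that begin with a scheme (the proxy-style "GET http://..." form), tallies them by source IP, status and destination host, and separates the 200s, which in this thread turned out to be local content served under a foreign URL, from the proxy-judge probes. The log lines, IP addresses and hostnames in SAMPLE_LOG are constructed placeholders, not the thread's real addresses or the spammers' domains.

```python
"""Find proxy-style (absolute-URI) requests in an Apache combined-format log.

A normal request line is "GET /path HTTP/1.1". A client that believes this
server is an open proxy sends "GET http://other-host/path HTTP/1.1". Apache
answers from the local document root, so these show up as 404s, or as 200s
when the path exists locally or a rewrite rule hands it to index.php.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A request target beginning with a URL scheme: the client is talking to us
# as if we were a forward proxy. A target such as "/?http://..." does NOT
# match, which is why hand-made tests with a leading "/" look different.
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

# Proxy-judge scripts named in the thread: a request for one of these is the
# client checking whether the relay actually works.
PROXY_JUDGE_RE = re.compile(r'/(prxjdg\.cgi|proxycheck\.php)$')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_style(target):
    """True when the request target is an absolute URI rather than a path."""
    return bool(ABSOLUTE_URI_RE.match(target))


def analyse(lines):
    """Tally proxy-style requests by source IP, status and destination host."""
    s = {
        "total": 0, "unparsed": 0, "proxy_style": 0,
        "by_ip": Counter(), "by_status": Counter(), "by_target_host": Counter(),
        "served_200": [],        # (source ip, target): local content served under a foreign URL
        "proxy_judge_hits": [],  # (source ip, judge host)
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        s["total"] += 1
        if not is_proxy_style(rec["target"]):
            continue
        url = urlsplit(rec["target"])
        s["proxy_style"] += 1
        s["by_ip"][rec["ip"]] += 1
        s["by_status"][rec["status"]] += 1
        s["by_target_host"][url.hostname or "?"] += 1
        if rec["status"] == "200":
            s["served_200"].append((rec["ip"], rec["target"]))
        if PROXY_JUDGE_RE.search(url.path):
            s["proxy_judge_hits"].append((rec["ip"], url.hostname))
    return s


# Constructed sample log; the IPs and hostnames are placeholders, not the
# thread's real addresses or the spammers' domains.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2005:09:40:00 -0700] "GET / HTTP/1.1" 200 15794 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/May/2005:09:40:02 -0700] "GET /node/1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/May/2005:09:47:50 -0700] "GET http://ads.example.net/search.jsp?partnerid=1&query=x HTTP/1.1" 404 5625 "http://ref.example/" "Mozilla/4.75 (compatible; MSIE 5.5)"',
    '198.51.100.7 - - [07/May/2005:09:50:24 -0700] "GET http://ads.example.net/search.jsp?partnerid=2&query=y HTTP/1.1" 200 294 "http://ref.example/" "Mozilla/4.0 (compatible; MSIE 5.0)"',
    '198.51.100.7 - - [07/May/2005:09:51:37 -0700] "GET http://judge.example.org/cgi-bin/test/prxjdg.cgi HTTP/1.0" 200 282 "-" "MSIE"',
    '203.0.113.9 - - [07/May/2005:09:52:45 -0700] "GET http://log.example.net:90/?pv.png HTTP/1.0" 200 282 "http://ads.example.net/index.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'garbage line that does not parse',
]


def main():
    s = analyse(SAMPLE_LOG)
    print(f"{s['proxy_style']} proxy-style requests in {s['total']} parsed lines "
          f"({s['unparsed']} unparsed)")
    for ip, n in s["by_ip"].most_common():
        print(f"  {ip:<16} {n} requests")
    print("  statuses:", dict(s["by_status"]))
    print("  destination hosts:", dict(s["by_target_host"]))
    for ip, host in s["proxy_judge_hits"]:
        print(f"  proxy-judge probe from {ip} aimed at {host}")
    for ip, target in s["served_200"]:
        print(f"  200 for {ip}: {target}  <- local content, not a relay")


if __name__ == "__main__":
    main()
```

To run it over real logs, replace SAMPLE_LOG with the lines of your access log files (the thread's grep shows where they lived on that server).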

Zen’s picture

I changed the .htaccess file to 403 asp, jsp, look and cgi files and this seems to have had a significant effect in terms of Drupal's logs. I did so by modifying the following line in the htaccess file that comes with Drupal.

<Files ~ "(\.(inc|module|pl|sh|sql|theme|engine|xtmpl|aspx|jsp|look|cgi)|Entries|Repositories|Root|scripts|updates)$">

This hasn't affected search strings etc. I realise this is a very basic and temporary fix, but it's doing a decent job at the moment :)

-K
--------
Quillem.com

eMtnMan’s picture

I added:
SecFilterSelective THE_REQUEST "get http"
and dropped the APF IP blocks... the result:

========================================
Request: 222.208.183.2 - - [09/May/2005:22:40:12 -0700] "GET httx://adsence.sogou.com/index.html?pid=anxu&ww=120&dc=3&dir=0&num=6&color=1&charset=gb HTTP/1.0" 406 257
Handler: (null)
----------------------------------------
GET httx://adsence.sogou.com/index.html?pid=anxu&ww=120&dc=3&dir=0&num=6&color=1&charset=gb HTTP/1.0
Accept: */*
Accept-Language: zh-cn
Connection: Keep-Alive
Host: adsence.sogou.com
Referer: httx://www.gi007.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
mod_security-message: Access denied with code 406. Pattern match "get http" at THE_REQUEST.
mod_security-action: 406

HTTP/1.0 406 Not Acceptable
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 222.208.183.2 - - [09/May/2005:22:40:13 -0700] "GET httx://log.cpc.sohu.com:90/?pv.png HTTP/1.0" 406 247
Handler: (null)
----------------------------------------
GET httx://log.cpc.sohu.com:90/?pv.png HTTP/1.0
Accept: */*
Accept-Language: zh-cn
Connection: Keep-Alive
Host: log.cpc.sohu.com:90
Referer: httx://adsence.sogou.com/index.html?pid=anxu&ww=120&dc=3&dir=0&num=6&color=1&charset=gb
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
mod_security-message: Access denied with code 406. Pattern match "get http" at THE_REQUEST.
mod_security-action: 406

HTTP/1.0 406 Not Acceptable
Connection: close
Content-Type: text/html; charset=iso-8859-1

Many Thanks to John [eth00] for this suggestion! John has some excellent security HowTo's, including one on mod_security, posted here:
http://www.eth0.us/

Note that there will now be "406" error log entries spamming your logs, but the 200's are gone and the hacker will get error pages. The custom log option mentioned in the Wiki post (above) only works for Apache 1.8 or newer... I'm hoping I can get a mod to BFD to allow APF to block these 406's automatically. That'll clean up those logs!

Hope this helps!

Paul [eMtnMan]