Strange web requests

Posted by: mcomb

Strange web requests - 26/08/2003 13:33

Is anybody else out there with their own website seeing a lot of strange web requests? In the last 10 days I have received 2400 requests from unique IP addresses, all with the same browser string ("Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"), requesting the same page ("/"), none of which have a referrer. For comparison, in a normal week I would get maybe 5 or 10 legitimate requests for that URL.

I am wondering if this is just the latest and greatest Windows virus looking for new victims or if there is something else going on.

-Mike
Posted by: RobotCaleb

Re: Strange web requests - 26/08/2003 13:43

conspiracy
Posted by: DLF

Re: Strange web requests - 26/08/2003 14:21

I know some of the server-based "anonymizers" (using that term generically) pull out the referrer; they may mask the browser string as well, I don't know. Could it be their servers have been victimized?
Posted by: tman

Re: Strange web requests - 26/08/2003 17:11

Nope. Nothing that I know of.
I've had trouble before when somebody for some odd reason decided to recursively suck my entire website in one go. But they didn't configure it properly, so it kept getting confused. It kept going for days and in the end I just blocked that IP in the firewall and left it.
Posted by: mcomb

Re: Strange web requests - 26/08/2003 18:12

I've had trouble before when somebody for some odd reason decided to recursively suck my entire website in one go.

Yeah, I thought it was something like that or a badly written spider until I realized that all the source IP addresses were different. This has to be either the world's least impressive DDoS attack or some virus. I think that shoots down the anonymizer theory as well (all the source IPs would point to the anonymizer proxy IP). Whatever it is, it is still happening.

-Mike
Posted by: mcomb

Re: Strange web requests - 26/08/2003 18:15

Would it be wrong of me to go find a nice juicy Windows virus and put it at that URL and let all these people download it?

-Mike
Posted by: tman

Re: Strange web requests - 26/08/2003 18:22

You could try logging the referer to see if that gives you anything. Probably going to end up with nothing but it's worth a try.
It sounds automated so the referer might not even be filled in.
Posted by: mcomb

Re: Strange web requests - 26/08/2003 18:26

try logging the referer

The referers are all blank. Every request looks like this (IPs obscured to protect the theoretically innocent)...

x.x.x.x - - [26/Aug/2003:18:22:54 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
y.y.y.y - - [26/Aug/2003:18:23:05 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
z.z.z.z - - [26/Aug/2003:18:23:32 -0700] "GET / HTTP/1.1" 200 306 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

-Mike
Posted by: tman

Re: Strange web requests - 26/08/2003 18:31

My brother owns home.org (which is a massive spam magnet, as people think it's cute to enter [email protected] etc.) and every so often I'll find a misconfigured ticoga (something like that) client trying to request its configuration files. It's apparently some sort of remote configuration tool that home.com used. I've always wondered how many machines I could take over; I wouldn't have been actively attacking them, as they were the ones requesting the file from me...
Posted by: foxtrot_xray

Re: Strange web requests - 26/08/2003 19:21

Nothing here, either. I *DO* have "/" as a valid URL, and that has only about 900 hits this MONTH. (People usually go straight to the forums.) I do have a few hits that match your criteria (same browser, blank referrer) but nothing near what you have.

Now here's a dumb question - Running Apache, can anyone give me a quick overview on how to pop up the password box? I did notice, while checking this, that my stat folder's been hit a few times, and not by me or my employer. The only password checking I've done has been through PHP. I just want something to pop up without running a script. I know there's a way to do it in Apache (using .htaccess or something?), but can't find anything on it.

Me.
Posted by: Attack

Re: Strange web requests - 26/08/2003 20:35

Google

http://httpd.apache.org/docs/howto/htaccess.html
Posted by: JBjorgen

Re: Strange web requests - 27/08/2003 06:34

Since the thread's already been hijacked...any ideas on how to get it to authenticate against the system passwd file instead of a .htpasswd (or similar file)? Or is that a bad idea security-wise?
Posted by: wfaulk

Re: Strange web requests - 27/08/2003 06:41

Bad idea unless you want your local passwords passed in (essentially) clear text across the internet.
Posted by: g_attrill

Re: Strange web requests - 27/08/2003 07:11

Nachi WebDav scanner?
Posted by: genixia

Re: Strange web requests - 27/08/2003 07:27

Or is that a bad idea security-wise?

Exceptionally bad idea.

Firstly, it opens an avenue of attack to get /etc/passwd, so an attacker would be more easily able to get a list of users.
Secondly, unlike login or sshd, there is no login throttling with Apache, and failed logins are not generally logged to the syslog. So once the attacker has a valid user name (from /etc/passwd) they could write a bot to sit there brute-forcing an attack against your web server. Once the password has been found they could then use telnet or ssh to log in for real, and then potentially launch a root attack from there.
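The two log-analysis questions raised in this thread, as an added example that is not from any poster: spotting mcomb's pattern (one identical request signature arriving from many distinct IPs, which rules out a single misconfigured spider or one anonymizer proxy) and, for genixia's point that Apache does not throttle or syslog failed basic-auth logins, counting 401 responses per source IP in the access log instead. The log lines, IPs (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def distributed_identical_clients(lines, min_ips=3):
    """Group requests by (method, path, referer, UA) and return the groups seen
    from at least min_ips distinct source IPs. One browser string hitting one
    URL with no referer from many hosts is the worm/distributed-scanner shape."""
    ips_by_sig = defaultdict(set)
    for r in filter(None, map(parse, lines)):
        ips_by_sig[(r["method"], r["path"], r["referer"], r["ua"])].add(r["ip"])
    return {sig: len(ips) for sig, ips in ips_by_sig.items() if len(ips) >= min_ips}

def auth_failures_by_ip(lines, threshold=3):
    """Count HTTP 401 responses per source IP; the access log is the only place
    repeated basic-auth failures show up, since Apache does not syslog them."""
    fails = Counter(r["ip"] for r in map(parse, lines) if r and r["status"] == "401")
    return {ip: n for ip, n in fails.items() if n >= threshold}

# Constructed sample log (not the poster's real traffic).
UA98 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [26/Aug/2003:18:22:54 -0700] "GET / HTTP/1.1" 200 306 "-" "{UA98}"',
    f'192.0.2.11 - - [26/Aug/2003:18:23:05 -0700] "GET / HTTP/1.1" 200 306 "-" "{UA98}"',
    f'192.0.2.12 - - [26/Aug/2003:18:23:32 -0700] "GET / HTTP/1.1" 200 306 "-" "{UA98}"',
    '198.51.100.7 - - [26/Aug/2003:18:24:01 -0700] "GET /forums/ HTTP/1.1" 200 8123 "http://example.test/" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.5 - - [27/Aug/2003:06:40:10 -0700] "GET /stats/ HTTP/1.1" 401 401 "-" "curl/7.10"',
    '203.0.113.5 - - [27/Aug/2003:06:40:11 -0700] "GET /stats/ HTTP/1.1" 401 401 "-" "curl/7.10"',
    '203.0.113.5 - - [27/Aug/2003:06:40:12 -0700] "GET /stats/ HTTP/1.1" 401 401 "-" "curl/7.10"',
    '203.0.113.5 - - [27/Aug/2003:06:40:13 -0700] "GET /stats/ HTTP/1.1" 200 4410 "-" "curl/7.10"',
]

if __name__ == "__main__":
    for sig, n in distributed_identical_clients(SAMPLE_LOG).items():
        print(f"{n} distinct IPs sent identical requests: {sig}")
    for ip, n in auth_failures_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins (401)")
```

Feed it a real access.log with `distributed_identical_clients(open("access.log"))` and raise `min_ips` to match your normal traffic; a legitimate popular page will also come from many IPs, so the empty referer and single user-agent string are what make the group suspicious.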
Posted by: foxtrot_xray

Re: Strange web requests - 27/08/2003 11:22

Very cool guys, thanks. I swear I couldn't get it last time I tried messing with it. Got it now.

Me.