Dave on Facebook Follow StationaryDave on Twitter
Dave's profile on LinkedIn
My Skype Status
Main: Welcome to Main
A Worldwide Coordinated Attack on DavesWeb.com?

I have found some pretty strange things in my server logs lately.  Below, I'll describe a series of requests that looked like something/someone was probing and looking for vulnerabilities on my site.  Not that there's anything here worth stealing.  More likely, they were looking for a machine they could hijack for whatever nefarious purpose.  I'm posting this in case someone knows what these folks are up to and how webmasters can guard against whatever it is.

First, a little background.  I have been paying closer attention to my web server logs the last couple of months. After re-building the back-end of DavesWeb.com (and removing some older content in the process), I was particularly curious if there were still requests for some of these older items. If people were still interested, I'd want to make sure that document is still online at the same Url. Currently, have have some 75 old Urls mapped to their new location so surfers can follow old links and still find what they're looking for.

But if you request an Url that is broken on this site, and it's not on my list of relocated content, your request is logged and once in a few days I'll look to see if I can restore what you're looking for.  In these logs I found several very freaky things.

I found pages where not only does the requested page not exist, but the page that supposedly referred or linked them to the requested page is a page on DavesWeb.com that no longer exists.  When it was online, the voting ballot was on vote.asp, and the form was posted to vote.asp (the same page which served up the voting form if it was a GET request and processed that vote if it was a POST request).  Here is the first entry: 

REQUESTED: /vote/submit.asp, REFERER: http://www.davesweb.com/Vote/Submit.asp, REMOTE_HOST: 117.241.202.208, HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1

The web site visitor was requesting the file /vote/submit.asp, which no longer exists.  But the REFERER IS THE SAME PAGE (and hasn't existed, either for several years!)  How can a page that no longer exists be a hyperlink to anything?   

It seems like the only this could happen is if the web surver is using software that is faking info about itself and its request.  Someone is up to no good!

So I looked further into the logs and was even more surprised to find three more requests all within a few seconds of each other and also referred by this non-existent page!  And get this:  each request appears to have come from not only different computers, but different computers in vastly different corners of the world!  (Or possibly these requests were made to LOOK like they came from different parts of the world.)

Remote HostOwnerLocationUser Agent
117.241.202.208Asia Pacific Network Information CentreMilton, AUMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1
59.171.62.91@Home Network JapanTokyo,JapanMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1
68.188.169.31Charter Communications St. Louis, MOMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1
94.199.180.172RIPE Network Coordination CentreAmsterdam, NEMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1
Table 1: Four identical requests from four corners of the world.  

Note the User Agent for each of the requests:  they are identical!  The User Agent is the web browser software.  What are the chances that four people from four different corners of the earth all hit the same web page at nearly the same time using the exact same versions of their web browser software?  I think it's virtually nil!

I think the identical user agents prove that this was a coordinated attack on my web server.  I think they were faking the header information that identifies the Remote Host.  One possibility was that they were trying to trigger a buffer overrun which could cause a state allowing them to gain control over the computer.  Or something else.  I doubt they were trying to steal the election!

Webmasters:  if you see something like this in your logs, let me know!

10,802 views.