Clan x86

Member Forums => iago's forum => Topic started by: iago on October 22, 2004, 12:01:12 pm

Title: Page hit statistics
Post by: iago on October 22, 2004, 12:01:12 pm
Note that this is for every file/image/etc. that has been downloaded from my site (javaop.clan-e1.net) with a GET request on browsers that actually send a proper user-agent:

Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep GET | wc -l
47220
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Windows | wc -l
21892
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Linux | wc -l
2366
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Mac | wc -l
840

This is the number of times that somebody tried to exploit a WebDAV vulnerability (more on this at the bottom):
Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep SEARCH | wc -l
233

This is the number of hits from googlebot:
Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i googlebot | wc -l
45

This is the number of hits from msnbot:
Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i msnbot | wc -l
657

And finally, this was some very stupid person trying to get Yahoo's site from my server with a very invalid request (you would never put http:// in a GET..):
Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i yahoo         
220.170.88.36 - - [25/Aug/2004:19:50:04 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3429 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [02/Sep/2004:18:29:56 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 5146 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [01/Oct/2004:15:27:52 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 7580 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [09/Oct/2004:08:45:43 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 7580 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"



The entire inspiration for doing this is the SEARCH requests, though, which were the WebDAV exploit.  For anybody who cares, this is the full request (very long):
http://javaop.clan-e1.net/tmp/shellcode
Title: Re: Page hit statistics
Post by: Newby on October 22, 2004, 02:42:59 pm
Lmao at that shell coding newbie. :O
Title: Re: Page hit statistics
Post by: c0Ld on October 22, 2004, 04:01:17 pm
Quote
that actually send a proper user-agent
Quote
Lmao at that shell coding newbie. :O

Eh stop crying :P

Notice how the idiot trying to get Yahoo is using IE on Windows 98...lmao, some connection there ;)
Title: Re: Page hit statistics
Post by: iago on October 22, 2004, 06:29:19 pm
The thing is, you should never be sending a GET for "http://...", the GET is only the page, not the full site.  So that would be like, http://javaop.clan-e1.net/http://www.yahoo.com or something stupid.

<edit> that gives me:
192.168.1.1 - - [22/Oct/2004:17:35:46 -0500] "GET /http://www.yahoo.com HTTP/1.1" 404 302 "http://ix86.cold-chaos.net/forum/index.php?topic=59.0" "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10"

Which is close..
Title: Re: Page hit statistics
Post by: iago on October 22, 2004, 06:41:13 pm
Quote
Lmao at that shell coding newbie. :O

I'm pretty sure it was a worm, actually, there were too many of the same request sent by different hosts.
Title: Re: Page hit statistics
Post by: iago on October 22, 2004, 06:59:01 pm
Here's something else:

Code:
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep MSIE | wc -l
11785
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Firefox | wc -l
11930

Makes me happy :D
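
Added example, not part of the thread: `grep GET` and `grep SEARCH` count every line that contains the string anywhere, including paths and referers, so this sketch tallies by the parsed method and request target instead, and also counts how many distinct hosts sent SEARCH (the "same request from different hosts" pattern mentioned above). The function names `classify_log` and `sample_log`, the addresses and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Tally an Apache combined-format access
# log by the parsed request line rather than by substring match.

classify_log() {
    # With -F'"', $1 is 'host ident user [time] ' and $2 is the request line.
    # Method and target are the first two tokens of $2, so they are still read
    # correctly when a very long request contains escaped quotes further on.
    awk -F'"' '
    {
        split($1, pre, " "); host = pre[1]
        split($2, req, " "); method = req[1]; target = req[2]
        if (method == "GET") {
            get++
            # absolute-form target (scheme://...), the form a client sends to a proxy
            if (target ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) abs_get++
        }
        if (method == "SEARCH") {
            search++
            if (!(host in seen)) { seen[host] = 1; search_hosts++ }
        }
    }
    END {
        printf "get=%d absolute_get=%d search=%d search_hosts=%d\n", get, abs_get, search, search_hosts
    }' "$@"
}

# Constructed sample lines (documentation addresses, shortened requests).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [22/Oct/2004:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 3429 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/0.10"
192.0.2.11 - - [22/Oct/2004:10:00:05 -0500] "GET /SEARCH.html HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.12 - - [22/Oct/2004:10:01:00 -0500] "GET http://www.example.com/ HTTP/1.1" 200 3429 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
198.51.100.7 - - [22/Oct/2004:10:02:00 -0500] "SEARCH /AAAA HTTP/1.1" 414 320 "-" "-"
198.51.100.8 - - [22/Oct/2004:10:02:30 -0500] "SEARCH /AAAA HTTP/1.1" 414 320 "-" "-"
198.51.100.7 - - [22/Oct/2004:10:03:00 -0500] "SEARCH /AAAA HTTP/1.1" 414 320 "-" "-"
203.0.113.5 - - [22/Oct/2004:10:04:00 -0500] "POST /form HTTP/1.1" 200 120 "http://example.com/?q=GET" "Mozilla/5.0"
EOF
}

sample_log | classify_log
```

On a real log, run it as `classify_log access_log`; on the sample, plain `grep -c GET` and `grep -c SEARCH` each report 4 because of the `/SEARCH.html` path and the `?q=GET` referer.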