WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 - computergenius (WebProWorld Veteran, Spain) - 10-08-2009, 04:25 PM
/none

I am getting a lot of requests for a file /none at the moment, maybe 50 at a time, from different IPs.

Each one uses a different SERVER REMOTE_PORT - for example, 2708, 2714, 2728, etc. - plus a different SERVER REDIRECT_UNIQUE_ID: Ss4t2UZUZMIAACBXtB8AAAFV, etc. The latest batch claim to come via Google using SERVER HTTP_COOKIE: Land+for+sale+with+water+in+northern+Mallorca - where we do have an entry in the top 15.

Sometimes, I would get 5 or 6 attacks a day, but I now blacklist the IPs - 57.66.53.94, 69.159.192.24, 213.98.71.251, 217.20.249.143, 173.35.183.252, 70.134.96.138 - so it is down to one or two blocks of emails a day.

Anyone know what the reason could be for this? And would a 301, perhaps to the home page, help?

A 301 would stop the error messages, but then I wouldn't see who was poking about?
#2 - Clint1 (WebProWorld MVP, Louisiana, USA) - 10-09-2009, 01:18 PM
Re: /none

Make sure what you think are G requests really are G requests. There are many Gbot-scammers out there, example:
Evil bot at 216.240.151.* masquerading as Googlebot
__________________
Happy Thanksgiving to all & God Bless,
-Clint
(Join Date: 2003)
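The check Clint is describing, as an added example that is not code from anyone in this thread: a client whose User-Agent says "Googlebot" is only believed if the reverse DNS of its address lands under googlebot.com or google.com AND a forward lookup of that name returns the same address. The second step is what matters, because whoever owns an IP block can put any PTR record they like on it but cannot make Google's forward zone answer for it. The function names, the injectable resolver and the DNS fixture data below are mine and are constructed so the script runs offline; `system_reverse` and `system_forward` wrap the standard socket calls for a live check.

```python
import socket
from typing import Callable, Optional

# Hostname suffixes Google documents for Googlebot's reverse-DNS names.
GOOGLEBOT_SUFFIXES = ("googlebot.com", "google.com")

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], set]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(host: str) -> set:
    """Every address the hostname resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def _under_google(host: str) -> bool:
    # Exact match or a true subdomain; "notgooglebot.com" must not pass.
    return any(host == s or host.endswith("." + s) for s in GOOGLEBOT_SUFFIXES)


def is_verified_googlebot(ip: str, reverse: ReverseLookup = system_reverse,
                          forward: ForwardLookup = system_forward) -> bool:
    """True only if PTR(ip) is under a Google domain AND that name resolves
    back to ip. A spoofed PTR alone passes the first test but not the second."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not _under_google(host):
        return False
    return ip in forward(host)


# Constructed fixture data (assumption, not real DNS): the first entry mirrors
# the naming pattern Google uses; the rest are RFC 5737 documentation addresses.
_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # spoofed PTR
    "198.51.100.9": "googlebot.com.attacker.example",    # misleading suffix
    "192.0.2.44": "host.notgooglebot.com",               # look-alike domain
}
_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "googlebot.com.attacker.example": {"198.51.100.9"},
    "host.notgooglebot.com": {"192.0.2.44"},
}


def fixture_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def fixture_forward(host: str) -> set:
    return _A.get(host, set())


def classify(ip: str, user_agent: str) -> str:
    """Label one log entry: only User-Agents claiming Googlebot are checked."""
    if "Googlebot" not in user_agent:
        return "not-a-googlebot-claim"
    if is_verified_googlebot(ip, fixture_reverse, fixture_forward):
        return "verified-googlebot"
    return "fake-googlebot"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for addr in _PTR:
        print(addr, classify(addr, ua))
```

Only the address with a matching forward lookup is accepted; the spoofed PTR, the misleading suffix and the look-alike domain are all rejected. Google also publishes its crawler address ranges as JSON these days, which makes a cheaper first-pass filter, but the reverse/forward pair is the check that works with nothing but DNS.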
#3 - computergenius (WebProWorld Veteran, Spain) - 10-10-2009, 04:12 AM
Re: /none

I didn't say that it was a Googlebot. Googlebots usually say who they are; this doesn't.

I meant that the latest set of visits claim to have come from (REFERER) a Google search.
__________________
Pete Clark
Got any spare time? Anything you need? Barter in Spain at http://BarterWithBart.com
#4 - Clint1 (WebProWorld MVP, Louisiana, USA) - 10-10-2009, 07:51 AM
Re: /none

Ahhh I see. I misunderstood that: "I am getting a lot of requests for a file /none at the moment, maybe 50 at a time, from different IPs......The latest batch claim to come via Google using......"

I see similar things to this frequently in my logs for pages and files that never existed, but not under those ports. If they are frequent and from valid or wanted sources, I'll 301 redirect them to the closest associated page.

GRC has no info on those ports other than their names, but this site has info on all of them you mentioned.

What leads you to believe these are attacks? Does or has the page or file "/none" ever existed?

Three of those IPs you list are rather interesting and should be blocked:
69.159.192.24 | Comment Spammer | IP Address Inspector | Project Honey Pot
217.20.249.143 | Mail Server | IP Address Inspector | Project Honey Pot
Abuse Info & Abuser List | Scams & Spams | American Eagle Star

Also, SpamHaus has BL'd 70.134.96.138. So it's probably a good idea to block those 3.

Quote:
.....so it is down to one or two blocks of emails a day.
What do you mean by that?
#5 - computergenius (WebProWorld Veteran, Spain) - 10-10-2009, 02:08 PM
Re: /none

Quote:
Originally Posted by Clint1
What leads you to believe these are attacks? Does or has the page or file "/none" ever existed?
The file has never existed, and there are around 50 requests over a minute or two, all with different ports. Not knowing enough about this sort of thing, I wondered if they were looking for "open doors", perhaps to do something bad via an unprotected port.

Quote:
Originally Posted by Clint1
Three of those IP's you list are rather interesting and should be blocked:
I blocked all of them. And I found them mentioned on the web as well, so they will stay blocked for a few months.

Quote:
Originally Posted by Clint1
What do you mean by that?
I meant that, prior to blocking those IPs, I was getting 6, 8, 10 blocks of 50 attempts. Since blocking them, it reduced to 2 or 3 blocks of 50 attempts, and I haven't had any for a few days. I used the word "emails", I should have said, "blocks of attempts".

I was trying to phrase it correctly, I wasn't sure that they were attacks, and ended up confusing both you and myself!
#6 - Clint1 (WebProWorld MVP, Louisiana, USA) - 10-10-2009, 02:49 PM
Re: /none

Quote:
Originally Posted by computergenius
The file has never existed, and there are around 50 requests over a minute or two, all with different ports. Not knowing enough about this sort of thing, I wondered if they were looking for "open doors", perhaps to do something bad via an unprotected port.
Yeah, that does sound like cause for at least some concern. I get similar requests for files related to FrontPage, even though I never used it, nor is it on the server (obviously trying to hack FP exploits). Also for what appear to be made-up login pages. Those I always block.


Quote:
I meant that, prior to blocking those IPs, I was getting 6, 8, 10 blocks of 50 attempts. Since blocking them, it reduced to 2 or 3 blocks of 50 attempts, and I haven't had any for a few days. I used the word "emails", I should have said, "blocks of attempts".
I gotcha, I figured that's what you may have meant.

For what you feel may be a DoS or other type of attack or hack, I wouldn't do any 301 redirects. It's best to simply block the offending IP(s) and be done with it, because you don't want them anywhere at your site anyway. Then you can check your error logs for any 403's on the offending IP's to see what they are up to.
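Putting the thread's advice into one script, as an added example that is not code from any participant: the original post describes a burst of requests for a path that never existed, arriving within a minute or two from several addresses, and Clint's reply above says to block those addresses rather than redirect them and then read the 403s they produce. The script below parses Apache "combined" log lines, clusters 404s per path to find such bursts, emits an Apache 2.4 `Require not ip` block for the addresses involved, and lists what blocked clients kept asking for afterwards. The log lines, thresholds and function names are my own assumptions; the addresses are RFC 5737 documentation addresses. The client's source port is deliberately not a signal here: it is not in the combined format and changes with every connection anyway.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes
# "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (assumption, not the poster's real data): five hits on
# /none inside one minute from four IPs, all claiming a Google search referer,
# then 403s from one of those IPs after it was blocked.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2009:14:12:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2009:14:13:05 +0200] "GET /none HTTP/1.1" 404 512 "http://www.google.com/search?q=land+for+sale+mallorca" "Mozilla/4.0"
198.51.100.22 - - [10/Oct/2009:14:13:09 +0200] "GET /none HTTP/1.1" 404 512 "http://www.google.com/search?q=land+for+sale+mallorca" "Mozilla/4.0"
203.0.113.77 - - [10/Oct/2009:14:13:20 +0200] "GET /none HTTP/1.1" 404 512 "http://www.google.com/search?q=land+for+sale+mallorca" "Mozilla/4.0"
198.51.100.21 - - [10/Oct/2009:14:13:41 +0200] "GET /none HTTP/1.1" 404 512 "http://www.google.com/search?q=land+for+sale+mallorca" "Mozilla/4.0"
192.0.2.5 - - [10/Oct/2009:14:14:02 +0200] "GET /none HTTP/1.1" 404 512 "http://www.google.com/search?q=land+for+sale+mallorca" "Mozilla/4.0"
203.0.113.10 - - [10/Oct/2009:14:20:00 +0200] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2009:14:21:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2009:16:02:13 +0200] "GET /none HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.21 - - [10/Oct/2009:16:02:14 +0200] "GET /_vti_bin/shtml.exe HTTP/1.1" 403 199 "-" "Mozilla/4.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts, sorted by time; skip junk lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return sorted(entries, key=lambda e: e["time"])


def find_bursts(entries, status=404, max_gap=timedelta(seconds=60), threshold=5):
    """Cluster hits on each missing path where consecutive hits are at most
    max_gap apart; a cluster of at least threshold hits is a burst. Source IP
    is not part of the key, so a burst spread across many IPs is still seen."""
    by_path = defaultdict(list)
    for e in entries:
        if e["status"] == status:
            by_path[e["path"]].append(e)
    bursts = []
    for path, hits in by_path.items():
        cluster = [hits[0]]
        for h in hits[1:] + [None]:          # None flushes the final cluster
            if h is not None and h["time"] - cluster[-1]["time"] <= max_gap:
                cluster.append(h)
                continue
            if len(cluster) >= threshold:
                bursts.append({
                    "path": path, "count": len(cluster),
                    "ips": sorted({c["ip"] for c in cluster}),
                    "referers": sorted({c["referer"] for c in cluster}),
                    "first": cluster[0]["time"], "last": cluster[-1]["time"],
                })
            if h is not None:
                cluster = [h]
    return bursts


def apache_deny_block(ips):
    """Apache 2.4 access control: deny the listed addresses, allow everyone
    else. Denied clients get a 403 that still lands in the access log, and
    the error log records 'client denied by server configuration'."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(set(ips))]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def forbidden_after_block(entries, blocked_ips):
    """What each blocked address asked for once it was only getting 403s."""
    seen = defaultdict(list)
    for e in entries:
        if e["ip"] in blocked_ips and e["status"] == 403:
            seen[e["ip"]].append(e["path"])
    return dict(seen)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for b in find_bursts(log):
        print(f"{b['count']} x {b['path']} from {len(b['ips'])} IPs "
              f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
        print(apache_deny_block(b["ips"]))
        print(forbidden_after_block(log, set(b["ips"])))
```

On the sample data the only burst is the five hits on /none (the lone /favicon.ico 404 stays below the threshold), the deny block covers all four addresses, and the follow-up shows the blocked address coming back for /none and a FrontPage path, which is the kind of evidence the 403 review is meant to surface. A 301 to the home page would have turned those entries into indistinguishable 200s.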
#7 - computergenius (WebProWorld Veteran, Spain) - 10-10-2009, 05:55 PM
Re: /none

Hey, I just got another set of 4 - let's call them probes, on ports 2219, 2220, 2224, 2225, on an IP from Moldavia - just 1 minute after a spam link was automatically rejected by my software, also from Moldavia. Banned both IPs...
#8 - weegillis (WebProWorld Moderator, Alberta, Canada) - 10-12-2009, 03:42 AM
Re: /none

Concerning the ports, these are dynamic. That a new port would be opened with each outgoing request should come as no surprise. It's hardly likely the same port would be available a few seconds after it was released.

Banning the IPs may have a temporary effect, but that too might be ineffective long term. The main thing to look for is the vulnerabilities that the Moldavia unsubs are seeking on your and any others' website servers. Check your security and be sure everything is locked down sufficiently to ward off this probe. Just as in the days of PC protection, if they can't gain access for an exploit they will move on.
#9 - computergenius (WebProWorld Veteran, Spain) - 10-12-2009, 04:30 AM
Re: /none

Quote:
Originally Posted by weegillis
Concerning the ports, these are dynamic. That a new port would be opened with each outgoing request should come as no surprise. It's hardly likely the same port would be available a few seconds after it was released.
Thanks, I wasn't sure whether that was the case or not! Can you suggest somewhere that I can find more information on this area? For interest, rather than security.

Quote:
Originally Posted by weegillis
Check your security and be sure everything is locked down sufficiently to ward off this probe. Just as in the days of PC protection, if they can't gain access for an exploit they will move on.
Looks ok to me, and to the people that I have asked to check it.
#10 - Clint1 (WebProWorld MVP, Louisiana, USA) - 10-12-2009, 05:19 AM
Re: /none

Quote:
Originally Posted by computergenius
Thanks, I wasn't sure whether that was the case or not! Can you suggest somewhere that I can find more information on this area? For interest, rather than security.
See the links I put in my post #4 above. Like I said, GRC* didn't have anything about those ports (and that's usually the best place to go because they can also run security checks on ports). But the other links I posted have the ports' info. *After you click "Proceed" on the page you'll see what to do. Port Search - Find Ports by Name, Number or Trojan is another one.

Those ports you mentioned aren't very common and most places have little info on them. So the best thing usually in those types of cases is to just do a web search for them and then you can usually find specific pages that have more info on them.
#11 - Clint1 (WebProWorld MVP, Louisiana, USA) - 10-12-2009, 05:27 AM
Re: /none

Quote:
Originally Posted by computergenius
Looks ok to me, and to the people that I have asked to check it.
Some website security check tools:
Web Test Tools
Qualys Trials & Guides (More info: Qualys, Inc. - On Demand Vulnerability Management and Policy Compliance)
Free Security Audit Check For Your Website - Open Discussion
#12 - wige (WebProWorld Moderator, United States) - 10-12-2009, 10:23 AM
Re: /none

Another test tool to try out would be Nessus by Tenable. Their software is the basis of almost every professional-level security product out there, and you can download the utility for personal use (using a vulnerability list that is one week out of date) free of charge.
__________________
The best way to learn anything, is to question everything.