jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Mon Mar 22, 2004 1:31 am, Post subject: GET Requests
Now I'm starting to see strange GET requests. This is another thing I've noticed when reading my 2873-page log file.
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?87 HTTP/1.0" 200 2048 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?88 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?89 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?90 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?91 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?92 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [03/Oct/2003:16:40:21 +0200] "GET /?93 HTTP/1.0" 200 2048 "" ""
Is this another kind of exploit for IIS?
Update: There's at least 14,000 lines of that so far! What could do that???
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Mon Mar 22, 2004 3:19 am
First of all, if there are many of them, then it is definitely automated. It looks like some sort of script exploit; but "127.0.0.1" is you... isn't it?
"GET" is nothing to worry about; it is just the standard way to request files.
_________________ Bienvenidos!
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Mon Mar 22, 2004 1:29 pm
Yes, 127.0.0.1 is me. That's why I'm confused about this. I've looked and there's no virus/spyware/trojan on my machine, so I have no idea what can be doing that. I checked again this morning and it was there again, from ?0 to ?8000.
Update: Just noticed that every time before that mess happens, this is in the log: 210.205.52.142 - - [22/Mar/2004:03:47:38 -0500] "GET /scripts/nsiislog.dll" 404 239. Then I get the huge amount of ? lines. I'm starting to think it's some IIS exploit again.
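One way to sift a log like this for the two patterns the thread discusses (a burst of sequential "/?N" requests from localhost within the same second, and the "/scripts/nsiislog.dll" probe that precedes it) is the small parser below. This is an added example, not code from the original thread or from Abyss: the log lines are constructed in the format the poster quotes, and IIS_PROBE_PATHS holds only the path seen in this thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the combined-style format the thread quotes.
SAMPLE_LOG = """\
210.205.52.142 - - [22/Mar/2004:03:47:38 -0500] "GET /scripts/nsiislog.dll" 404 239 "" ""
127.0.0.1 - - [22/Mar/2004:03:47:39 -0500] "GET /?0 HTTP/1.0" 200 2048 "" ""
127.0.0.1 - - [22/Mar/2004:03:47:39 -0500] "GET /?1 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [22/Mar/2004:03:47:39 -0500] "GET /?2 HTTP/1.0" 200 2602 "" ""
127.0.0.1 - - [22/Mar/2004:03:47:39 -0500] "GET /?3 HTTP/1.0" 200 2602 "" ""
127.0.0.2 - - [22/Mar/2004:08:50:11 -0500] "GET /ads/banner.gif HTTP/1.1" 404 239 "" ""
127.0.0.1 - - [22/Mar/2004:12:00:00 -0500] "GET / HTTP/1.1" 200 2048 "" ""
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Probe path taken from the thread; extend with others you actually observe.
IIS_PROBE_PATHS = ("/scripts/nsiislog.dll",)

def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m["req"].split(" ")          # request may lack the HTTP version, as in the thread
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return {"ip": m["ip"], "ts": m["ts"], "method": method,
            "path": path, "status": int(m["status"])}

def find_probes(entries):
    """Entries whose path is on the IIS probe watchlist, regardless of status code."""
    return [e for e in entries if e["path"] in IIS_PROBE_PATHS]

def find_query_bursts(entries, min_run=3):
    """(ip, ts, first, last) for runs of >= min_run consecutive integer query
    strings (/?87, /?88, ...) from one client within the same log second."""
    runs = defaultdict(list)
    for e in entries:
        if e["path"].startswith("/?") and e["path"][2:].isdigit():
            runs[(e["ip"], e["ts"])].append(int(e["path"][2:]))
    found = []
    for (ip, ts), nums in runs.items():
        nums.sort()
        if len(nums) >= min_run and nums[-1] - nums[0] == len(nums) - 1:
            found.append((ip, ts, nums[0], nums[-1]))
    return found

def analyze(text):
    entries = [e for e in (parse(l) for l in text.splitlines()) if e]
    return {"probes": find_probes(entries), "bursts": find_query_bursts(entries)}
```

Run analyze() over the real access log to see whether each burst is preceded by a probe entry within a few seconds, which is the correlation the poster noticed by hand.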
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Tue Mar 23, 2004 1:39 am
"210.205.52.142 - - [22/Mar/2004:03:47:38 -0500] "GET /scripts/nsiislog.dll" 404 239"
Well, it shows a 404, so nothing happened. That still seems a bit weird. I suggest banning his IP using some firewall software.
_________________ Bienvenidos!
Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Tue Mar 23, 2004 10:52 am
As I asked in the other thread, do you have an adblocker installed? A lot of these redirect traffic from known ad hosts to 127.0.0.1, so they would show up in the log. Unless you're a very heavy internet user, I doubt there'd be 14,000 though!
Couple of other questions:
Have you recently installed any new software which may be trying to phone home and failing?
Do these hits relate to times when you're at the PC, or totally random times all around the clock?
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Tue Mar 23, 2004 12:55 pm
The only ad blocking I use is manually adding the IPs of ad servers in the Hosts file. It's set up to redirect them to 127.0.0.2, and that works because I see the results in the Abyss log.
No, I haven't installed anything in a while. The last thing was the upgrade to 1.2.2.2. The hits are completely at random, although they tend to happen more at night than during the day.
About blocking his IP 2 posts up: hard to do. It's completely different every time. Last time it was 82.44.127.241 and before that 128.71.7.250. I am adding them to my firewall's block list though.
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Wed Mar 24, 2004 3:16 am
That seems very weird. If one time they are coming from the domain "82.*.*.*" and then "128.*.*.*", he is using completely different ISPs. Since they're on the Abyss logs, they are incoming connections. This would mean that it isn't some program reporting something, or "phoning home." I would keep banning the IPs and see what happens.
_________________ Bienvenidos!
Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Wed Mar 24, 2004 11:55 am
iNaNimAtE wrote: "Since they're on the Abyss logs, they are incoming connections. This would mean that it isn't some program reporting something, or 'phoning home.'"
You're missing the point about 127.0.0.1 requests, which are definitely from localhost, so are likely to be the result of ad blocking using the hosts file: the websites containing ads, or being looked up for phoning home, will resolve as localhost and the GET requests will show up in the log instead.
If you have a personal firewall that blocks referrers, try turning that feature off so you can see what page is causing the 127.0.0.1-based ones to appear in the log.
The others do indeed seem to be worm related, or at least scanning for exploits; haven't tracked down what yet though.
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Wed Mar 24, 2004 6:19 pm
I intend to keep blocking all those IPs when they show up. The referer is not blocked by my firewall in the first place. No, I didn't miss the point about the ad blocking causing requests from 127.0.0.1. The only ad blocking is my manual entries in the hosts file. The file does not redirect them to 127.0.0.1. It redirects them to 127.0.0.2. That causes 127.0.0.2 - - [03/Oct/2003:08:50:11 +0200] "GET /....." to show up in my Abyss log. The only time 127.0.0.1 requests normally show up in the log is when I enter http://127.0.0.1/ in my browser.
_________________ http://jmoschetti45.com
Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Thu Mar 25, 2004 12:45 am
I didn't mean you were missing the point; I should have separated my post more clearly... Sorry! Didn't realise Abyss discriminated between 127.0.0.1 and .2 in the logs either. That's a handy tip :D
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Thu Mar 25, 2004 1:23 pm
Not a problem. I'm a step closer to fixing this. Every time it happens, a file in C:\ called a863a33c.dat appears (well, if I delete it, it comes back with a different name; it's always an 8-digit hex code). The file is empty though. So I'm lost once again. This must be some kind of worm or something.
_________________ http://jmoschetti45.com
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Fri Mar 26, 2004 2:44 am
I think there was a file like that which had to do with ASP. Do you have ActiveHTML installed?
_________________ Bienvenidos!
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Tue Apr 06, 2004 12:16 am
No, I'm running 98 so I can't use ASP :( I did try installing it though. But it never worked.
_________________ http://jmoschetti45.com
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Tue Apr 06, 2004 12:41 am
Well, have you recently run a virus scan and a spyware scan? (I'm just stating the obvious here; can't think of much else.)
_________________ Bienvenidos!
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Tue Apr 06, 2004 2:53 am
Yup. Ran Norton and the online TrendMicro one. Both negative. Also ran SpyBot S&D and AdAware. Also both negative besides the usual problems.
_________________ http://jmoschetti45.com
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Tue Apr 06, 2004 3:26 am
Well... I'm basically out of ideas... I'll definitely tell you if I think of something else. Good luck; hope it works out.
(There's always "format c:" but I suggest not trying that).
_________________ Bienvenidos!
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Thu Apr 08, 2004 2:47 am
Problems fixed. In the other thread we both said block port 137. Haven't had it happen since. 8)
_________________ http://jmoschetti45.com
iNaNimAtE (Joined: 05 Nov 2003, Posts: 2381, Location: Everywhere you're not.)
Posted: Thu Apr 08, 2004 2:55 am
So you blocked port 137 and the problem fixed itself?
_________________ Bienvenidos!
jmoschetti45 (Joined: 29 Oct 2003, Posts: 95, Location: MI USA)
Posted: Thu Apr 08, 2004 4:05 am
Yup. So simple I never would have thought of it. I still can't find anything on port 137, but since it's blocked it's not a problem. I'll continue to look.
_________________ http://jmoschetti45.com