JohnM -
Joined: 17 Apr 2006 Posts: 6
|
Posted: Mon Apr 17, 2006 5:40 pm Post subject: Progressive Download used to hack? |
|
|
Hey guys, I was just being access spammed by someone for about 30 minutes before I denied access to the IP.
I had written a GIMP tutorial a few days ago and put all the images into a tutorial folder in my root dir. For some reason, this person was grabbing the same image for 30 minutes using a progressive download. Can anyone look at a chunk of my access log and tell me if I was being hacked or any malicious activity was taking place or even what was going on?
Code: |
203.83.92.174 - - [17/Apr/2006:10:59:17 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:22 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:27 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:31 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:36 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:40 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:45 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:50 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:54 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:59 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:03 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:11 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:16 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:24 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:29 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:33 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:38 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:42 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:47 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:52 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:00:57 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:01 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:06 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:10 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:15 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:20 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:24 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:28 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:30 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:34 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:38 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:40 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:42 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:44 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:46 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:47 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:50 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:54 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:01:58 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:02:02 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:02:06 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:02:10 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:11:02:13 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
|
Thx for any help. |
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Mon Apr 17, 2006 5:51 pm Post subject: |
|
|
Looks like it's a very badly configured (or written!) download manager just misbehaving, not doing any harm.
It's clearly only requesting the same file over and over, not any other files on your system - 412 error code isn't very common, but I assume it's the download manager doing something weird. Aprelium may be able to give you a better idea of why that might have happened.
In short - just ignore it for now, unless they start to become a problem, then block the IP. It's not a hack attempt.
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..." |
|
JohnM -
Joined: 17 Apr 2006 Posts: 6
|
Posted: Mon Apr 17, 2006 7:22 pm Post subject: |
|
|
So, that means, they were trying to download the image directly from my server? If you navigate a browser to the location of the image it just displays the image, no attempt to download it.
The IP has already been blocked. There was no reason that this person should have requested my image in this manner and continue to leave whatever download manager, they were using, spamming my server for almost 30 minutes.
Anyways, Thanks for the info, I will look more into the 412 error, this is interesting. |
|
AbyssUnderground -
Joined: 31 Dec 2004 Posts: 3855
|
Posted: Mon Apr 17, 2006 7:30 pm Post subject: |
|
|
JohnM wrote: | So, that means, they were trying to download the image directly from my server? If you navigate a browser to the location of the image it just displays the image, no attempt to download it.
The IP has already been blocked. There was no reason that this person should have requested my image in this manner and continue to leave whatever download manager, they were using, spamming my server for almost 30 minutes.
Anyways, Thanks for the info, I will look more into the 412 error, this is interesting. |
Even just viewing the image in the browser, it still has to download it, it just doesn't save to a place you want it to (it gets stored in the cache instead).
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
ozzy214 -
Joined: 31 Mar 2006 Posts: 66
|
Posted: Mon Apr 17, 2006 7:58 pm Post subject: |
|
|
And as long as you can view the photo...you can right click it and save it. Sometimes even punch the url into a download manager like flashget and d/l it that way. No way to prevent it..... |
|
Tom Chapman -
Joined: 09 Jul 2005 Posts: 933 Location: Australia
|
Posted: Mon Apr 17, 2006 10:02 pm Post subject: |
|
|
Aprelium will sure have an answer to your Q but so do I! I think it might be right too for once lol...
http://www2.mrwiseone.com/HTTP_Error_Codes.php#400_range
Last edited by Tom Chapman on Mon Apr 17, 2006 10:42 pm; edited 3 times in total |
|
AbyssUnderground -
Joined: 31 Dec 2004 Posts: 3855
|
Posted: Mon Apr 17, 2006 10:04 pm Post subject: |
|
|
There was no need to post all of those... A link would have sufficed...
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
Tom Chapman -
Joined: 09 Jul 2005 Posts: 933 Location: Australia
|
Posted: Mon Apr 17, 2006 10:35 pm Post subject: |
|
|
It was on my harddrive and um I ah sort of agree :D |
|
JohnM -
Joined: 17 Apr 2006 Posts: 6
|
Posted: Tue Apr 18, 2006 12:11 am Post subject: |
|
|
The Inquisitor wrote: |
Even just viewing the image in the browser, it still has to download it, it just doesn't save to a place you want it to (it gets stored in the cache instead). |
True, but right-clicking the image and saving it doesn't require another request to the host, it gets copied from the cache.
ozzy214 wrote: |
And as long as you can view the photo...you can right click it and save it. Sometimes even punch the url into a download manager like flashget and d/l it that way. No way to prevent it..... |
It was an image, this person had no good reason to download the image using a download manager, all they had to do was save the pic from the browser.
Their own ignorance resulted in an IP block.
Thanks for all the help guys, it's appreciated. And thanks for the error code list, MrWiseOne, I'll use that list a lot. |
|
Tom Chapman -
Joined: 09 Jul 2005 Posts: 933 Location: Australia
|
Posted: Tue Apr 18, 2006 7:39 am Post subject: |
|
|
lol I didn't even remember it was on my harddrive! I saved it years ago. Everyone has something to learn from it and I'm so happy I've actually contributed positively to this forum for once. :) |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Tue Apr 18, 2006 10:27 am Post subject: Re: Progressive Download used to hack? |
|
|
JohnM,
Actually, error 412 means that the request contained an "If-Unmodified-Since" header which was referencing a date prior to the requested file's last modification date. The fact that the download manager "insisted" on resending the same sequence of requests suggests that the computer on which it is running has its clock set to a wrong date and time.
_________________
Support Team
Aprelium - http://www.aprelium.com |
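The triage applied in the replies above (one file requested over and over with repeated 412s, no other paths touched) can be run as a check over an access log. This is an added example, not part of the original thread; the labels, the thresholds, and the two extra clients in the sample (documentation addresses 192.0.2.7 and 198.51.100.9) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format, as in the excerpt posted in this thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: four lines in the thread's pattern, plus two invented
# clients for contrast (a client hitting many missing paths, and one normal fetch).
SAMPLE = '''\
203.83.92.174 - - [17/Apr/2006:10:59:17 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:22 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:27 -0500] "HEAD /tutorial/Final.jpg HTTP/1.1" 200 0 "" "Progressive Download"
203.83.92.174 - - [17/Apr/2006:10:59:31 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 412 244 "" "Progressive Download"
192.0.2.7 - - [17/Apr/2006:11:05:01 -0500] "GET /missing-1.html HTTP/1.1" 404 210 "" "ExampleAgent"
192.0.2.7 - - [17/Apr/2006:11:05:01 -0500] "GET /missing-2.html HTTP/1.1" 404 210 "" "ExampleAgent"
192.0.2.7 - - [17/Apr/2006:11:05:02 -0500] "GET /missing-3.html HTTP/1.1" 404 210 "" "ExampleAgent"
192.0.2.7 - - [17/Apr/2006:11:05:02 -0500] "GET /missing-4.html HTTP/1.1" 404 210 "" "ExampleAgent"
198.51.100.9 - - [17/Apr/2006:11:06:10 -0500] "GET /tutorial/Final.jpg HTTP/1.1" 200 48211 "" "ExampleBrowser"
'''

def summarize(text):
    """Group parsed lines per client IP: distinct paths and status counts."""
    clients = defaultdict(lambda: {"paths": set(), "status": Counter()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a combined-format entry
        c = clients[m["ip"]]
        c["paths"].add(m["path"])
        c["status"][int(m["status"])] += 1
    return clients

def classify(c, min_hits=4):
    """Label one client's traffic; the thresholds are assumptions for this example."""
    total = sum(c["status"].values())
    if total >= min_hits and len(c["paths"]) == 1 and c["status"][412] >= 2:
        return "precondition-retry-loop"  # same file, repeated 412 on a conditional GET
    if len(c["paths"]) >= min_hits and c["status"][404] / total >= 0.75:
        return "path-probing"             # many distinct paths, mostly missing
    return "normal"

def report(text):
    """Map each client IP in the log text to its label."""
    return {ip: classify(c) for ip, c in summarize(text).items()}
```
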
|
JohnM -
Joined: 17 Apr 2006 Posts: 6
|
Posted: Wed Apr 19, 2006 4:21 am Post subject: |
|
|
Interesting, I tracked the IP and this person is from North Korea. Could this have been the problem? |
|
Tom Chapman -
Joined: 09 Jul 2005 Posts: 933 Location: Australia
|
Posted: Wed Apr 19, 2006 7:20 am Post subject: |
|
|
Aprelium, are some of your error codes different to other well-known servers? |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
|