I have had some strange behavior occur on my site over the past 24 hours that I have watched closely.
I watch Active Users quite frequently on my site and I started to see multiple browsers with Windows XP all viewing an old topic that has several post with pictures in it. I noticed that a new 'guest' was hitting that particular thread every 1 minute. Very strange, so I watched this over the next 24 hours to see if it was just some friends that had stumbled across the site and were viewing it simultaneously. I constantly watched the netstat log on my computer and my Firewall and noticed that ALL of them were coming from two subnet ranges. 59.x.x.x, 149.135.x.x and 210.x.x.x. Most of which were coming from three particular IP's.
I then did a lookup on these IP's and all of them where from the OrgName: Asia Pacific Network Information Centre.
I then blocked these three subnets from my firewall and but I am wondering if they are looking for something in particular or if they were trying to exploit just my server or if it was a fluke incident, which I doubt. We are pretty much a localized forum and I dont think we have an international following.
As soon as I block one another appears to replace it.
I run an SQL forum on 8.04 and I have upload images enabled on my forum... any body else seeing this sorta thing? I block one IP range and a new one from the APNIC shows up looking at the same topic with multiple 'hits' to the same thread.
Edited by ToJaRo - 18 September 2006 at 2:20pm
Topic Options
Post Options
Thanks(0)
