Further conversations:
Ken's response:
Ken Smith Wrote: I do apologize, I am not used to getting international time. That would be in the afternoon. Though the students still do not have access at that time.
Yes, I would appreciate any information that you have,
Ken Smith
My response:
Adrian Hayter Wrote: Hey Ken,
Attached is the access log (filtered to just the requests sent by the IP in question). As you can see, the first request was sent at around 9:55pm, and the last (just before I blocked the IP) was sent at 10:05pm. There are 6,911 requests in total; the last 2,000 or so all go to the same location (search.php), so it appears that this was the main DOS attack. However, the earlier requests contained "strange" parameters, which look like they are from a script trying to gain access to privileged files on the server.
For example, on lines 950, 1046, 1132, and many others, the script tries to use directory traversal to get access to password files. Most other requests are for pages that don't exist, which makes me think that this particular script is just a generic one which tries a long list of vulnerable URLs and hopes for a hit.
Kind regards,
Adrian Hayter
If you want to have a look at the log, I have uploaded it (in 7zip format) to the server: http://atheistforums.org/dos-log.7z
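The kind of triage Adrian describes above (filter the access log to one IP, find the time window, spot the search.php flood and the traversal probes, and count how many distinct User-Agents that single IP sent) can be scripted; the block below is an added example, not code from the thread, and it runs on constructed Apache combined-format lines rather than the real log. The IP, paths and timestamps are made up, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (Apache combined log format); not the thread's real log.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2010:21:55:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.0)"
203.0.113.7 - - [17/Nov/2010:21:55:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.0)"
203.0.113.7 - - [17/Nov/2010:21:55:04 +0000] "GET /cgi-bin/foo.cgi?f=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.0)"
198.51.100.9 - - [17/Nov/2010:21:56:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [17/Nov/2010:22:04:58 +0000] "GET /search.php?q=a HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [17/Nov/2010:22:05:00 +0000] "GET /search.php?q=b HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Plain and URL-encoded "dot-dot" sequences, plus a direct request for /etc/passwd.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\|%2f|%5c)|%2e%2e|/etc/passwd', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["url"].split("?", 1)[0]   # path without the query string
    return rec

def triage(log_text, ip):
    """Summarise everything a single source IP did: volume, window, targets, probes, UAs."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ip]
    if not recs:
        return None
    return {
        "requests": len(recs),
        "duration_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
        "top_paths": Counter(r["path"] for r in recs).most_common(3),
        "traversal_attempts": sum(1 for r in recs if TRAVERSAL_RE.search(r["url"])),
        "not_found": sum(1 for r in recs if r["status"] == "404"),
        # The UA is a client-supplied header, so several values from one IP do not
        # by themselves show that several machines were involved.
        "user_agents": Counter(r["ua"] for r in recs),
    }
```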
Ken's response:
Ken Smith Wrote: Thanks for the documentation, and sorry about my confusion on time and identity.
Looking at your data I am wondering if the IP was spoofed from another location. The only thing that points me in that direction is that in all of the entries I looked at (I just browsed the list but looked at most of them) the user agent is listed as Windows NT 6.0. That refers to Windows Vista or Server 2008. We are not using either of those operating systems (who would still be using Vista?). All of our computers are Windows XP with just a couple of Windows 7 laptops used only by teachers. I have not found anything yet, but I will be asking if there were people in the building last night. The IP that is on the list is used only by the school and not the church or parish operation. They have a separate system from the school.
Looking at the data, it does look like the person either used multiple computers, or a separate scripting system. The user agent is different in 25 of the entries; these are probably the ones where the person manually accessed your system, and they are reporting a different browser.
If you see any other suspicious activity coming from us, please let me know as soon as possible. I have set the system up to email me the logs daily so I can monitor them.
Ken Smith
My response:
Adrian Hayter Wrote: Hey Ken,
Thanks for keeping me updated. It could be that your IP was spoofed, but I'd be wary of using the User-Agent data as an accurate measure; User-Agents are quite easy to change, since they are optional headers and are usually set by the browser (or a script) when making an HTTP request. Given the relative difficulty of spoofing IP addresses, it is far more likely that the User-Agent was changed by the script, making it appear as if multiple computers were involved. The user who entered our chatroom did say they could take down our site using only one computer, which makes me think they were simply using a script to generate HTTP requests.
Most internet routers have some form of protection against IP spoofing as well, and the attack was using direct HTTP requests rather than other techniques such as ICMP flooding (where IP spoofing is much easier to do). Hopefully we'll get to the bottom of this!
I've set up a log to catch any further activity from the IP, but the ban is still in place so any further attacks shouldn't be able to affect the server again.
Kind regards,
Adrian Hayter