I think this is an attack - Can you help?

I think this is an attack - Can you help?

am 02.04.2008 23:35:42 von Jim G

Over the past few months I have noticed a lot of bogus traffic hitting my
servers. Infact so much so that at any given time there are from 800 to 1000
connections to any one of my servers at a time with the stuff you see below.
All of the hits come from Macintosh computers, they are all calling this
/?32175, /?536235, /?2523754 and another that is not listed here is /f=* The
/?xxxxx is from an affiliate program that was running on my server, but I
know for a fact that this is bogus traffic because the accounts that these
are related to are closed and the affiliate program is no longer running.

Listed below all this is another sort of attack, coming from youtube. (Below
this snipet).

77.54.169.33 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; UP6; PPC Mac OS X; en-US) AppleWebKit/8I1.3
(KHTML, like Geco, Safari) OmniWeb/vY42.H8"
189.46.128.138 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 841; PPC Mac OS X; en-US) AppleWebKit/5A2.1
(KHTML, like Geco, Safari) OmniWeb/vL33.EC"
213.203.109.223 - - [02/Apr/2008:15:49:47 -0500] "GET /?32175 HTTP/1.1"
302 - "-" "Mozilla/5.0 (Macintosh; ZTV; PPC Mac OS X; en-US)
AppleWebKit/2CG.0 (KHTML, like Geco, Safari) OmniWeb/vR13.Q4"
89.186.129.247 - - [02/Apr/2008:15:49:47 -0500] "GET /?2460341 HTTP/1.0"
200 - "-" "Mozilla/5.0 (Macintosh; COK; PPC Mac OS X; en-US)
AppleWebKit/410.4 (KHTML, like Geco, Safari) OmniWeb/v463.21t=C:\\WINDO\x81"
85.59.165.254 - - [02/Apr/2008:15:49:47 -0500] "GET /?536235 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; FNY; PPC Mac OS X; en-US) AppleWebKit/1EA.1
(KHTML, like Geco, Safari) OmniWeb/vT36.BQ"
83.77.25.99 - - [02/Apr/2008:15:49:47 -0500] "GET /?2523754 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; MOZ; PPC Mac OS X; en-US) AppleWebKit/160.3
(KHTML, like Geco, Safari) OmniWeb/v872.61Java\\jre1.\x81"
201.14.123.228 - - [02/Apr/2008:15:49:48 -0500] "GET /?536235 HTTP/1.1"
302 - "-" "Mozilla/5.0 (Macintosh; MRN; PPC Mac OS X; en-US)
AppleWebKit/4NZ.x (KHTML, like Geco, Safari) OmniWeb/vZ51.2S"
121.133.157.68 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; KV6; PPC Mac OS X; en-US) AppleWebKit/172.3
(KHTML, like Geco, Safari) OmniWeb/vJ37.7H"
85.87.193.139 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 5LF; PPC Mac OS X; en-US) AppleWebKit/3QJ.7
(KHTML, like Geco, Safari) OmniWeb/v515.VB"
70.55.144.248 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
302 - "-" "Mozilla/5.0 (Macintosh; JGI; PPC Mac OS X; en-US)
AppleWebKit/213.5 (KHTML, like Geco, Safari) OmniWeb/v824.15"
217.28.149.2 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; DTZ; PPC Mac OS X; en-US) AppleWebKit/301.0
(KHTML, like Geco, Safari) OmniWeb/v807.20"
87.217.131.213 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
302 - "-" "Mozilla/5.0 (Macintosh; PJS; PPC Mac OS X; en-US)
AppleWebKit/146.5 (KHTML, like Geco, Safari) OmniWeb/v230.68"
189.7.126.158 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; RMD; PPC Mac OS X; en-US) AppleWebKit/425.0
(KHTML, like Geco, Safari) OmniWeb/vQ41.ZX"
85.141.175.51 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; RBV; PPC Mac OS X; en-US) AppleWebKit/2F7.5
(KHTML, like Geco, Safari) OmniWeb/vB30.I6"
83.32.16.185 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0" 200 -
"-" "Mozilla/5.0 (Macintosh; ZYE; PPC Mac OS X; en-US) AppleWebKit/464.2
(KHTML, like Geco, Safari) OmniWeb/v113.43ive=C:"
86.70.188.210 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
302 - "-" "Mozilla/5.0 (Macintosh; APH; PPC Mac OS X; en-US)
AppleWebKit/427.2 (KHTML, like Geco, Safari) OmniWeb/v420.87ive=C:"
41.232.217.206 - - [02/Apr/2008:15:49:48 -0500] "GET /?2523754 HTTP/1.0"
302 - "-" "Mozilla/5.0 (Macintosh; EPQ; PPC Mac OS X; en-US)
AppleWebKit/358.0 (KHTML, like Geco, Safari) OmniWeb/v333.10"
80.54.182.184 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 89P; PPC Mac OS X; en-US) AppleWebKit/5Q4.5
(KHTML, like Geco, Safari) OmniWeb/vV12.ZO"
81.245.130.219 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 5D8; PPC Mac OS X; en-US) AppleWebKit/3JX.6
(KHTML, like Geco, Safari) OmniWeb/vZ30.9E"
75.145.164.201 - - [02/Apr/2008:15:49:48 -0500] "GET /?2460341 HTTP/1.0"
200 - "-" "Mozilla/5.0 (Macintosh; FEY; PPC Mac OS X; en-US)
AppleWebKit/771.0 (KHTML, like Geco, Safari) OmniWeb/v157.64ogram File\x81"
85.155.150.84 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 3DK; PPC Mac OS X; en-US) AppleWebKit/11G.3
(KHTML, like Geco, Safari) OmniWeb/vG71.QI"
87.219.102.226 - - [02/Apr/2008:15:49:48 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; YFS; PPC Mac OS X; en-US) AppleWebKit/2E0.4
(KHTML, like Geco, Safari) OmniWeb/vE66.LU"
79.9.196.135 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; D90; PPC Mac OS X; en-US) AppleWebKit/2Q5.0
(KHTML, like Geco, Safari) OmniWeb/vY14.GG"
82.156.95.90 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; INN; PPC Mac OS X; en-US) AppleWebKit/656.6
(KHTML, like Geco, Safari) OmniWeb/v500.56"
84.228.117.107 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 3PY; PPC Mac OS X; en-US) AppleWebKit/3FE.4
(KHTML, like Geco, Safari) OmniWeb/vI12.OU"
80.236.91.61 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; SFU; PPC Mac OS X; en-US) AppleWebKit/813.2
(KHTML, like Geco, Safari) OmniWeb/v137.52:\\Program \x81"
89.3.91.218 - - [02/Apr/2008:15:49:49 -0500] "GET /?2523754 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; UHT; PPC Mac OS X; en-US) AppleWebKit/338.0
(KHTML, like Geco, Safari) OmniWeb/v871.10ve=C:"
201.18.37.162 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.0" 302 -
"-" "Mozilla/5.0 (Macintosh; TAY; PPC Mac OS X; en-US) AppleWebKit/7W5.3
(KHTML, like Geco, Safari) OmniWeb/vU20.KW"
200.8.110.143 - - [02/Apr/2008:15:49:49 -0500] "GET /?32175 HTTP/1.1" 302 -
"-" "Mozilla/5.0 (Macintosh; 4C2; PPC Mac OS X; en-US) AppleWebKit/8NC.0
(KHTML, like Geco, Safari) OmniWeb/vP05.9V"
80.20.99.250 - - [02/Apr/2008:15:49:49 -0500] "GET /?2460341 HTTP/1.0" 200 -
"-" "Mozilla/5.0 (Macintosh; TQN; PPC Mac OS X; en-US) AppleWebKit/177.1
(KHTML, like Geco, Safari) OmniWeb/v467.13"


From Youtube

[root@host5 httpd]# grep "youtube" access_log
89.42.144.9 - - [02/Apr/2008:15:49:50 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=ZlXFjyP_Cck&feature=related" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.253.96.206 - - [02/Apr/2008:15:50:07 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=oYqN4o9Xvxg&feature=related" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)"
196.206.214.178 - - [02/Apr/2008:15:50:11 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=PKLFfVMqe-I" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)"
78.168.37.42 - - [02/Apr/2008:15:50:57 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1)"
78.168.37.42 - - [02/Apr/2008:15:50:58 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1)"
78.168.37.42 - - [02/Apr/2008:15:51:11 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&search_ty pe="
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:51:12 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&search_ty pe="
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:51:58 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=2" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:52:28 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:52:29 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=3" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:53:08 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=4" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:53:44 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=5" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:54:14 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=6" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:54:43 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=7" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:55:16 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=besyo&page=8" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.206.214.178 - - [02/Apr/2008:15:55:31 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=warda+3la+warda &search_type="
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
78.168.37.42 - - [02/Apr/2008:15:55:38 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=ctl&search_type =" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:55:55 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/results?search_query=kol+bast%C4%B1& search_type="
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.168.37.42 - - [02/Apr/2008:15:56:02 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=yVt6rJlEueY" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; SV1)"
196.206.214.178 - - [02/Apr/2008:15:56:03 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=wFPCa9NgNy8" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)"
67.139.245.131 - - [02/Apr/2008:15:56:04 -0500] "GET /?f=r HTTP/1.0" 302 -
"http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
67.139.245.131 - - [02/Apr/2008:15:56:05 -0500] "GET
/stormpay/user/user_auctions.php HTTP/1.0" 200 33524
"http://www.youtube.com/watch?feature=related&v=hIE4swcmEDY" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.206.214.178 - - [02/Apr/2008:15:56:22 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://www.youtube.com/watch?v=Wzv_-AjXPDY&feature=related" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)"
69.250.228.122 - - [02/Apr/2008:15:56:31 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)"
69.250.228.122 - - [02/Apr/2008:15:56:32 -0500] "GET /?f=* HTTP/1.1" 302 -
"http://youtube.com/watch?v=VbhsYC4gKy4" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)"

Yesterdays log file shows over 13,000 youtube entries alone.

[root@host5 httpd]# grep "youtube" access_log.1 | wc
13787 284556 2904200

Over 1 million hits yesterday on the expression "Macintosh"

[root@host5 httpd]# grep "Macintosh" access_log.1 | wc
1516665 37654811 297731520

This is on just one server, I have 3 that are currently online.

Now I have attempted to contact youtube, which as you know is nearly
impossible. I have added some code to my page to try to stop these attacks
which basically says if this expression comes in, redirect to localhost.

$flood_queries = array(
'f=*',
'2523754',
'536235',
'32175'
);
if (!empty($QUERY_STRING)) {
foreach ($flood_queries as $flood) {
if (stripos($QUERY_STRING,$flood)!==false) {
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Last-Modified: '.gmdate('D, d M Y H:i:s').'
GMT');
header('Cache-Control: must-revalidate,
post-check=0, pre-check=0');
header('Location: http://127.0.0.1/');
die();

But this has not helped in any way. These hits seem to be increasing. It
seems that something or someone is embedding a GET request in the youtube
flv file that is created? Is that possible? Can I turn up the logging in
apache to see if it shows me anything else? (Although I dont want to slow it
down anymore than what it already is).

If you have any idea on what this is or how to stop it I would appreciate
it.

Thanks
Jim