Just signed up, already have clogged logs

[vedman]

Hello -

I signed up here yesterday, and everything has been awesome. One thing caught my eye though, in my site logs, I already have several hits that look like this:

69.73.54.XX - - [27/Apr/2004:12:35:18 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02

etc.... the length of garbage chars is about 10 times that... per request.

Some of the IPs that are clogging up my logs (X's inserted to protect the guilty):

69.73.54.XX
69.73.54.XX
69.193.64.X
69.73.43.XX
69.73.49.XX
69.138.127.XXX

Traces reveal they are all coming from knology.net

I know I can block IPs through the CP, but they're all different...and I fear if I block a range, I might be blocking computers that try to visit my site that aren't spawns of satan.

Any advice?

[Ron]

Even though they are a huge PITA, I just ignore them....
They really do ruin the Latest Visitors report.

[vedman]

Originally posted by jrmcdona
unwelcome comment by jrmcdona edited

Actually, this isn't my first time here... jaguar rox! Seriously. I was at CI Host and got screwed over (and that was last summer; not even related to the worm that recently crawled up their bum).

Originally posted by Ron
Even though they are a huge PITA, I just ignore them....
They really do ruin the Latest Visitors report.

ack, so it's something you just gotta put up with, or block 100s of IPs?

[Spathiphyllum]

Originally posted by jrmcdona
unwelcome comment by jrmcdona edited

So why is it JaguarPC's fault that a worm\hacker attack has visited our sites via Jaguar servers? The web host has installed the appropriate web server and used logging to track the good, bad, and ugly that happens when computers communicate on this shared environment. It's the nature of the beast.

If you are still using JaguarPC's services, why don't you move to another web host? I moved from another host that charged significantly more money and offered much fewer resources and support to this one. I've got to tell you that, fortunately, my experience has been almost superb. Not perfect, but a terrific value. Perfect would require that I host the site myself... not a reasonable alternative considering the time and money required.

Would you be kind enough to elaborate on your dissatisfaction rather than just stating that things are "pitiful"? The forum members often come up with good suggestions if JaguarPC proper cannot help you.

[Galen]

If all the IPs are resolving to the same domain, just block the domain.

IP Deny Manager

This feature will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter an fully qualified domain name, and the Ip Deny Manager will attempt to resolve it to an ip address for you.

(emphasis mine)

Give it a shot.

[Connie]

Originally posted by jrmcdona
unwelcome comment by jrmcdona edited

I've been here about 3 years. I have 3 sites hosted with Jag.

Jag is not perfect. No host is. On the other hand for what you pay for what you get (usually suburab service) you won't find a better host for a shared server environment.

[Spathiphyllum]

Originally posted by Galen
If all the IPs are resolving to the same domain, just block the domain.

I don't think this will rid you of the logging though. You may deny access to particular domains via the IP manager (I'm guessing it's just an .htaccess file manager) but it's overall effect for this particular attack is fruitless. Apache on *nix is not vulnerable to this hack so denying access from rogue servers will not impact your website... other than filling your logs. Nevertheless, your access log will still record the hack visit. Unless there is some other upstream server component that filters rogue requests before it hits your server, the IP manager will be relatively ineffectual to this annoyance. Check out Apache 1.3 core features and note "Context: .htaccess" directives to fine tune without using the IP manager. This is where the guts are revealed.

Now, if it's the same narrow IP range day-after-day that's the culprit, then blocking them out will provide peace of mind.

[JPC-Greg]

sorry, I didnt let that post fly . Edited by myself in case anyone wants to know. Feel free to PM me if you have any objections.

As for the original poster of this problem, its not a concern to your site other than the crazy log space it may be taking up. I would agree with Galen above, just block the domain. It works the same as blocking an ip. Dont be afraid to deny ranges though, that wont keep people from being able to email from those ranges if you have some legit visitor that can no longer see your site.