
How I can block other domains that point to my server IP?

Posted: Tue May 24, 2011 12:56 pm
by MrTeck
I found that at least 2 domains (from China) have an A record that points to one of my server IPs, and I can see in the logs that somebody is scanning it randomly.
[Tue May 24 18:20:59 2011] [error] [client 95.108.241.250] File does not exist: /var/www/vhosts/default/htdocs/ca-long-tshirts-for-women-cheap-16_291_783.html
[Tue May 24 18:21:18 2011] [error] [client 123.125.68.117] File does not exist: /var/www/vhosts/default/htdocs/washington-nationals-cheap-3_52_486.html
[Tue May 24 18:21:36 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/jordan-fusion-12af1-men-shoes1001-p-1618.html
[Tue May 24 18:22:01 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/images
[Tue May 24 18:22:33 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/lacoste-men-shoes1008-p-7102.html
[Tue May 24 18:22:47 2011] [error] [client 123.125.68.118] File does not exist: /var/www/vhosts/default/htdocs/jordan-4-6-rings-cheap-8_175.html
[Tue May 24 18:23:25 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/bmz_cache
[Tue May 24 18:23:30 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/coach-handbags1074-p-19460.html
[Tue May 24 18:24:24 2011] [error] [client 123.125.68.121] File does not exist: /var/www/vhosts/default/htdocs/ca-tshirts-womens-cheap-16_291_773.html
[Tue May 24 18:24:26 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/adidas-sunglasses-c-998_999.html
[Tue May 24 18:24:29 2011] [error] [client 123.125.68.115] File does not exist: /var/www/vhosts/default/htdocs/nike-jordan-fusion-115-cheap-8_137.html
[Tue May 24 18:24:49 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/bmz_cache
[Tue May 24 18:25:23 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/christian-audigier-women-tshirts1011-p-9583.html
[Tue May 24 18:25:51 2011] [error] [client 123.125.68.115] File does not exist: /var/www/vhosts/default/htdocs/okely-sunglasses-cheap-22_362.html
[Tue May 24 18:25:52 2011] [error] [client 123.125.68.126] File does not exist: /var/www/vhosts/default/htdocs/nike-jordan-fusion-6-cheap-8_147.html
[Tue May 24 18:26:08 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/bmz_cache
[Tue May 24 18:26:20 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/nike-air-yeezy11-p-33819.html
[Tue May 24 18:26:47 2011] [error] [client 124.115.0.21] File does not exist: /var/www/vhosts/default/htdocs/jb-classic-lab-sneakers-cheap-5_74_620.html
[Tue May 24 18:27:16 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/armani-men-long-sleeves1013-p-9340.html
[Tue May 24 18:27:21 2011] [error] [client 123.125.68.114] File does not exist: /var/www/vhosts/default/htdocs/evisu-hoody-cheap-17_292_797.html
[Tue May 24 18:27:22 2011] [error] [client 123.125.68.123] File does not exist: /var/www/vhosts/default/htdocs/abercrombiefitch-bikini-cheap-26_437.html
[Tue May 24 18:27:33 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/images
[Tue May 24 18:28:03 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/images
[Tue May 24 18:28:13 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/nike-shox-r3-men-shoes1073-p-15483.html
[Tue May 24 18:28:52 2011] [error] [client 123.125.68.126] File does not exist: /var/www/vhosts/default/htdocs/armani-belts-aaa-cheap-24_409.html
[Tue May 24 18:28:53 2011] [error] [client 123.125.68.126] File does not exist: /var/www/vhosts/default/htdocs/dunk-high-kids-cheap-5_76_654.html
[Tue May 24 18:28:56 2011] [error] [client 95.108.158.242] File does not exist: /var/www/vhosts/default/htdocs/images
[Tue May 24 18:29:11 2011] [error] [client 66.249.68.237] File does not exist: /var/www/vhosts/default/htdocs/jordan-6-rings-shoes1014-p-1577.html
....
Can I prevent it with iptables, httpd.conf, named.conf or modsecurity?
I tried with httpd.conf

Code:

Deny from thefakedomain.com

But it is still showing the default Plesk page.

I'm on CentOS 5 with Plesk 10.2.

Thanks in advance

Re: How I can block other domains that point to my server IP

Posted: Tue May 24, 2011 5:59 pm
by spaceout
Personally, I use the geo-blocking feature in ASL to just block China completely. I'm not sure if that would solve your problem, but it's something to consider.

Re: How I can block other domains that point to my server IP

Posted: Tue May 24, 2011 6:12 pm
by MrTeck
Well, I can't just block the whole country. I have some customers traveling to China and having daily contact with people there.
Thanks for the idea spaceout :)

Re: How I can block other domains that point to my server IP

Posted: Tue May 24, 2011 6:24 pm
by spaceout
If you have the Firewall module in Plesk or use ASL you could block those IP addresses at the firewall fairly easily using the web interfaces.

Re: How I can block other domains that point to my server IP

Posted: Tue May 24, 2011 8:08 pm
by scott
In this case it's clients that are probably owned by spy/malware and it's doing some kind of click-jacking or something. You could always do something clever with mod_rewrite to return those 404 pages to say "Excuse me, you know you're owned right?"... like a public service announcement or something.

Re: How I can block other domains that point to my server IP

Posted: Wed May 25, 2011 7:40 am
by MrTeck
To me, everything indicates that it is just an A record pointing to my IP.
DNS tests online:
dns23.hichina.com. ['119.145.145.59', '218.244.147.146', '218.30.103.224', '222.73.40.39'] [TTL=172800]
dns24.hichina.com. ['119.145.145.60', '218.244.147.150', '218.30.103.176', '222.73.40.40'] [TTL=172800]
MX Records: None
WWW A Record: Your scammerdomain.com A record is: [my server IP]
Imagine I get the domain: thisserversux.com, and with my own DNS I put an A record that points to your server IP.
Is it not possible to block the traffic that comes from thisserversux.com?

Well, I will try with modsecurity, but of course it would be better if I could block it earlier with iptables.

;)

Re: How I can block other domains that point to my server IP

Posted: Wed May 25, 2011 1:23 pm
by eduardosilva
MrTeck wrote:
To me, everything indicates that it is just an A record pointing to my IP.
DNS tests online:
dns23.hichina.com. ['119.145.145.59', '218.244.147.146', '218.30.103.224', '222.73.40.39'] [TTL=172800]
dns24.hichina.com. ['119.145.145.60', '218.244.147.150', '218.30.103.176', '222.73.40.40'] [TTL=172800]
MX Records: None
WWW A Record: Your scammerdomain.com A record is: [my server IP]
Imagine I get the domain: thisserversux.com, and with my own DNS I put an A record that points to your server IP.
Is it not possible to block the traffic that comes from thisserversux.com?

Well, I will try with modsecurity, but of course it would be better if I could block it earlier with iptables.

;)
MrTeck,

Maybe a single Redirect rule in .htaccess (or the vhost file) would solve your problem. Something like:
;)
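
An added example, not the code from any post in this thread: the foreign domain name reaches the server only in the HTTP Host request header, so the rule has to match that header rather than the client, which is why the `Deny from thefakedomain.com` attempt in the first post had no effect. It assumes Apache 2.2 with mod_setenvif, mod_authz_host and mod_rewrite loaded, and placement in a `<Directory>` block for the default document root or in its .htaccess; `thefakedomain.com` is the placeholder name from the question.

```apache
# Added example for Apache 2.2 (the CentOS 5 / Plesk 10.2 setup in the thread).
# Assumption: placed in a <Directory> block for the default docroot, or in
# its .htaccess with AllowOverride permitting FileInfo and Limit.

# --- What was tried: has no effect here ---------------------------------
# "Deny from <name>" (mod_authz_host) tests the CLIENT. Apache reverse-
# resolves the connecting IP and compares that hostname with the name given.
# It never inspects the Host header, so visitors who arrive through the
# foreign A record are not matched.
# Deny from thefakedomain.com

# --- Option 1: same Deny mechanism, keyed on the Host header ------------
# SetEnvIfNoCase flags the request when the Host header is the unwanted
# name (with or without "www." and an optional port).
SetEnvIfNoCase Host "^(www\.)?thefakedomain\.com(:[0-9]+)?$" unwanted_host

# With "Order Allow,Deny" a request matching both Allow and Deny is denied,
# so flagged requests get 403 and everything else is served as before.
Order Allow,Deny
Allow from all
Deny from env=unwanted_host

# --- Option 2: the same check with mod_rewrite --------------------------
# Use instead of Option 1 if mod_rewrite rules already live in this context.
# [F] returns 403 Forbidden; [NC] makes the host match case-insensitive.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?thefakedomain\.com(:[0-9]+)?$ [NC]
RewriteRule ^ - [F]
```

Either option stops the default Plesk page from being served under the foreign name while leaving requests for your own hostnames untouched. The 403 responses still appear in the access log, so the crawler traffic stays visible.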

Re: How I can block other domains that point to my server IP

Posted: Thu May 26, 2011 6:17 am
by MrTeck
Thanks eduardo.
Finally, I created a domain with some AdSense banners, and with the redirect I will get some cents :wink:

Re: How I can block other domains that point to my server IP

Posted: Thu May 26, 2011 9:47 am
by scott
Haha, that's brilliant