Blocking requests
For a couple of weeks now I have been receiving thousands of requests for non-existent files on my web server:
aaa.bbb.ccc.ddd - - [04/May/2008:06:45:31 +0200]
"GET /ratty/.wine/drive_c/Program%20Files/uTorrent/PSP%20MEGAPACK…/lfc-vt3e.006 HTTP/1.1" 302 337
"http://88.191.27.73/ratty/.wine/drive_c/Program Files/uTorrent/PSP MEGAPACK…"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
and all hits come from Chinese sources. I don't exclude the possibility that the server was cracked and is being used to distribute copyrighted content. However, two facts tell me otherwise:
- All the requests hit my web-server and are logged as 404 errors. This should not happen if the server were cracked and the users could actually download the files.
- The number of requests in my logs should have generated a huge amount of network traffic on the server. Once again this is not the case (the network activity monitored by my hosting provider is normal).
Hence I think I am the victim of an IP number error (like a misdialled phone number): someone distributed (probably on TorrentLeech, though I don't have access to their forums) a list of addresses that users retrieve with web spiders (the clients generating the hits in my logs do not have JavaScript enabled, otherwise I would be a millionaire through my AdSense program).
To stop them polluting my logs and straining my web server I devised a simple solution: block the requests. From now on everyone who tries to download one of the offending URLs will end up on a page like this and their IP will be blocked for an hour (the link does nothing, but has the same output as the real script).
In time I intend to extend this behaviour to all Internet parasites: referer and comment spammers, those who scan my server for vulnerable PHP applications that are not even installed (no, I don't have mysqladmin; whoever hits the /mysqladmin URL most probably wants to do something nasty), etc.
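The blocking logic described above (match a request for an offending URL, then refuse that client for an hour, and later extend the same treatment to probes such as /mysqladmin), as an added example that is not the author's script: it parses combined-format log lines and keeps an in-memory blocklist with a one-hour expiry. The log lines, the client addresses and the set of URL prefixes treated as offending (only the `/ratty/.wine/` and `/mysqladmin` prefixes that appear on this page) are constructed for the example; a real deployment would make this decision inside the web server or a firewall hook rather than by reading the log afterwards.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: URL prefixes no legitimate visitor of this server would request.
BLOCK_PREFIXES = ("/ratty/.wine/", "/mysqladmin")

BLOCK_TTL = timedelta(hours=1)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


class Blocklist:
    """IP -> time at which the block lapses. Expired entries are dropped lazily."""

    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self._expiry = {}

    def block(self, ip, now):
        self._expiry[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[ip]  # the hour is over, forget this client
            return False
        return True


def is_offending(path):
    return any(path.startswith(prefix) for prefix in BLOCK_PREFIXES)


def decide(rec, blocklist):
    """'blocked' if the client is already on the list, 'block' if this request
    puts it there, 'allow' otherwise."""
    ip, now, path = rec["ip"], rec["time"], rec["path"]
    if blocklist.is_blocked(ip, now):
        return "blocked"
    if is_offending(path):
        blocklist.block(ip, now)
        return "block"
    return "allow"


def process_log(lines, blocklist=None):
    """Return one decision per line; unparseable lines are reported as 'unparsed'."""
    bl = blocklist if blocklist is not None else Blocklist()
    decisions = []
    for line in lines:
        rec = parse_line(line)
        decisions.append("unparsed" if rec is None else decide(rec, bl))
    return decisions


# Constructed sample log (documentation IP ranges, invented paths and agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/May/2008:06:45:31 +0200] "GET /ratty/.wine/drive_c/Program%20Files/uTorrent/x.006 HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.7 - - [04/May/2008:06:45:32 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [04/May/2008:06:45:33 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/May/2008:07:50:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [04/May/2008:07:51:00 +0200] "GET /mysqladmin/ HTTP/1.1" 404 300 "-" "curl/7.18.0"',
    "garbage line",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, process_log(SAMPLE_LOG)):
        print(f"{action:9s} {line[:60]}")
```

The second sample request from 203.0.113.7 is an innocent page fetch, but it arrives within the hour and is therefore still refused; the fourth one, from the same client after the block has lapsed, goes through again. Matching on a URL prefix rather than the full path is deliberate, since the exact file names in the flood vary while the leading directory does not.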
