
Hi all,

This is my first time posting in this forum (disclaimer: please let me know if this is not the right place to post this). I'm turning to the Linux server discussion gurus for some sagely advice :)

I have a VPS web server running CentOS with Apache and all the other good web server jazz. The main website hosted on the server is http://jettisonquarterly.com (IP: http://184.82.106.92). Lately I've noticed (by stumbling across it in a Google search when testing my SEO) that another domain (http://42639104591279053.forth.arraymultisort.info, or really http://any_string.forth.arraymultisort.info/) is apparently forwarding all requests to my IP address. The reason I'm pretty certain they're forwarding and haven't stolen/cloned my site is that if I access that site from home, my home IP address shows up in my access logs.

I'm fairly certain this is a fledgling attack. Every once in a while my access logs will show something like this (just a sample):

111.164.160.222 - - [23/Mar/2011:06:06:33 -0500] "GET /currentIssue/cover.jpg HTTP/1.1" 200 17424 "http://8683227610213234105.forth.arraymultisort.info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

111.164.160.222 - - [23/Mar/2011:06:06:42 -0500] "GET /images/logo.png HTTP/1.1" 200 5556 "http://8683227610213234105.forth.arraymultisort.info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

where that domain seems to be the referrer for style sheets, JavaScript files, images, etc.

So the real question is: Is there a way that I can block this site from forwarding itself to my site's IP address and essentially cloning my site?

I can think of a few reasons why I don't want this happening:
- The site (after doing some WHOIS searches) is clearly meant for malicious purposes
- The owner is listed as being in China (although not necessarily a red flag, I've had my fair share of problems with Chinese spiders and the like in the past)
- In some cases, they're stealing search engine hits
- Since it began, I've been getting some very strange query strings appearing in my access logs (e.g. "?kw=%E4%B8%80%E5%93%81%E6%A5%BC%E8%AE%BA%E5%9D%9B%E6%9C%80%E6%96%B0%E5%9C%B0%E5%9D%80")
- I don't know who this is and what they're doing.

It's that last part that makes me the most suspicious: I can't figure out any reason for this to be happening unless there's some kind of spoofing, injection attack, or XSS attack in the works.

So please, DaniWeb folks, enlighten me: does this seem like a real threat I should be concerned about? If so, how do I go about stopping it?

Thanks much,
Ty


Also, just for clarification, I have done a fair amount of Googling for a related problem before I posted here. However, IMO they were fairly feeble searches, the main problem being that I'm not really sure what terms to search for (I don't know if this kind of thing has a name, rather, I don't know what to call it).

So I'd like to add that any information anyone can provide about the nature of what I've been seeing, whether it's a common type of attack on security, and/or what it's called, would also be appreciated.


It sounds like some probing going on. Make sure your web server and other stuff are up to date security-wise. CentOS is pretty secure itself. Have you implemented SELinux extensions? That will help keep out baddies. One final thing is that you might post this to the security forum of www.linuxforums.org where there are more lurkers for Linux-specific stuff like this.


Thanks! I'll re-post on the Linux Forums. I'm going to leave this thread open for a day or two until I can post the solution offered over there.


Okay, ready to close the thread as the issue has been resolved.

To anyone interested, I used PHP ($_SERVER) to check the host and display a page informing the user that they are at the wrong site (in the case that the correct host is not in the URL).

I also have a JavaScript function in place as a backup to do the same thing in the event that somebody figures out a way to spoof the HTTP host.

Finally, here's a link to the Linux Forum thread that I made:
http://www.linuxforums.org/forum/servers/176731-solved-possible-attack-how-stop.html
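One way to implement the Host check described in this post, as an added example in PHP (not the poster's code): it compares the request's Host header against an allowlist of the site's own hostnames and, instead of showing a "wrong site" notice, sends a 301 redirect to the canonical hostname while keeping the requested path. The hostnames are the ones named in the thread; the allowlist and constant names are assumptions.

```php
<?php
// Added example (not the original poster's code). Decide from the Host header
// whether the request arrived under one of the site's own hostnames; anything
// else is redirected to the canonical name so a foreign domain pointed at this
// IP cannot serve the site under its own name.
const CANONICAL_HOST = 'jettisonquarterly.com';
const ALLOWED_HOSTS  = ['jettisonquarterly.com', 'www.jettisonquarterly.com'];

/**
 * Return null when the request was addressed to an allowed host, otherwise the
 * URL the client should be redirected to. Only HTTP_HOST is consulted: it is
 * what the client actually asked for, whereas SERVER_NAME may simply echo the
 * vhost's configured name and so would never differ.
 */
function redirectTargetForHost(array $server, array $allowed, string $canonical): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an explicit port ("example.com:8080") and a trailing dot before comparing.
    $host = preg_replace('/:\d+$/', '', rtrim($host, '.'));

    if (in_array($host, $allowed, true)) {
        return null; // genuine request, serve the page normally
    }
    // Keep path and query so legitimate deep links still land on the right page.
    $uri    = $server['REQUEST_URI'] ?? '/';
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $canonical . $uri;
}

// Constructed sample requests: one under the site's own name, one under a
// hostname shaped like the unknown domain seen in the access logs above.
$samples = [
    ['HTTP_HOST' => 'www.jettisonquarterly.com',                 'REQUEST_URI' => '/currentIssue/cover.jpg'],
    ['HTTP_HOST' => '8683227610213234105.forth.arraymultisort.info', 'REQUEST_URI' => '/images/logo.png?kw=x'],
];
foreach ($samples as $s) {
    $target = redirectTargetForHost($s, ALLOWED_HOSTS, CANONICAL_HOST);
    echo $s['HTTP_HOST'], ' => ', $target ?? 'serve normally', PHP_EOL;
}

// In production this would sit at the top of a shared include and act on the result.
if (PHP_SAPI !== 'cli') {
    $target = redirectTargetForHost($_SERVER, ALLOWED_HOSTS, CANONICAL_HOST);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}
```

The same effect can be had before PHP runs by giving Apache a default VirtualHost that catches every Host value not matched by the site's own vhost.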
