[Dshield] Tens of thousands of http gets for the same .gif/.jpg

Patrick Andry pandry at wolverinefreight.ca
Thu Nov 7 19:48:14 GMT 2002


This sounds like an animated gif file.  If a browser is left open you
will see multiple downloads of this. Visit the parent sites and see if
there are large amounts of banner ads, etc.  

The weather page probably uses a script to show an animated weather map,
loading multiple jpegs in the same window. 

On Thu, 2002-11-07 at 05:16, J. Foobar wrote:
> I'm hoping that someone can steer me in a useful
> direction on this.
> 
> We recently starting doing some serious audits of
> internal web use, based largely on bandwidth usage and
> connection count information parsed from our firewall
> logs.  I work for an organization with about 100,000
> internal network-connected workstations.
> 
> What I have been periodically seeing is a workstation
> that racks up huge amounts of http connections in a
> 24-hour period.  A close look at the traffic dump for
> the user shows that the workstation performed tens of
> thousands of http gets on a web-based .jpg or .gif in
> a short about of time.  Today I found one that racked
> up 50,000 plus, all for the same .gif, in under an
> hour.
> 
> I have found four of these in the past couple of
> weeks, all different internal systems with no rhyme or
> reason to the "targets."  One was a doppler weather
> map on a local news web site, another was a background
> texture .gif on an obscure IT portal site.  In at
> least one case, the user surfed to the target site
> during business hours and probably left his/her
> browser open.  Then, several hours later after he/she
> almost certainly had gone home, 100000+ http gets for
> the same .jpg starting at 9pm and lasting a few hours.
>  Then, it stopped.
> 
> Browser configuration problem, flaky behavior inherent
> to IE (mostly 5.0 and 5.5), malware of some sort? 
> What does this smell like?
> 
> I am really not much a client systems guy, especially
> when it comes to MS-schtuff, so I'm really not sure
> what to look for when I discover these.
> 
> Thanks in advance,
> Justin
> 
> __________________________________________________
> Do you Yahoo!?
> U2 on LAUNCH - Exclusive greatest hits videos
> http://launch.yahoo.com/u2
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list





More information about the list mailing list