[Dshield] Tens of thousands of http gets for the same .gif/.jpg

Stoney Jiang SJiang at adbsys.com
Fri Nov 8 13:38:29 GMT 2002


It seems like a Trojan horse. If this happened on the same workstation, then
99% for sure. Somebody is using that workstation to generate traffic to
hit somebody else or for profit.

Stoney Jiang



-----Original Message-----
From: J. Foobar [mailto:jfoobar1 at yahoo.com]
Sent: Thursday, November 07, 2002 11:30 PM
To: list at dshield.org
Subject: RE: [Dshield] Tens of thousands of http gets for the same .gif/.jpg


First off, thanks for the replies so far.

I don't think this has anything to do with ephemeral
content.

The first incident like this I noticed involved over
300,000 http gets for this file:

http://www.peterindia.com/swecre61.jpg

In about a 30-40 minute period.  This is a background
texture .jpg.

I am pretty sure that the internal user was not even
at his/her desk when this happened, but he/she had
surfed to this site several hours before and then
there was no traffic from this machine at all for
several hours.  

Another one I found from 10/31. 

http://209.249.249.170/cc-production/images/playing.gif

Again, small and static content.  It is an IP owned by
a public radio station if memory serves.  The requests
did not come at quite the fevered pitch as the one
above, 30000+ requests in a little over 3 hours.

A week later (yesterday), the same IP again made
28000+ requests to the exact same .gif, this time over
a 5-hour period.

Weird.

Thanks,
Justin

--- Tony Nichols <tony at mail.applog.com> wrote:
> Could it be one of those websites that update the images every few
> seconds like a weather map? Or maybe a webcam?
> 
> T o n y
> 
> 
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of J. Foobar
> Sent: Thursday, November 07, 2002 5:17 AM
> To: list at dshield.org
> Subject: [Dshield] Tens of thousands of http gets for the same .gif/.jpg
> 
> 
> I'm hoping that someone can steer me in a useful direction on this.
> 
> We recently started doing some serious audits of internal web use,
> based largely on bandwidth usage and connection count information
> parsed from our firewall logs.  I work for an organization with about
> 100,000 internal network-connected workstations.
> 
> What I have been periodically seeing is a workstation that racks up
> huge amounts of http connections in a 24-hour period.  A close look at
> the traffic dump for the user shows that the workstation performed tens
> of thousands of http gets on a web-based .jpg or .gif in a short amount
> of time.  Today I found one that racked up 50,000 plus, all for the
> same .gif, in under an hour.
> 
> I have found four of these in the past couple of weeks, all different
> internal systems with no rhyme or reason to the "targets."  One was a
> doppler weather map on a local news web site, another was a background
> texture .gif on an obscure IT portal site.  In at least one case, the
> user surfed to the target site during business hours and probably left
> his/her browser open.  Then, several hours later after he/she almost
> certainly had gone home, 100000+ http gets for the same .jpg starting
> at 9pm and lasting a few hours.  Then, it stopped.
> 
> Browser configuration problem, flaky behavior inherent to IE (mostly
> 5.0 and 5.5), malware of some sort?  What does this smell like?
> 
> I am really not much of a client systems guy, especially when it comes
> to MS-schtuff, so I'm really not sure what to look for when I discover
> these.
> 
> Thanks in advance,
> Justin
> 



_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
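
Added example, not part of any message in this thread: one way to find the pattern described above in parsed proxy or firewall logs, flagging any workstation that requests the same URL at least `threshold` times inside a sliding time window. The log line format, the addresses and URLs, and the function names are assumptions made for the example; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical), one request per line:
#   <ISO timestamp> <client IP> <method> <URL>
def parse(line):
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url.strip()

def find_repeat_getters(lines, threshold, window):
    """Return {(client, url): peak count} for every client that issued at
    least `threshold` GETs for one URL inside any sliding `window`."""
    recent = defaultdict(deque)  # (client, url) -> timestamps still in window
    peaks = {}
    for line in lines:  # lines must be in time order
        if not line.strip():
            continue
        ts, client, method, url = parse(line)
        if method != "GET":
            continue
        q = recent[(client, url)]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(client, url)] = max(peaks.get((client, url), 0), len(q))
    return peaks

def build_sample():
    """Constructed sample: one host hammering one image, one normal host."""
    start = datetime(2002, 11, 7, 21, 0, 0)
    lines = []
    for i in range(600):  # 600 GETs, one per second, for the same image
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 GET http://www.example.com/texture.jpg")
    for i in range(20):   # ordinary browsing: 20 different pages
        t = (start + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t} 10.0.0.9 GET http://www.example.com/page{i}.html")
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    hits = find_repeat_getters(build_sample(), 500, timedelta(minutes=10))
    for (client, url), n in hits.items():
        print(f"{client} requested {url} {n} times within 10 minutes")
```

Keying on the (client, URL) pair rather than on total connection count separates a host that repeats one request from a host that is simply browsing heavily.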



