[Project_owners] Bugzilla Attacks

Pete Collins pete at mozdev.org
Tue Dec 9 09:17:03 EST 2003


mysql barfed last night due to too many connections.

I'm looking through the cgi logs:

mozdev.org 217.78.142.123 - - [09/Dec/2003:00:06:13 -0500] "GET 
/bugs/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=&emailtype1=substring&emailassigned_to1=1&email2=&emailtype2=substring&emailreporter2=1&changedin=&chfieldfrom=&chfieldto=Now&chfieldvalue=&product=BannerBlind&short_desc=&short_desc_type=substring&long_desc=&long_desc_type=substring&bug_file_loc=&bug_file_loc_type=substring&newqueryname=&form_name=query&order=bugs.rep_platform&order=bugs.bug_id&order=bugs.bug_id&order=bugs.bug_status&order=bugs.bug_id 
HTTP/1.1" 200 752659 "http://www.sexrabbit.de" "Mozilla/4.0 (compatible; 
MSIE 5.0; Windows NT; DigExt)" 52

This looks like a DOS attack.

Try clicking on this link (actually please don't)
http://www.mozdev.org/bugs/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=&emailtype1=substring&emailassigned_to1=1&email2=&emailtype2=substring&emailreporter2=1&changedin=&chfieldfrom=&chfieldto=Now&chfieldvalue=&product=BannerBlind&short_desc=&short_desc_type=substring&long_desc=&long_desc_type=substring&bug_file_loc=&bug_file_loc_type=substring&newqueryname=&form_name=query&order=bugs.rep_platform&order=bugs.bug_id&order=bugs.bug_status&order=bugs.rep_platform&order=bugs.bug_

id

"This list is too long for Bugzilla's little mind; the 
Next/Prev/First/Last buttons won't appear on individual bugs."

This link was accessed 448 times since 12:00AM last night continually 
form the same IP. It looks like an attack or an attempt to crack the box.

If the Referrer is coming from http://www.sexrabbit.de then it could be 
a php or perl script.

HTTP/1.1 302 Found
Date: Tue, 09 Dec 2003 14:04:16 GMT
Server: Apache/1.3.27 (Linux/SuSE) PHP/4.3.1 mod_perl/1.27
X-Powered-By: PHP/4.3.1
Location: ./user/allgemein_start.php
Connection: close
Content-Type: text/html

We blocked the IP. Any thoughts on how best to deal w/ this kind of crap?

--pete
-- 
Pete Collins
www.mozdev.org
www.mozdevgroup.com



More information about the Project_owners mailing list