dmpinder's Profile
Reputation: 23
Excellent
- Group: Members
- Active Posts: 418 (0.32 per day)
- Joined: 17-October 08
- Profile Views: 8,067
- Last Active: Mar 16 2012 11:52 AM
- Currently: Offline
My Information
- Member Title: Advanced Member
- Age: 24 years old
- Birthday: August 16, 1987
- Gender: Male
- Location: Glossop, Derbyshire, United Kingdom
- Interests: Website and Graphic Design, Filmmaking, Astronomy, Politics, Music (every kind), Sci-Fi
Contact Information
- E-mail: Private
- MSN: dmpinder@hotmail.co.uk
- Website URL: http://www.online-selling.co.uk
Users Experience
- Experience: Advanced
- Area of Expertise: Designer/Coder
Topics I've Started
-
DoS Attack, Need help understanding requests from access log
06 August 2011 - 04:36 PM
Hi everyone,
This is the second time my server has been hit by a DoS attack, both coming from the same locations in the US. I've gotten in touch with the organisations (I believe their servers are part of a botnet), but I need some help understanding what my access logs are saying here.
The only thing I don't get is what I believe is the request involved. It looks like a long URL string, but it has parameters I don't recognise. The site is a WordPress site, with a bit of custom PHP, but nothing that looks familiar in the below:
(Please note I've removed the IP addresses from the logs as they're not relevant to my question)
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=v4ndSrPrIob0sgOKspHcDw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNEseq3LMyLHcqAGdHEJj27eZ-OP-A HTTP/1.1" 404 377 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=vL_USv-DCJCEswOw3eHaCg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNGDCOJWhdFrzVfbpDzFcekOUk-E9w HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /page2.html?pageId=17 HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=tvHlSrb5K4aIsgO8ksCwBA&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNF4SnE4vKvVpg4rutPN2ZqNCTVbKg HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=GjPnStbRFonqtgPs_ZyYBQ&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNHUXLVe3iSdnL78VDZaRuJX4C2sHw HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /page3.html HTTP/1.1" 301 238 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=_-vMSpafB4OOswPGjbnGDg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&usg=AFQjCNEZPRANaNnFU59z93MeSoPFic7Q5w HTTP/1.1" 404 377 "-" "Mozilla/4.7 [en] (Win95; U)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=rN7YSsOMDaLOtAOu-dGLBg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNHPFmtwYP5YrN9RggAayXUNztZ_sg HTTP/1.1" 404 377 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040218 Galeon/1.3.12"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=v4ndSrbdKImSsgOf1-zSDw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNGVqX3HrVg4o5HLE5iQ6G0_8NKODQ HTTP/1.1" 404 377 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=plLTSsHtLJC2sgP43J3wCw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNEtn31AWiiZyGJ3fSqin-kQAlbSFw HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=yXfPSs--LpCasgPszcS1Dg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&usg=AFQjCNGFvwEbMrdoUm2uH-c-wU66QUqZNw HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /page5.html HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=vfHlStjVO4WMswOMiuSwBA&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAsQhgIwAQ&usg=AFQjCNFhw2bBMDZtvZQnigw466Tlv7vVEQ HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.0; DigExt; .NET CLR 1.1.4322)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /&ei=f4LkSoaHJIn8sQPe3ey6Aw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNHTs4ptTUtxQiL8t36kIkCj-DsT6A HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.0; DigExt; .NET CLR 1.1.4322)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:47 +0100] "HEAD /page6.html HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /page2.html?pageId=7&size=standard HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=rVLTSpXNLI-4swOokISuCQ&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAsQhgIwAQ&usg=AFQjCNHoqmYrAqlOUGgIDO84Yqx9GJO2Ow HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=u1LTSoWlEZH8sgPJq9nwCw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNFt3t1NbSSVaW4ME4cLLy6BJDTEWQ HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=_-vMSqXrMZTQtAOpwfXFDg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&usg=AFQjCNEG7bGO2Od-3DpOBX1iVmDkNFCrGQ HTTP/1.1" 404 377 "-" "Mozilla/4.7 [en] (Win95; U)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=VbvrSq2lNYzosQPNzP3hBw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNG95bNP4PeQ_Pk-X7kp4Owp0BVmsg HTTP/1.1" 404 377 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=qFLTSon6NoOMtAPVmq3wCw&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNE43bvwrx9-GnXG4_DrXbCtcqsm1w HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=rGzgSv7MJIHYtgP71MHeCA&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNGXjbLXryeoixAywsgY3r2D3Qkwgw HTTP/1.1" 404 377 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=9uvMSp2iPIvYtgOY0P3IDg&sa=X&oi=spellmeleon_result&resnum=2&ct=result&usg=AFQjCNGoWlvyd_CyXYw3NEzK46sJScaGwA HTTP/1.1" 404 377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
XXX.XX.XXX.XX - - [06/Aug/2011:13:35:48 +0100] "HEAD /&ei=IzPnSrzvIYHUsQPiyrmfBQ&sa=X&oi=spellmeleon_result&resnum=2&ct=result&ved=0CAkQhgIwAQ&usg=AFQjCNHa80YdhQnLt06CfJxnoBtu3ILMew HTTP/1.1" 404 377 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
This is just a few lines of the 2000 requests which killed my server today, but they're all pretty much the same as these.
Many thanks,
Darren -
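A triage sketch for logs shaped like the excerpt in the post above, added here as an example and not part of the original post: it parses combined-format lines and counts `HEAD` requests answered 404 whose path begins with `/&` (query-style parameters with no `?` in front of them), along with how many distinct user agents sent them and the peak request count in one second. The sample lines, the 192.0.2.x addresses and the `TOKEN_A`/`TOKEN_B` placeholders are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def is_orphan_query(path):
    """True for paths like '/&ei=...': key=value pairs with no '?' before them."""
    return path.startswith("/&") and "=" in path and "?" not in path

def summarise(lines):
    entries = list(parse(lines))
    flagged = [e for e in entries if e["method"] == "HEAD"
               and e["status"] == "404" and is_orphan_query(e["path"])]
    per_second = Counter(e["ts"] for e in entries)
    return {
        "total": len(entries),
        "flagged": len(flagged),
        "methods": Counter(e["method"] for e in entries),
        "statuses": Counter(e["status"] for e in entries),
        "flagged_user_agents": len({e["ua"] for e in flagged}),
        "peak_per_second": max(per_second.values(), default=0),
    }

# Constructed sample: documentation IPs (192.0.2.0/24) and placeholder tokens.
_T = '{ip} - - [06/Aug/2011:13:35:{s} +0100] "{req} HTTP/1.1" {st} 377 "-" "{ua}"'
_Q = "/&ei=TOKEN_A&sa=X&oi=spellmeleon_result&resnum=2&ct=result&usg=TOKEN_B"
SAMPLE = [
    _T.format(ip="192.0.2.10", s=47, req="HEAD " + _Q, st=404, ua="Mozilla/4.7 [en] (Win95; U)"),
    _T.format(ip="192.0.2.10", s=47, req="HEAD " + _Q, st=404, ua="Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)"),
    _T.format(ip="192.0.2.10", s=47, req="HEAD /page3.html", st=301, ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"),
    _T.format(ip="192.0.2.11", s=48, req="GET /", st=200, ua="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040218 Galeon/1.3.12"),
    "truncated or corrupt line",
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```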
Reclaiming Parked Domain
03 June 2011 - 09:36 AM
Hi everyone,
A client of mine let one of their domains expire (before I came along, don't blame me!) and now their site has been registered by the company that uses the Domain Parked girl image (you know who I'm talking about).
Does anyone know how to get it back under their control? Do they even have a legal right to get it back, since they let it expire after all? If not, can domains be purchased back from this seemingly-faceless company?
Thanks in advance,
Darren