Hello, I would like to share a recent experience that I believe may help other proxy owners in the future. I have a proxy network that is currently hosted on a VPS. Recently this network chomped through about 600 GB of bandwidth within a few days. The strange thing about this was that I have my max file size set low so that people cannot download large files through the proxies. I got slapped with overusage fees of over $100. The extremely weird thing about this was that Google Analytics was recording my unique hits as stable at an average of 2000 uniques per day. However, server stats like Webalizer were recording in excess of 20000 uniques per day. This was also strange because I have hot linking enabled, so direct access to proxified links was not the cause. I spent an hour or two poring over my Apache logs trying to figure out how this happened, and then I noticed hundreds and hundreds of logs like this all coming from the IP 222.216.28.135.

222.216.28.135 - - [01/Oct/2007:00:23:36 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=DC6DB5C1520437F54B7E6AB00050546$
222.216.28.135 - - [01/Oct/2007:00:23:36 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0B9830C4BE5DFB0C4B7E6AA50050B0A$
222.216.28.135 - - [01/Oct/2007:00:23:38 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=DE6A2CE5151E53094B7E72980050485$

This Chinese mail service was using my proxy for their services. Also notice the URL prx.php (must stand for proxy) has a p parameter - this is undoubtedly an encoded string relating to the certain proxy the service will use. It makes me wonder how many other people are getting shafted. Emails are only small text files, so this flew under the radar for several days and cost me dearly. I have since banned the IPs 222.216.28.135 and 202.103.30.9 from my VPS and everything has returned to normal.
I would highly suggest that other proxy owners check their access logs and make sure this isn't happening to them. Some people think that their proxy is getting popular and so they upgrade to a dedicated server when in fact some people could just be ripping you off. Take care!
Wow, this happened to one of my customers. We didn't know what was going on, but eventually we found out someone was using it for mailing. Watch out for those buggers! Thanks for telling everyone, imagize, I am sure this happens to a lot of people and they don't even realize it!
For those with Linux-based servers, checking your access log is as easy as logging in via SSH and typing something similar to:

nano /usr/local/apache/logs/access_log

It will vary from server to server. Some control panels like cPanel also allow you to download this information quickly and easily. Under cPanel go to Logs > Raw Access Logs.
I would also recommend http://www.blockacountry.com which generates a .htaccess file for you for blocking all the countries you want.
Also when reading logs it is hard to monitor which sites are being viewed, since phproxy encodes the URL of the target site:

/index.php?q=aHR0cDovL3RvdWNoOTkuY29tL2luY2x1ZGUvY292ZS5qcw%3D%3D

I wrote a simple PHP5 script that reads the Apache access log and decodes the URL the user visited, so it is much easier to read and quickly skim over logs. (It helped me catch these annoying individuals.) I.e. the above URL is an image on http://touch99.com (yeah, more Chinese people). I am planning to customize it so that it runs on the command line and you can specify the date range you want to see proxy logs for. If anyone is interested I will probably release it when I finish it.
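An added example (not the poster's PHP script): a Python log reader that decodes phproxy's percent-encoded base64 q= parameter back into the real destination, and, for the pattern in the first post, also counts requests per client IP and per destination host so one client hammering one upstream stands out. The sample log lines, the ordinary-user address 192.0.2.10 and the threshold of 3 are constructed assumptions.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Leading fields of an Apache common/combined log line: ip ident user [time] "METHOD target ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Constructed sample: one ordinary phproxy user plus repeated absolute-URI requests from the IP named in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2007:00:20:01 -0500] "GET /index.php?q=aHR0cDovL3RvdWNoOTkuY29tL2luY2x1ZGUvY292ZS5qcw%3D%3D HTTP/1.1" 200 1234
222.216.28.135 - - [01/Oct/2007:00:23:36 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0 HTTP/1.0" 200 512
222.216.28.135 - - [01/Oct/2007:00:23:36 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0 HTTP/1.0" 200 512
222.216.28.135 - - [01/Oct/2007:00:23:38 -0500] "GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0 HTTP/1.0" 200 512
"""

def decode_phproxy_target(target):
    """Return the destination URL hidden in a phproxy request (?q=<percent-encoded base64>), else None."""
    q = parse_qs(urlsplit(target).query).get('q')  # parse_qs already undoes the %3D percent-encoding
    if not q:
        return None
    try:
        return base64.b64decode(q[0], validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None  # malformed q= value: report nothing rather than guess

def summarise(log_lines, threshold):
    """Decode each request's destination; return (decoded pairs, per-IP counts, per-destination-host counts, flagged IPs)."""
    per_ip, per_dest_host, decoded = Counter(), Counter(), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        ip, target = m.group('ip'), m.group('target')
        dest = decode_phproxy_target(target)
        if dest is None and target.startswith(('http://', 'https://')):
            dest = target  # absolute-URI request line: the client is treating the server as a forward proxy
        per_ip[ip] += 1
        if dest:
            decoded.append((ip, dest))
            per_dest_host[urlsplit(dest).hostname or '?'] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return decoded, per_ip, per_dest_host, flagged

if __name__ == '__main__':
    decoded, per_ip, per_dest_host, flagged = summarise(SAMPLE_LOG.splitlines(), threshold=3)
    for ip, dest in decoded:
        print(f'{ip} -> {dest}')
    print('IPs over threshold:', flagged, 'busiest destinations:', per_dest_host.most_common(3))
```

On a real server, feed it the access_log lines instead of SAMPLE_LOG and raise the threshold to something appropriate for your traffic; the flagged IPs and the busiest destination hosts are the candidates for the kind of ban the thread describes.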
I did a little more research of my logs and it turns out the same guy hit my proxies in June/July a few hundred times using:

http://www.loanscandyloans.com/php/test.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0B9830C4BE5DFB0C4B7E6AA5005$

The bandwidth usage wasn't nearly on the scale of the recent attack. The funny thing is that the domain loanscandyloans.com is registered by a Chinese man in the same area the IP resolves to, so I am assuming it is him. Looks like an MFA site with AdSense all over it.
I have found another domain, umsky.com, and found numerous threads about it on Google. Seems like this isn't a new thing.

http://www.linuxquestions.org/quest...che-exploit-404-not-found-398184/#post2027911
http://lists.pdxlinux.org/pipermail/plug/2005-November/043805.html
Not sure, but could it have been caused by maybe a hole in your email contact forms or something where another company was then using your server to send out their millions of spam emails. If you have badly written contact forms with poor validation then you will get hit by the email spammers using your server for spamming and the end result is that you will be the one that has their server penalised for spamming.
Yeah, I got attacked by China too, I think. It used a terabyte of bandwidth in less than 2 weeks, so I switched to new cPanel hosting and was using 1 gig an hour. All my analytics were looking fine, but most of my traffic was from China and most of it was viewing the same page! Though my revenue was looking good too. Do you think they display my whole webpage? (index?) My AdSense was showing about the same amount of hits as my analytics! I have since switched to another proxy script and my bandwidth usage is very low! Though I parked the domain for about a week and deleted the files after the bandwidth issues, so I lost some traffic (lost about 800 visitors per day avg). Though I had a link to another one of my proxies on the parked page and its traffic has picked up, so it worked, though I don't have AdSense on there so no revenue, but no bandwidth issues!! How can I block the attackers from using my site if it happens again??
Here is the list of hosts and user IP addresses that I have now banned using iptables.

Requests:
222.216.28.135
222.216.28.147
218.59.127.2
222.185.108.12

Hosts:
663.com.cn
loanscandyloans.com
umsky.com
filesdatabase.com
207.150.184.73