This morning I got an email telling me that I was getting close to exceeding my bandwidth for the month. Interesting, that’s never happened before. So I checked my stats and sure enough I’ve served up 8.6 Gigs out of my 10 alloted.
Things were running about normal until the 23rd of the month and then usage quadrupled. Normally I was using between 150-200MB a day when all of a sudden it jumped to over 900MB. Visits and hits stayed pretty much the same, but pages went way up. The biggest page served was “/archives/ miatatude/” which is automatically generated when requested.
Further delving into the stats, a lot of external links had web addresses with names like: http://phentermine.us.tt — http://phentermine.dnc.pl — http://phentermine.rocken.de — http://phentermine.220v.org — http://party-poker.dnc.pl — http://www.cialis.wczasy.com — http://hgh.dnc.pl — http://hydrocodone.dnc.pl– http://www.rape.wczasy.com
Next I looked in the raw access logs and found a bunch of entries that looked like this: 184.108.40.206 — - [26/Aug/2005:00:00:08 –0500] “GET /archives/miatatude/ HTTP/1.0″ 200 26131 “http://phentermine.us.tt” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7″ and 220.127.116.11 — - [26/Aug/2005:00:02:00 –0500] “GET /archives/miatatude/ HTTP/1.0″ 200 1723287 “http://phentermine.rocken.de” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7″
I did some reading up on deciphering that mumbo-jumbo and what is really strange is that both those requests are for the same web page, but for one a lot more info is returned, but the big question is what is going on here? I found like the top ten IP addresses doing this requesting and denied them access so they will get a 403 instead content. What really worries me is this looks a lot like comment spam roaches, you squash one and several more crawl out from the base boards. Am I going to have to check my logs daily and ban IPs until I close every one?