Gossamer Forum

Links SQL Crashing Server

From my server log file:

195.195.20.199 - - [08/Nov/2002:11:41:39 +0000] "GET /search.cgi?query= HTTP/1.0" 200 - "http://www.mysite.tld/user.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"
195.195.20.199 - - [08/Nov/2002:11:41:39 +0000] "GET /search.cgi?query= HTTP/1.0" 200 - "http://www.mysite.tld/user.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"
195.195.20.199 - - [08/Nov/2002:11:41:44 +0000] "GET /search.cgi?query= HTTP/1.0" 200 10712 "http://www.mysite.tld/user.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"
195.195.20.199 - - [08/Nov/2002:11:41:43 +0000] "GET /search.cgi?query= HTTP/1.0" 200 - "http://www.mysite.tld/user.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"
91I?7NDZn`sP%:2*D:2*%WJ>SF;PE9/ ' 9NCWJ>SF\n]NC  9/'@4K_Pd­x,e|yxtteX,% vsbSf7­q@3)'>RCWH;O@4H\K>RCWgv )   %1gq,F{

Binary continues for a few minutes. This is the second server on which this has happened.
Re: [crashing] Links SQL Crashing Server
Somebody seems to have been sending over ten requests per second to search.cgi, solidly for about ten minutes.
Re: [crashing] Links SQL Crashing Server
Well, you've got the IP where this comes from. Contact the admin of the domain and tell them to stop.

Ivan
-----
Iyengar Yoga Resources / GT Plugins
Re: [yogi] Links SQL Crashing Server
Or block their IP, so they don't even get a chance to make a proper request to your site (could even be done at server level)...

Andy (mod)
andy@ultranerds.co.uk
Re: [crashing] Links SQL Crashing Server
Create a .htaccess file:

Code:
<Limit GET POST>
Order Deny,Allow
Deny From 195.195.20.199
Allow From All
</Limit>

Last edited by: Paul: Nov 8, 2002, 6:50 AM
Re: [Paul] Links SQL Crashing Server
Thanks for your advice guys. Turns out he crashed it by constantly reloading the search page, up to ten times a second for about 5 minutes.

I contacted his institution (he wanted to sign up for the service, had entered his name and institutional email but had to pay, didn't, and as such was probably frustrated), and they might take it further. Whether or not they do is immaterial.

Fact is that blocking a particular IP is futile. Many ISPs use a dynamic IP addressing system, so anyone using that system will be able to evade .htaccess IP blocks. Sure, I could block the entire range, but if he uses a major ISP it also means blocking about 10% of a given population, which is unacceptable.

As such, the solution lies in remedying the system. It would be advantageous if the script did not have this vulnerability. Perhaps it may not be a vulnerability of the script, but rather Apache.
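Two of the replies above (the "over ten requests per second to search.cgi" observation, and the last post's point that per-IP .htaccess blocks are futile against dynamic addresses) suggest two defensive pieces: confirming a burst from the access log, and rate-limiting the expensive script per client rather than hand-blocking addresses. The Python below is an added example written for this thread, not code from the forum or from Links SQL. It parses combined-format lines like the excerpt, reports clients whose request rate to a given path peaks above a threshold in any sliding window (sorting by timestamp first, because the excerpt's own lines are logged out of order), and shows a per-client sliding-window limiter a search script could consult before running a query. The IP addresses, hostnames, thresholds and the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, as in the thread's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SECOND = timedelta(seconds=1)


def parse_log_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None
    for anything that does not parse (e.g. the binary junk the poster saw)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    return m.group("ip"), ts, path


def find_bursts(lines, path, window_seconds=1, threshold=10):
    """Per client IP, the largest number of requests for `path` inside any
    sliding window of `window_seconds`; only IPs reaching `threshold` are
    returned. Timestamps are sorted first, since log order is not guaranteed."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, ts, p = parsed
        if p == path:
            per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


class RateLimiter:
    """Sliding-window limiter a CGI script could consult before doing an
    expensive search: at most `limit` calls per `window_seconds` per key
    (typically the client IP). State lives in memory here; a real CGI
    process would keep it in a shared store, which is an assumption."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.calls = defaultdict(deque)

    def allow(self, key, now):
        q = self.calls[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def make_line(ip, ts, path):
    # Constructed sample line in the combined format seen in the thread.
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.0" '
            f'200 - "http://www.example.test/user.cgi" "Mozilla/4.0 (compatible)"')


BASE = datetime(2002, 11, 8, 11, 41, 39, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # constructed: one client hammering search.cgi, logged out of order
    [make_line("192.0.2.10", BASE + SECOND, "/search.cgi?query=") for _ in range(3)]
    + [make_line("192.0.2.10", BASE, "/search.cgi?query=") for _ in range(12)]
    # constructed: an ordinary client, three searches spread over a minute
    + [make_line("198.51.100.7", BASE + 20 * i * SECOND, "/search.cgi?query=links")
       for i in range(3)]
    # constructed: a fragment of the binary junk the poster saw, which is skipped
    + ["91I?7NDZn`sP%:2*D:2*%WJ>SF;PE9/"]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG, "/search.cgi").items():
        print(f"{ip}: peak {peak} requests to /search.cgi within one second")
```

Run against a real access log with `find_bursts(open("access_log"), "/search.cgi")`; the window and threshold are the knobs to tune, and a two-second window catches a client that spreads its reloads across a second boundary.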