Bad bot?


#1

This is what my logs show a visitor tried to access on my website:
69.31.78.137:6667/
And…
http://69.31.78.137:6667/
What are these (6667)?? Chat servers? There isn’t chat hosted at my site, so is this something I should worry about? Should I try to block these visits?

~Chell


#2

As you correctly identified, port 6667 is usually used by IRC. Unfortunately, it is also a port commonly used in Denial of Service attacks. I assume that this is something that warrants DreamHost’s attention, so I recommend contacting support.


Simon Jessey
Keystone Websites | si-blog


#3

I imagine it’s just something scanning for open proxies. What does the full line look like?

Does it say “CONNECT” anywhere?
213.180.210.35 - - [17/Sep/2004:15:43:35 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 301 "-" "-"

In any event, I would just ignore it.


#4

I use a simple script to see stats, so all I know is that these requests have been coming in all day, alternating between http://69.31.78.137:6667/ and just 69.31.78.137:6667. My stats script always shows the requests coming from IP addy 69.31.78.130. Hope all that's OK to put here. I tried using htaccess to block these hits earlier, and that didn't work. So I tried changing htaccess, and there have been none of these hits for the past 45 minutes at least. Keeping fingers and toes crossed. Oh yeah, no referrer, OS or program registers for these. I did send a message to support, and hopefully didn't waste their time.

~Chell


#5

Look for that IP in the actual log file.


#6

Aaaaaah… feeling pretty stupid now. OK, here are two lines from the actual log file, one for each request. And yes, there is “connect” in one of them:
69.31.78.130 - - [05/Oct/2004:08:20:35 -0700] "POST http://69.31.78.137:6667/ HTTP/1.0" 200 15704 "-" "-"
69.31.78.130 - - [05/Oct/2004:08:20:35 -0700] "CONNECT 69.31.78.137:6667 HTTP/1.0" 200 15704 "-" "-"

Since my last post here there haven’t been any more of these hits (knock on wood).

~Chell


#7

This is likely someone scanning for open proxies.

I’m not 100% sure, but I don’t think blocking the IP in .htaccess will work if they’re already requesting something that doesn’t exist.

Unless that domain is hosted on a unique IP and you (or someone) is connecting to that IRC server from that IP, I don’t think there’s a legitimate reason they’d be doing a proxy check on it.

meow% telnet 69.31.78.137 6667
Trying 69.31.78.137...
Connected to 69.31.78.137.
Escape character is '^]'.
:irc.baddass.us NOTICE AUTH :*** Looking up your hostname...
:irc.baddass.us NOTICE AUTH :*** Found your hostname

If I connect to that host from an IRC client, I see:
-opsb(opsb@stats.baddass.us)- Your Host is being Scanned for Open Proxies


#8

irc.badass.us? OK, I’m not the brightest bulb when it comes to this stuff, but I don’t own badass.us, and although my domain (chellsroost.com) does have an ip, that’s not it. So I am just not understanding this. Also, I don’t connect to chat. Tried out jabber once, quit even using that quite a while ago.

In a nutshell, the ip “69.31.78.137” isn’t mine, the domain “badass.us” isn’t mine, and I don’t chat or host chat. So I still don’t understand why my domain would be scanned like that. The only consolation is that there still hasn’t been another of these hits. :slight_smile:

~Chell


#9

Aaaaand… I meant to say “thank you” for your help and patience. You’re always doing everything possible to help out on this board, and it’s much appreciated. :slight_smile:

~Chell


#10

It’s normal for IRC servers to check whether the client IP connecting is an open proxy. This is because people often connect to IRC servers via open proxies to obscure their actual email address (much as spammers often exploit open proxies to send spam).

I’m not going to get into a long discussion of what an open proxy is, and why it’s bad, but basically, HTTP proxies which haven’t been properly secured can allow people to access resources without exposing their client address. In many cases, these proxies allow people to access resources other than just websites - often they allow someone to open an arbitrary TCP connection, such as to an IRC server or a mail server, “through” the proxy. Google for “open proxy” for some more information.

So my guess is that that IRC server is seeing a connection from that IP (your site’s IP) for some reason (maybe a spoofed connection), and is doing a test to make sure that your IP isn’t an open proxy. Port 80 is one of the common ports that open proxies can live on, so that’s why you’re seeing the request in your HTTP access log. The bot is checking to see if it can connect to 66.33.223.211 (your site’s IP) and open a connection back to itself; if it can, it knows it’s found an open proxy, and it will not allow a client connecting from that IP to connect to the IRC server.

Ultimately, you should usually ignore attempts like this, and not spend too much time worrying about it.

Hope that explains things a little more… does that make sense to you?
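Post #3 suggested grepping the raw log for "CONNECT", and post #10 explains why such lines show up: the scanner asks your web server to relay a connection back to the IRC port, and a real open proxy would do it. The following script is an added example (not code from the thread or from DreamHost) that turns that advice into a check you can run over an Apache combined-format access log: it flags CONNECT requests and plain requests whose target is an absolute URL for a host other than your own, records the relay target and port, and tags the ones aimed at IRC ports. The two probe lines are copied from post #6 and post #3; the "normal" lines and the host name list are constructed for the example.

```python
"""Flag open-proxy probes in an Apache combined-format access log.

Added example for the thread above; not the forum's or DreamHost's code.
The probe lines in SAMPLE_LOG are copied from the thread, the others are
constructed so the script has something benign to compare against.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Ports an IRC network's proxy scanner typically asks you to relay to.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Host names this web server legitimately answers for (assumption for the example;
# an absolute URL for one of these is allowed by HTTP/1.1 and is not a probe).
OWN_HOSTS = {"chellsroost.com", "www.chellsroost.com"}


@dataclass(frozen=True)
class ProxyProbe:
    client: str        # the scanner's address (%h)
    method: str        # CONNECT, or an ordinary method sent with an absolute URL
    target_host: str   # where the request asked us to relay to
    target_port: int
    status: int        # what our server answered; 200 here does NOT mean we relayed
    irc_port: bool     # relay target is an IRC port, i.e. an IRC-network proxy check


def _split_hostport(authority: str, default_port: int) -> tuple[str, int]:
    """'1.2.3.4:6667' -> ('1.2.3.4', 6667); no port -> default. IPv4/hostnames only."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, default_port


def classify(line: str, own_hosts: set[str] = OWN_HOSTS) -> Optional[ProxyProbe]:
    """Return a ProxyProbe if the log line is a proxy check, else None."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None  # not combined format, or a malformed line
    parts = m["request"].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    status = int(m["status"])

    if method == "CONNECT":
        # CONNECT host:port is only meaningful to a proxy; a plain web site never sees it.
        host, port = _split_hostport(target, 443)
        return ProxyProbe(m["client"], method, host, port, status, port in IRC_PORTS)

    if "://" in target:
        # Absolute URL: fine if it names us, a proxy probe if it names someone else.
        u = urlsplit(target)
        if u.hostname and u.hostname.lower() not in own_hosts:
            port = u.port or (443 if u.scheme == "https" else 80)
            return ProxyProbe(m["client"], method, u.hostname, port, status, port in IRC_PORTS)
    return None


def report(lines: list[str], own_hosts: set[str] = OWN_HOSTS) -> dict[str, list[ProxyProbe]]:
    """Group detected probes by scanning client so a single scanner shows up once."""
    found: dict[str, list[ProxyProbe]] = {}
    for line in lines:
        probe = classify(line, own_hosts)
        if probe is not None:
            found.setdefault(probe.client, []).append(probe)
    return found


SAMPLE_LOG = [
    # Copied from post #6 and post #3 of the thread.
    '69.31.78.130 - - [05/Oct/2004:08:20:35 -0700] "POST http://69.31.78.137:6667/ HTTP/1.0" 200 15704 "-" "-"',
    '69.31.78.130 - - [05/Oct/2004:08:20:35 -0700] "CONNECT 69.31.78.137:6667 HTTP/1.0" 200 15704 "-" "-"',
    '213.180.210.35 - - [17/Sep/2004:15:43:35 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 301 "-" "-"',
    # Constructed benign traffic: a normal page hit and an absolute URL for our own host.
    '10.0.0.5 - - [05/Oct/2004:08:21:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [05/Oct/2004:08:21:01 -0700] "GET http://chellsroost.com/ HTTP/1.1" 200 1234 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for client, probes in report(SAMPLE_LOG).items():
        for p in probes:
            kind = "IRC proxy check" if p.irc_port else "proxy probe"
            print(f"{client}: {kind} via {p.method} -> {p.target_host}:{p.target_port} (we answered {p.status})")
```

Two things worth reading off the output. First, the 213.180.210.35 line from post #3 is the same kind of probe aimed at port 25, which is what a spam-relay scanner looks for; the script tags only the IRC-port one as an IRC network's check. Second, the 200 in the status column is what your own server answered (the same 15704-byte page for both methods), not evidence that it relayed anything; a scanner decides it found an open proxy by whether the IRC banner comes back through the socket, which is exactly why a static site can safely ignore these.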


#11

Will, thank you sooo much for explaining, and for the ultra fast support. Yes, now I totally understand (ding ding! light went on). OK, I’m going to undo the changes of today to my htaccess and just not have a cow over this.

~Chell