RE: [incidents] Bots hitting my web server?

From: Marco A. Zamora Cunningham (marco.zamora@cbbanorte.com.mx)
Date: 08/29/02


From: "Marco A. Zamora Cunningham" <marco.zamora@cbbanorte.com.mx>
To: "'Adam Bultman'" <adamb@glaven.org>
Date: Thu, 29 Aug 2002 12:06:26 -0500

Adam Bultman:
> Apache 1.3.9, [...], with mod_proxy enabled. As a result,
> they were exploited and used by someone/something to fetch
> pages from remote servers. In many cases, ads (like
> service.bfast.com, etc) but in most cases, porn. Of
> course porn.

You're not seeing bots, you're seeing surfers in a misguided
attempt to keep their "anonymity," or to defeat proxies
that filter by domain/host in corporate/school environments
(hence the porn site requests you see in your logs).

Your server ended up in one or more open proxy lists after
being scanned for this vulnerability. To confirm this, just
look up your server's IP in Google.

The best you can do is change the server's IP and not reuse it
for some time (a year?) as a publicly-addressable server. This
might not be possible if you have URLs with the IP address
floating around (which is always a bad idea), but it's your
only recourse now.

Been there, done that... Marco Zamora

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
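
An added example, not part of the original message: one way to check an Apache access log for the forward-proxy requests described in this thread (absolute-URI or CONNECT requests for hosts other than your own). The log lines are constructed, and `www.example.org` is an assumed stand-in for the server's own hostname.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log format: client ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP range, example hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2002:10:01:02 -0500] "GET http://service.bfast.com/ad.gif HTTP/1.0" 200 4312',
    '192.0.2.11 - - [29/Aug/2002:10:01:05 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.12 - - [29/Aug/2002:10:01:09 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 310',
    '192.0.2.13 - - [29/Aug/2002:10:01:11 -0500] "GET http://www.example.org/ HTTP/1.1" 200 2048',
    '192.0.2.10 - - [29/Aug/2002:10:01:15 -0500] "GET http://remote.example.com/page HTTP/1.0" 403 280',
]

def proxy_hits(lines, own_hosts):
    """Return (client, method, remote_host, status) for proxy-style requests."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()   # CONNECT host:port
        elif "://" in target:
            host = (urlsplit(target).hostname or "").lower()  # absolute-URI form
        else:
            continue  # ordinary request for a local path
        if host and host not in own:
            hits.append((m["client"], method, host, int(m["status"])))
    return hits

def summarize(hits):
    # A 2xx/3xx status suggests the request was served. Confirm against the
    # response size: a server that is not proxying may still answer an
    # absolute-URI request with its own default page.
    served = [h for h in hits if 200 <= h[3] < 400]
    return {"attempts": len(hits), "served": len(served),
            "top_hosts": Counter(h[2] for h in served).most_common(5)}

if __name__ == "__main__":
    print(summarize(proxy_hits(SAMPLE_LOG, {"www.example.org"})))
```

Attempts that keep arriving after the proxy is closed, all answered with 403 or 405, are consistent with the server still appearing on an open proxy list.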


