Help determining what is happening with my webserver...
From: avidfan (noone_at_nowhere.com)
Date: 11/28/04
- Next message: _Vanguard_: "Re: Trip to Disney -- Repeated ticket SPAM"
- Previous message: Christo: "norton av 2005 problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Nov 2004 13:09:07 -0600
I am running Apache 2.0 on Solaris 8 with mod_proxy and PHP. In the
access.log, I am seeing entries that reference URLs that do not
exist in my domain, like this:
****************************************************************************************************************
221.225.97.220 - - [27/Nov/2004:07:54:07 -0600] "GET http://impgb.tradedoubler.com/imp/img/138372/1020144?161534368 HTTP/1.0" 302 240 "http://www.bsless.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
82.149.104.122 - - [27/Nov/2004:07:54:13 -0600] "GET http://hotbox.danni.com/hotbox/index.cfm HTTP/1.0" 401 13396 "http://hotbox.danni.com/hotbox/index.cfm" "Mozilla/5.0 ( compatible; MSIE 4.0; Windows 95; MSNIA )"
221.225.97.220 - - [27/Nov/2004:07:54:13 -0600] "GET http://hstgb.tradedoubler.com/file/17289/290604/sm468x60.gif HTTP/1.0" 200 28809 "http://www.bsless.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
64.62.253.96 - - [27/Nov/2004:07:54:21 -0600] "GET http://www.google.com/search?hl=en&lr=&q=software HTTP/1.0" 200 15458 "http://www.7search.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.131.233.34 - - [27/Nov/2004:07:54:20 -0600] "GET http://www.ronnituscadero.com/members HTTP/1.0" 401 790 "-" "Mozilla/3.0 (compatible)"
213.114.179.10 - - [27/Nov/2004:07:54:32 -0600] "GET http://www.photodromm.com/access/set/membdfsaer463245.htm HTTP/1.0" 401 401 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.218.6.172 - - [27/Nov/2004:15:17:59 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_darkmage_&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
24.218.6.172 - - [27/Nov/2004:15:18:01 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_deathice_&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
24.218.6.172 - - [27/Nov/2004:15:18:03 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_delusion&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
12.221.59.151 - - [27/Nov/2004:18:54:04 -0600] "GET http://www.spoiled***.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"
12.221.59.151 - - [27/Nov/2004:18:54:05 -0600] "GET http://www.spoiled***.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
12.221.59.151 - - [27/Nov/2004:18:54:06 -0600] "GET http://www.spoiled***.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.218.6.172 - - [27/Nov/2004:18:54:18 -0600] "GET http://e4.member.ukl.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=lord_of_darkness_&passwd=bodacious HTTP/1.0" 999 1251 "-" "-"
70.80.86.50 - - [27/Nov/2004:18:54:23 -0600] "GET http://clickit.go2net.com/search?site=wbs&cp=infocom.us2&cid=302349&area=results.directhit&rawto=http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/Unable%2Bto%2BUrinate/1/15/1/-/1/0/1/1/1/1?&tpxnws=1 HTTP/1.0" 302 153 "http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/unable?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
12.221.59.151 - - [27/Nov/2004:18:54:24 -0600] "GET http://www.spoiled***.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
70.80.86.50 - - [27/Nov/2004:18:54:24 -0600] "GET http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/Unable%2Bto%2BUrinate/1/15/1/-/1/0/1/1/1/1?&tpxnws=1 HTTP/1.0" 200 46625 "http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/unable?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
12.217.37.110 - - [27/Nov/2004:19:05:23 -0600] "GET http://www.smt-data.com/~rankings/checkproxy.php HTTP/1.0" 200 17 "-" "(compatible; MSIE 4.01; MSN 2.5; AOL 4.0; Windows 98)"
69.81.24.39 - - [27/Nov/2004:19:14:33 -0600] "GET http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi HTTP/1.1" 200 1201 "http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
12.221.59.151 - - [27/Nov/2004:19:14:39 -0600] "GET http://www.shanesworld.com/members HTTP/1.0" 401 1339 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"
****************************************************************************************************************
So I assumed that someone was using my proxy, but my httpd.conf file
is set this way:
**********
<IfModule mod_proxy.c>
    # Forward (outbound) proxying is enabled, but only for the LAN below.
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.1
    </Proxy>
    ProxyMaxForwards 10
    ProxyVia Off
    # Reverse proxy for the blog application on the internal host.
    ProxyPass /blojsom/ http://192.168.1.145:8080/blojsom/
    ProxyPassReverse /blojsom/ http://192.168.1.145:8080/blojsom/
    ProxyPass /blojsom http://192.168.1.145:8080/blojsom/
    ProxyPassReverse /blojsom http://192.168.1.145:8080/blojsom/
</IfModule>
***********
which I thought closed it, but to be safe, I commented all of these
lines out and restarted Apache, disabling mod_proxy. But I am still
seeing this type of activity in the log files, even with mod_proxy
disabled. The 'intruder' is still running proxyjudge and seems to
still be able to use my webserver.
Can anyone offer any advice as to where I should be looking for the
cause of this, and any way I might shut it down? I have the webserver
down now until I can figure out what's happening.
Thanks for any advice,
AvidFan
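Added example, not the poster's code: a small Python scanner for the kind of access.log entries quoted above. It flags request lines whose target is an absolute URI for a host that is not one of the server's own names (what a browser sends to a forward proxy), CONNECT requests, and hits on proxy-checker scripts such as proxyjudge.cgi and checkproxy.php, then totals them per client IP. The sample log lines, the names in LOCAL_HOSTS and the checker-name list are constructed assumptions for this example, not real traffic from the post.

```python
"""Scan Apache combined-format access-log lines for signs that the server is
being used as an open forward proxy.  Added example, not the poster's code."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Script names that proxy scanners fetch to learn whether a host relays requests
# and which headers it leaks (assumed list; extend it from your own logs).
PROXY_CHECKER_RE = re.compile(r'(proxyjudge|checkproxy|azenv|prxjdg)', re.IGNORECASE)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line, local_hosts):
    """Classify one line.  Returns a dict with client IP, target host, status,
    byte count and a list of indicators, or None for an ordinary local request."""
    rec = parse(line)
    if rec is None:
        return None
    indicators = []
    method, target = rec["method"], rec["target"]
    host = None
    if method == "CONNECT":
        # "CONNECT host:port" only makes sense to a forward proxy (tunnelling).
        host = target.rsplit(":", 1)[0]
        indicators.append("connect_tunnel")
    elif target.lower().startswith(("http://", "https://")):
        # An absolute-URI request line is what a client sends to a forward proxy.
        host = urlsplit(target).hostname
        if host and host not in local_hosts:
            indicators.append("foreign_absolute_uri")
    if PROXY_CHECKER_RE.search(target):
        indicators.append("proxy_checker")
    if not indicators:
        return None
    # Status and size are kept because a 2xx/3xx answer to a foreign URL is only
    # suggestive: with no forward proxy configured, Apache answers an absolute-URI
    # request with its *own* content, so compare sizes with what the local site returns.
    return {"ip": rec["ip"], "host": host, "status": int(rec["status"]),
            "bytes": rec["bytes"], "indicators": indicators}


def summarize(lines, local_hosts):
    """Aggregate suspicious lines per client IP: request count, distinct target
    hosts and a Counter of indicators."""
    per_ip = defaultdict(lambda: {"requests": 0, "hosts": set(), "indicators": Counter()})
    for line in lines:
        hit = classify(line, local_hosts)
        if hit is None:
            continue
        entry = per_ip[hit["ip"]]
        entry["requests"] += 1
        if hit["host"]:
            entry["hosts"].add(hit["host"])
        entry["indicators"].update(hit["indicators"])
    return dict(per_ip)


# Constructed sample, modelled on the entries quoted in the post (documentation
# addresses and hostnames, not real traffic).
SAMPLE_LOG = """\
192.168.1.20 - - [27/Nov/2004:07:50:00 -0600] "GET /blojsom/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2004:07:54:07 -0600] "GET http://ads.example.net/img/banner.gif HTTP/1.0" 200 28809 "http://www.example.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
203.0.113.10 - - [27/Nov/2004:07:54:20 -0600] "GET http://www.example.org/members HTTP/1.0" 401 790 "-" "Mozilla/3.0 (compatible)"
198.51.100.7 - - [27/Nov/2004:19:05:23 -0600] "GET http://checker.example.net/cgi-bin/proxyjudge.cgi HTTP/1.1" 200 1201 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [27/Nov/2004:19:05:40 -0600] "GET http://www.mysite.example/blojsom/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.33 - - [27/Nov/2004:19:10:00 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"
"""
# Assumed names for the server's own site; absolute URIs for these are not foreign.
LOCAL_HOSTS = {"www.mysite.example", "mysite.example"}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), LOCAL_HOSTS)
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip}: {info['requests']} suspicious request(s) to {sorted(info['hosts'])} "
              f"{dict(info['indicators'])}")
```

To run it on the real file, put the server's own hostnames in LOCAL_HOSTS and call `summarize(open('access.log'), LOCAL_HOSTS)`. Two caveats a practitioner would want: a 2xx or 3xx answer to a foreign absolute URI does not by itself prove the request was relayed, since Apache serves its own content for an absolute-URI request when no forward proxy is active, so the byte counts should be compared with what the local site returns for those paths; and when only /blojsom/ needs forwarding, ProxyPass and ProxyPassReverse work with ProxyRequests Off, which removes the forward-proxy code path altogether instead of relying on the <Proxy *> access list.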