Help determining what is happening with my webserver...

 
 
avidfan
11-28-2004
I am running Apache 2.0 on Solaris 8 with mod_proxy and PHP. In the
access.log, I am seeing entries that reference URLs that do not
exist in my domain, like this:

************************************************** ************************************************** ************
221.225.97.220 - - [27/Nov/2004:07:54:07 -0600] "GET
http://impgb.tradedoubler.com/imp/im...0144?161534368
HTTP/1.0"302 240 "http://www.bsless.com" "Mozilla/4.0 (compatible;
MSIE 5.02; Windows 9"
82.149.104.122 - - [27/Nov/2004:07:54:13 -0600] "GET
http://hotbox.danni.com/hotbox/index.cfm HTTP/1.0" 401 13396
"http://hotbox.danni.com/hotbox/index.cfm" "Mozilla/5.0 ( compatible;
MSIE 4.0; Windows 95; MSNIA )"
221.225.97.220 - - [27/Nov/2004:07:54:13 -0600] "GET
http://hstgb.tradedoubler.com/file/1...4/sm468x60.gif HTTP/1.0"
200 28809 "http://www.bsless.com" "Mozilla/4.0 (compatible; MSIE 5.02;
Windows 9"
64.62.253.96 - - [27/Nov/2004:07:54:21 -0600] "GET
http://www.google.com/search?hl=en&lr=&q=software HTTP/1.0" 200 15458
"http://www.7search.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1)"
80.131.233.34 - - [27/Nov/2004:07:54:20 -0600] "GET
http://www.ronnituscadero.com/members HTTP/1.0" 401 790 "-"
"Mozilla/3.0 (compatible)"
213.114.179.10 - - [27/Nov/2004:07:54:32 -0600] "GET
http://www.photodromm.com/access/set...saer463245.htm HTTP/1.0"
401 401 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.218.6.172 - - [27/Nov/2004:15:17:59 -0600] "GET
http://l23.login.dcn.yahoo.com/confi...LES?&.tries=1&
..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner =&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_darkmage_&
passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
24.218.6.172 - - [27/Nov/2004:15:18:01 -0600] "GET
http://l23.login.dcn.yahoo.com/confi...LES?&.tries=1&
..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner =&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_deathice_&
passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
24.218.6.172 - - [27/Nov/2004:15:18:03 -0600] "GET
http://l23.login.dcn.yahoo.com/confi...LES?&.tries=1&
..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner =&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_delusion&p
asswd=spoiled HTTP/1.0" 200 16670 "-" "-"
12.221.59.151 - - [27/Nov/2004:18:54:04 -0600] "GET
http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"
12.221.59.151 - - [27/Nov/2004:18:54:05 -0600] "GET
http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
12.221.59.151 - - [27/Nov/2004:18:54:06 -0600] "GET
http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.218.6.172 - - [27/Nov/2004:18:54:18 -0600] "GET
http://e4.member.ukl.yahoo.com/confi...LES?&.tries=1&
..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner =&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=lord_of_dar
kness_&passwd=bodacious HTTP/1.0" 999 1251 "-" "-"
70.80.86.50 - - [27/Nov/2004:18:54:23 -0600] "GET
http://clickit.go2net.com/search?sit...02349&area=res
ults.directhit&rawto=http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/Unable%2Bto%2BUrinate/1/15/1/-/1/0/1/1/1/1
?&tpxnws=1 HTTP/1.0" 302 153
"http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/unable?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 9"
12.221.59.151 - - [27/Nov/2004:18:54:24 -0600] "GET
http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
70.80.86.50 - - [27/Nov/2004:18:54:24 -0600] "GET
http://msxml.info.com/_1_UYHT5U0U9EM.../Unable%2Bto%2
BUrinate/1/15/1/-/1/0/1/1/1/1?&tpxnws=1 HTTP/1.0" 200 46625
"http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/un
able?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9"
12.217.37.110 - - [27/Nov/2004:19:05:23 -0600] "GET
http://www.smt-data.com/~rankings/checkproxy.php HTTP/1.0" 200 17 "-"
"(compatible; MSIE 4.01; MSN 2.5; AOL 4.0; Windows 9"
69.81.24.39 - - [27/Nov/2004:19:14:33 -0600] "GET
http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi HTTP/1.1" 200
1201 "http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
12.221.59.151 - - [27/Nov/2004:19:14:39 -0600] "GET
http://www.shanesworld.com/members HTTP/1.0" 401 1339 "<NONE>"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"

************************************************** ************************************************** ************

So I assumed that someone was using my proxy, but my httpd.conf file
is set this way:

**********
<IfModule mod_proxy.c>
ProxyRequests On

<Proxy *>
Order deny,allow
Deny from all
Allow from 192.168.1
</Proxy>

ProxyMaxForwards 10
ProxyVia Off
ProxyPass /blojsom/ http://192.168.1.145:8080/blojsom/
ProxyPassReverse /blojsom/ http://192.168.1.145:8080/blojsom/
ProxyPass /blojsom http://192.168.1.1454:8080/blojsom/
ProxyPassReverse /blojsom http://192.168.1.145:8080/blojsom/

***********

which I thought closed it, but to be safe, I commented all of these
lines out and restarted apache, disabling mod_proxy. But I am still
seeing this type of activity in the log files... even with mod_proxy
disabled. The 'intruder' is still running proxyjudge and seems to
still be able to use my webserver.

Can anyone offer any advice as to where I should be looking for the
cause of this and any way I might shut it down? I have the webserver
down now until I can figure out what's happening.

Thanks for any advice,

AvidFan
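
One way to triage an access log like the one in the post above, as an added example that is not part of the original post: it parses Apache combined-format lines and groups proxy-style requests (an absolute URL naming a foreign host, or CONNECT) by client IP. The `LOCAL_HOSTS` names and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for (hypothetical).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Combined log format: host ident user [time] "request" status bytes ...
# The `" ?` tolerates a missing space between the request and the status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" ?'
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses and names, not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Nov/2004:07:54:07 -0600] "GET http://ads.example.net/imp?1 HTTP/1.0"302 240 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Nov/2004:07:54:13 -0600] "GET http://ads.example.net/b.gif HTTP/1.0" 200 28809 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Nov/2004:07:55:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Nov/2004:19:14:33 -0600] "GET http://judge.example.com/cgi-bin/check.cgi HTTP/1.1" 200 1201 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Nov/2004:19:15:02 -0600] "CONNECT mail.example.com:25 HTTP/1.0" 405 310 "-" "-"
198.51.100.7 - - [27/Nov/2004:19:16:00 -0600] "GET http://www.example.org/about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def foreign_target(method, target):
    """Return the foreign host a request names, or None for a normal local request."""
    if method == "CONNECT":                      # authority-form: host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                          # absolute-form: scheme://host/path
        host = (urlsplit(target).hostname or "").lower()
        return host if host not in LOCAL_HOSTS else None
    return None                                  # origin-form (/path) is ordinary traffic

def proxy_attempts(log_text):
    """Group proxy-style requests by client IP: {ip: [(host, status, bytes), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                             # skip wrapped or malformed lines
        host = foreign_target(m["method"], m["target"])
        if host:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((host, int(m["status"]), size))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in sorted(proxy_attempts(SAMPLE_LOG).items()):
        print(ip, len(reqs), sorted({h for h, _, _ in reqs}))
```

A 200 status by itself does not show that a request was relayed; the byte count kept for each hit can be compared with the size of the server's own pages.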
 