Help determining what is happening with my webserver...

Discussion in 'Computer Security' started by avidfan, Nov 28, 2004.

  1. avidfan

    avidfan Guest

    I am running Apache 2.0 on Solaris 8 with mod_proxy and PHP. In the
    access.log, I am seeing entries that reference URLs that do not
    exist in my domain, like this:

    ****************************************************************************************************************
    221.225.97.220 - - [27/Nov/2004:07:54:07 -0600] "GET http://impgb.tradedoubler.com/imp/img/138372/1020144?161534368 HTTP/1.0" 302 240 "http://www.bsless.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
    82.149.104.122 - - [27/Nov/2004:07:54:13 -0600] "GET http://hotbox.danni.com/hotbox/index.cfm HTTP/1.0" 401 13396 "http://hotbox.danni.com/hotbox/index.cfm" "Mozilla/5.0 ( compatible; MSIE 4.0; Windows 95; MSNIA )"
    221.225.97.220 - - [27/Nov/2004:07:54:13 -0600] "GET http://hstgb.tradedoubler.com/file/17289/290604/sm468x60.gif HTTP/1.0" 200 28809 "http://www.bsless.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
    64.62.253.96 - - [27/Nov/2004:07:54:21 -0600] "GET http://www.google.com/search?hl=en&lr=&q=software HTTP/1.0" 200 15458 "http://www.7search.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    80.131.233.34 - - [27/Nov/2004:07:54:20 -0600] "GET http://www.ronnituscadero.com/members HTTP/1.0" 401 790 "-" "Mozilla/3.0 (compatible)"
    213.114.179.10 - - [27/Nov/2004:07:54:32 -0600] "GET http://www.photodromm.com/access/set/membdfsaer463245.htm HTTP/1.0" 401 401 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    24.218.6.172 - - [27/Nov/2004:15:17:59 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_darkmage_&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
    24.218.6.172 - - [27/Nov/2004:15:18:01 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_deathice_&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
    24.218.6.172 - - [27/Nov/2004:15:18:03 -0600] "GET http://l23.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=_delusion&passwd=spoiled HTTP/1.0" 200 16670 "-" "-"
    12.221.59.151 - - [27/Nov/2004:18:54:04 -0600] "GET http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"
    12.221.59.151 - - [27/Nov/2004:18:54:05 -0600] "GET http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.221.59.151 - - [27/Nov/2004:18:54:06 -0600] "GET http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    24.218.6.172 - - [27/Nov/2004:18:54:18 -0600] "GET http://e4.member.ukl.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&..src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=lord_of_darkness_&passwd=bodacious HTTP/1.0" 999 1251 "-" "-"
    70.80.86.50 - - [27/Nov/2004:18:54:23 -0600] "GET http://clickit.go2net.com/search?site=wbs&cp=infocom.us2&cid=302349&area=results.directhit&rawto=http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/Unable%2Bto%2BUrinate/1/15/1/-/1/0/1/1/1/1?&tpxnws=1 HTTP/1.0" 302 153 "http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/unable?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    12.221.59.151 - - [27/Nov/2004:18:54:24 -0600] "GET http://www.spoiledslut.com/members/ HTTP/1.0" 401 397 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    70.80.86.50 - - [27/Nov/2004:18:54:24 -0600] "GET http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/Unable+to%2BUrinate/1/15/1/-/1/0/1/1/1/1?&tpxnws=1 HTTP/1.0" 200 46625 "http://msxml.info.com/_1_UYHT5U0U9EMF4__infocom.us2/search/web/unable?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    12.217.37.110 - - [27/Nov/2004:19:05:23 -0600] "GET http://www.smt-data.com/~rankings/checkproxy.php HTTP/1.0" 200 17 "-" "(compatible; MSIE 4.01; MSN 2.5; AOL 4.0; Windows 98)"
    69.81.24.39 - - [27/Nov/2004:19:14:33 -0600] "GET http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi HTTP/1.1" 200 1201 "http://www.exploitmasters.com/cgi-bin/proxyjudge.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.221.59.151 - - [27/Nov/2004:19:14:39 -0600] "GET http://www.shanesworld.com/members HTTP/1.0" 401 1339 "<NONE>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.0 [en]"

    ****************************************************************************************************************

    So I assumed that someone was using my proxy, but my httpd.conf file
    is set this way:

    **********
    <IfModule mod_proxy.c>
    # ProxyRequests On enables forward proxying for any client that can
    # reach the server; the <Proxy *> block is what restricts who may use it.
    ProxyRequests On

    <Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.1
    </Proxy>

    ProxyMaxForwards 10
    ProxyVia Off
    # Reverse-proxy mappings for the blojsom backend (these work with
    # ProxyRequests Off as well).
    ProxyPass /blojsom/ http://192.168.1.145:8080/blojsom/
    ProxyPassReverse /blojsom/ http://192.168.1.145:8080/blojsom/
    ProxyPass /blojsom http://192.168.1.145:8080/blojsom/
    ProxyPassReverse /blojsom http://192.168.1.145:8080/blojsom/
    </IfModule>

    ***********

    which I thought closed it, but to be safe, I commented all of these
    lines out and restarted Apache, disabling mod_proxy. But I am still
    seeing this type of activity in the log files... even with mod_proxy
    disabled. The 'intruder' is still running proxyjudge and seems to
    still be able to use my webserver.

    Can anyone offer any advice as to where I should be looking for the
    cause of this and any way I might shut it down. I have the webserver
    down now until I can figure out what's happening.

    Thanks for any advice,

    AvidFan
    avidfan, Nov 28, 2004
    #1
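The entries in the post are recognisable as forward-proxy traffic because Apache logs the request line verbatim: a client that treats the server as an HTTP proxy sends an absolute URI ("GET http://host/path HTTP/1.0") where a normal visitor sends a path ("GET /path HTTP/1.0"), and the requests for proxyjudge.cgi and checkproxy.php are the probes open-proxy scanners use to see what a candidate proxy forwards. The script below is an added example, not code from the original post: it parses combined-format access-log lines, separates proxy-style requests from local ones, groups them by client, and flags the clients that ran a proxy-judge probe or pushed someone else's password through the server in a query string. The sample lines and the hostnames in LOCAL_HOSTS and the sample log are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat, the layout of the lines in the post:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hostnames this server legitimately answers for (assumed for the example);
# an absolute URI naming one of these is a normal HTTP/1.1 request, not proxying.
LOCAL_HOSTS = {"www.example.net", "example.net"}

# Path fragments of "proxy judge" scripts that open-proxy scanners fetch
# through a candidate proxy to learn which headers it forwards or strips.
PROXY_CHECKER_MARKERS = ("proxyjudge", "checkproxy", "azenv")

# Query-string keys that mean a third party's password is now in your log.
CREDENTIAL_KEYS = {"passwd", "password", "pass", "pwd"}

# Constructed sample lines (not from the post): one local request, five
# proxy-style requests from three clients, one absolute URI for a local host.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2004:07:54:07 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2004:07:54:13 -0600] "GET http://ads.example.com/img/1.gif HTTP/1.0" 200 28809 "http://www.example.com/" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2004:07:54:21 -0600] "GET http://search.example.com/search?q=software HTTP/1.0" 200 15458 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Nov/2004:19:14:33 -0600] "GET http://judge.example.org/cgi-bin/proxyjudge.cgi HTTP/1.1" 200 1201 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Nov/2004:19:15:02 -0600] "CONNECT mail.example.org:25 HTTP/1.0" 200 - "-" "-"
192.0.2.44 - - [27/Nov/2004:15:17:59 -0600] "GET http://login.example.org/config/login?login=alice&passwd=hunter2 HTTP/1.0" 200 16670 "-" "-"
10.0.0.5 - - [27/Nov/2004:08:00:00 -0600] "GET http://www.example.net/blojsom/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def target_host(entry):
    """Hostname the client asked for: 'host:port' for CONNECT, URI host otherwise."""
    if entry["method"].upper() == "CONNECT":
        return entry["target"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["target"]).hostname or "").lower()


def is_proxy_request(entry, local_hosts=LOCAL_HOSTS):
    """True when the request line asks the server to fetch from a foreign host."""
    if entry["method"].upper() == "CONNECT":
        return True  # CONNECT host:port only ever means tunnelling through a proxy
    parts = urlsplit(entry["target"])
    if parts.scheme not in ("http", "https", "ftp") or not parts.netloc:
        return False  # origin-form request ("/path"): served locally, not proxied
    return target_host(entry) not in local_hosts


def hits_proxy_checker(entry):
    return any(marker in entry["target"].lower() for marker in PROXY_CHECKER_MARKERS)


def leaks_credentials(entry):
    keys = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    return any(k.lower().lstrip(".") in CREDENTIAL_KEYS for k in keys)


def summarize(lines, local_hosts=LOCAL_HOSTS):
    """Group proxy-style requests by client and flag the ones worth acting on."""
    report = {
        "clients": Counter(),        # client IP -> number of proxy-style requests
        "hosts": defaultdict(set),   # client IP -> foreign hosts it tried to reach
        "proxy_checkers": set(),     # clients probing with a proxy-judge script
        "credential_leaks": set(),   # clients whose URLs carried a password
    }
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_proxy_request(entry, local_hosts):
            continue
        client = entry["client"]
        report["clients"][client] += 1
        report["hosts"][client].add(target_host(entry))
        if hits_proxy_checker(entry):
            report["proxy_checkers"].add(client)
        if leaks_credentials(entry):
            report["credential_leaks"].add(client)
    return report


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for client, count in report["clients"].most_common():
        flags = [f for f, members in (("proxy-judge probe", report["proxy_checkers"]),
                                      ("password in URL", report["credential_leaks"]))
                 if client in members]
        print(f"{client:16} {count:3} proxy-style requests -> "
              f"{sorted(report['hosts'][client])} {flags}")
```

Run it against the real access.log with `summarize(open("/path/to/access.log"))` after putting the server's own hostnames in LOCAL_HOSTS. Two caveats when reading the result. First, an absolute-URI request is logged the same way whether or not it was actually relayed: with mod_proxy not loaded, Apache takes the path part of the URI and serves it from the local document root, so the status and byte count are the local server's answer for that path, not the remote site's. Comparing those numbers against what the local server returns for the same path (the size of the local 404 page, for instance) tells the two cases apart. Second, the forward-proxy switch is `ProxyRequests On`; the ProxyPass and ProxyPassReverse lines for the blojsom backend keep working with `ProxyRequests Off`, so turning it off costs nothing here. Any client that shows up in `credential_leaks` has left third-party passwords in the log, which makes the log file itself something to protect.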