[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] Very strange logs
- Subject: [cobalt-security] Very strange logs
- From: "Mark Remde" <mark@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Mar 2001 02:21:02 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I have recently noticed strange entries in my apache access logs:
WWW.********.COM 195.222.69.86 - - [29/Mar/2001:13:17:05 +0100] "GET http://ctc.pornoground.com/cgi-bin/ctc/ctc.cgi?47917758 HTTP/1.0" 302 235 "http://vikspix.com" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
WWW.********.COM 195.222.69.86 - - [29/Mar/2001:13:17:10 +0100] "GET http://WWW.********.COM /cobalt_error/fileNotFound.html HTTP/1.0" 404 - "http://vikspix.com" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
Where the my customer's virtual domain is replaced with WWW.********.COM. I do not host any of the others mentioned above.
I at first thought that someone was trying to use this server as a proxy, but there's too few hits for that - just half a dozen a night - every night.
I added this IP to hosts.deny, and also created a hosts-deny rewrite rule for apache. That started the 404's seen above, but didn't stop the hits.
Is there some exploit that allows someone to use a webserver in this way to generate clicks?
Any help appreciated.
Regards
Mark Remde