[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] Very strange logs

Subject: [cobalt-security] Very strange logs
From: "Mark Remde" <mark@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 30 Mar 2001 02:21:02 +0100
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

I have recently noticed strange entries in my apache access logs:

WWW.********.COM 195.222.69.86 - - [29/Mar/2001:13:17:05 +0100] "GET http://ctc.pornoground.com/cgi-bin/ctc/ctc.cgi?47917758 HTTP/1.0" 302 235 "http://vikspix.com"; "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
WWW.********.COM 195.222.69.86 - - [29/Mar/2001:13:17:10 +0100] "GET http://WWW.********.COM /cobalt_error/fileNotFound.html HTTP/1.0" 404 - "http://vikspix.com"; "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

Where the my customer's virtual domain is replaced with WWW.********.COM. I do not host any of the others mentioned above.

I at first thought that someone was trying to use this server as a proxy, but there's too few hits for that - just half a dozen a night - every night.
I added this IP to hosts.deny, and also created a hosts-deny rewrite rule for apache. That started the 404's seen above, but didn't stop the hits.

Is there some exploit that allows someone to use a webserver in this way to generate clicks?

Any help appreciated.

Regards
Mark Remde

Prev by Date: RE: [cobalt-security] 10 Steps To Securing A Server
Next by Date: [cobalt-security] new user + patches
Previous by thread: RE: [cobalt-security] 10 Steps To Securing A Server
Next by thread: [cobalt-security] new user + patches

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index